New Member
Posts: 37
Registered: ‎08-09-2017
Kudos: 1

Re: USG, Multi-WAN, Policy-based routing.


admin@USG:~$ show firewall modify statistics
--------------------------------------------------------------------------------

IPv4 Firewall "LOAD_BALANCE"  [LOAD_BALANCE]

Active on (eth0.200,IN) (eth0.250,IN) (eth0.254,IN) (eth0.255,IN) (eth0.20,IN) (eth0.100,IN) (eth0.110,IN) (eth0,IN)

rule  packets     bytes         action  description
----  -------     -----         ------  -----------
2500  306790      408054983     ACCEPT
2510  222         53561         MODIFY
2520  136         46555         MODIFY
3001  122         5468          ACCEPT
3002  0           0             ACCEPT
3003  244297744   339316258256  ACCEPT
3004  12360       9531665       ACCEPT
3005  0           0             ACCEPT
3006  0           0             ACCEPT
3007  0           0             ACCEPT
3008  0           0             ACCEPT
3009  0           0             ACCEPT
3010  0           0             ACCEPT
3011  0           0             ACCEPT
3012  0           0             ACCEPT
3013  0           0             ACCEPT
3014  1492458     250593525     MODIFY
10000 4301441     1483285309    ACCEPT  DEFAULT ACTION

New Member
Posts: 37
Registered: ‎08-09-2017
Kudos: 1

Re: USG, Multi-WAN, Policy-based routing.

I got it working

Ubiquiti Employee
Posts: 1,125
Registered: ‎02-28-2017
Kudos: 339
Solutions: 114

Re: USG, Multi-WAN, Policy-based routing.

Cool - I was going to comment, you might want to change table 1 to table 2 or higher, there's multiple issues with table 1 atm when configuring policy routing.
Brandon Jaffe | UniFi Routing & Switching | Austin, TX
New Member
Posts: 37
Registered: ‎08-09-2017
Kudos: 1

Re: USG, Multi-WAN, Policy-based routing.


@UBNT-jaffe Now with this setup the guest network can't resolve with the corporate internal DNS.

Ubiquiti Employee
Posts: 1,125
Registered: ‎02-28-2017
Kudos: 339
Solutions: 114

Re: USG, Multi-WAN, Policy-based routing.

You'll need:

set firewall modify LOAD_BALANCE rule 2490 action accept
set firewall modify LOAD_BALANCE rule 2490 destination group network-group corporate_network
set firewall modify LOAD_BALANCE rule 2490 source group network-group guest_network


If you SSH to the USG and type:

show configuration commands | match LOAD_BALANCE

It will show you all of the rules for that modify ruleset. Anything with "action accept" bypasses policy routing entirely and just follows the main routing table. Anything that doesn't match those source/destination combos hits the last rule, which is "action modify", and modifies it to make sure it follows the load balance you have set up (or failover only). If you spot anything else in there that you might need, like remote user VPN or site-to-site VPN, you'll just need to add it before your 2510 and 2520 rules. Your 2510 and 2520 rules are processed before all of the 3000+ rules. I know that it'd be easier to just put your 2510 and 2520 rules at the "end" of the ruleset to avoid having to rewrite these rules with a smaller number, but I haven't found a way to do that efficiently yet because of the "action modify" rule at the end; it leaves no gap or space between the "action accept" rules.

Brandon Jaffe | UniFi Routing & Switching | Austin, TX
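An added illustration of the ordering rule described in the reply above (not code from the thread or from Ubiquiti): a first-match evaluator for the LOAD_BALANCE modify ruleset, showing why an "action accept" rule numbered below 2510 is what keeps guest-to-corporate DNS on the main routing table. The network-group addresses, the match criteria of rules 2510/2520 and the policy table they point at are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample network groups (assumed values, not from the thread).
GROUPS = {
    "corporate_network": ipaddress.ip_network("10.0.10.0/24"),
    "guest_network": ipaddress.ip_network("10.0.50.0/24"),
}

@dataclass
class Rule:
    number: int
    action: str                 # "accept" (main table) or "modify" (policy table)
    src: Optional[str] = None   # network-group name, None matches any source
    dst: Optional[str] = None   # network-group name, None matches any destination
    target: str = "main"        # routing table the packet ends up using

def matches(rule: Rule, src_ip: str, dst_ip: str) -> bool:
    def in_group(name, ip):
        return name is None or ipaddress.ip_address(ip) in GROUPS[name]
    return in_group(rule.src, src_ip) and in_group(rule.dst, dst_ip)

def route_table(rules, src_ip, dst_ip):
    """Return (rule number, routing table) for the first matching rule.
    EdgeOS walks a ruleset in ascending rule number; the first match wins,
    and 'accept' leaves the packet on the main routing table."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, src_ip, dst_ip):
            return rule.number, rule.target
    raise LookupError("no rule matched, not even the default action")

# Ruleset shaped like the statistics output above: 2510/2520 (assumed to
# match guest sources) run before the 3000+ accept rules, 3014 is the
# catch-all "action modify", and 10000 is the default action.
BASE = [
    Rule(2510, "modify", src="guest_network", target="table 5"),
    Rule(2520, "modify", src="guest_network", target="table 5"),
    Rule(3001, "accept", dst="corporate_network"),
    Rule(3014, "modify", target="lb-group"),
    Rule(10000, "accept"),
]
# The reply's fix: accept guest -> corporate below 2510 so it is never policy routed.
FIX = Rule(2490, "accept", src="guest_network", dst="corporate_network")

def guest_to_corporate_dns(with_fix: bool):
    rules = BASE + ([FIX] if with_fix else [])
    return route_table(rules, "10.0.50.20", "10.0.10.53")
```

Without rule 2490 the guest DNS query is caught by 2510 and pushed into the policy table before rule 3001 ever gets a look; with it, the query stays on the main table.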
New Member
Posts: 37
Registered: ‎08-09-2017
Kudos: 1

Re: USG, Multi-WAN, Policy-based routing.

Thanks!
I was looking for this command the
show configuration commands | match
Emerging Member
Posts: 62
Registered: ‎01-30-2016
Kudos: 12

Re: USG, Multi-WAN, Policy-based routing.

I'm trying to get a proof of concept working with a USG and dual WAN connection.

The goal is to connect from laptop B on the LAN to laptop A on "the internet".

As I don't have 2 internet connections I've used an ER-3 Lite to create that other internet.

[Image: POC network.png]

When I connect laptop B directly to the ER-3 Lite, I can connect to Laptop A.

 

When I connect laptop B to the LAN, I can't.

 

I've used these commands to configure the USG (with firmware 4.4.22):

configure
set protocols static table 5 route 0.0.0.0/0 next-hop 192.168.1.1
set firewall modify LOAD_BALANCE rule 3000 action modify
set firewall modify LOAD_BALANCE rule 3000 modify table 5
set firewall modify LOAD_BALANCE rule 3000 destination address 192.168.10.0/24
set firewall modify LOAD_BALANCE rule 3000 protocol all
commit;exit

Show firewall modify statistics shows that rule is being hit.

But there is no connection possible.

 

When I add a static route on the USG for subnet 192.168.10.0/24 with next-hop 192.168.1.1 I am able to ping 192.168.10.254 from the USG. But still not from the LAN.

 

What am I missing?

 

Ubiquiti Employee
Posts: 1,125
Registered: ‎02-28-2017
Kudos: 339
Solutions: 114

Re: USG, Multi-WAN, Policy-based routing.

@unipro I'm confused when you say you added a static route. You don't need to use the manual CLI rules at all when you're configuring a route based on the destination, you can just use the static route page in the GUI. When you create the static route in the GUI, it will auto-configure firewall rules on LAN_IN to accept traffic destined to that particular subnet (192.168.10.0/24).

If you're pinging from the USG itself, the packets only hit the firewall OUT rulesets, which are all default accept, but when you ping from Laptop B, the firewall will process the packet first on LAN_IN. Try deleting the CLI stuff and only use the GUI static route, and also try pinging 192.168.10.1 from laptop B. 

Also - you didn't remove any NAT rules for WAN2, correct? If you did, the ER 3 lite would need a static route for 10.10.10.0/24. And also make sure the ER 3 lite doesn't have any firewall block rules or default deny in play.

Brandon Jaffe | UniFi Routing & Switching | Austin, TX
Emerging Member
Posts: 62
Registered: ‎01-30-2016
Kudos: 12

Re: USG, Multi-WAN, Policy-based routing.

@UBNT-jaffe Now I'm confused also. I started my journey with a static route via the GUI. But that didn't work. Laptop B could not connect to laptop A. Then I found out that I should have used policy based routing instead. (It's somewhere on the forum here.)

So I used the CLI to add the PBR rules. That doesn't work either.

 

I haven't changed any NAT rules for WAN2. That's all default. The firewall rules in the ER-3 lite are correct in my opinion, because it all works when I connect laptop B to eth0 on the ER-3 lite.

 

You also mention firewall rules in the USG. I haven't made any changes in that firewall.

I don't think I should, because it's a normal outgoing connection from LAN to WAN. Except this time it's WAN2 instead of WAN1. If I should make firewall rules, which rules do you suggest?

 

 

Emerging Member
Posts: 62
Registered: ‎01-30-2016
Kudos: 12

Re: USG, Multi-WAN, Policy-based routing.

My problem is solved. It didn't work because the firewall was blocking access. The rule "Block inter-VLAN routing" doesn't allow my 10.10.10.0/24 subnet to the 192.168.10.0/24 subnet.

Figured it out by adding lots of firewall rules with logging so I could finally see where traffic was heading to.

 

But the static route still fails to work. I had to use policy based routing to get it working.

New Member
Posts: 12
Registered: ‎07-01-2017
Kudos: 2

Exclude one host from load balancing

Hi,

 

Unfortunately I still fail at policy based routing.

I'd like to force all outgoing traffic from 192.168.64.2 (my VoIP client) over WAN1 (which uses PPPoE).

 

These are the latest (failing) config changes:

 

 

user@Gateway# show protocols static       
 interface-route 0.0.0.0/0 {
     next-hop-interface pppoe2 {
         distance 1
     }
 }
 interface-route6 ::/0 {
     next-hop-interface pppoe2 {
         distance 1
     }
 }
 table 5 {
     route 0.0.0.0/0 {
         next-hop 62.155.242.44 {
         }
     }
 }

user@Gateway# show firewall modify LOAD_BALANCE rule 2450
 action modify
 modify {
     table 5
 }
 source {
     address 192.168.64.2
 }

I am really desperate right now and appreciate any help - heck - I'll PayPal you a beer if you get this running!

Member
Posts: 157
Registered: ‎05-19-2017
Kudos: 21
Solutions: 1

Re: Exclude one host from load balancing


Try this, it worked for me. Change the source address to reflect your network. In my setup there are two PPPoE connections.

 

Put the reception / admin network dedicated on the ADSL connection in reception:

set load-balance group wan_failover_24 interface pppoe0
set load-balance group wan_failover_24 interface pppoe0 weight 99
set load-balance group wan_failover_24 interface pppoe1
set load-balance group wan_failover_24 interface pppoe1 weight 1
commit
set firewall modify LOAD_BALANCE rule 1900 description 'traffic from vlan 24'
set firewall modify LOAD_BALANCE rule 1900 source address 192.168.24.0/24
set firewall modify LOAD_BALANCE rule 1900 modify lb-group wan_failover_24
commit

To cancel:

delete load-balance group wan_failover_24
delete firewall modify LOAD_BALANCE rule 1900
commit

  

New Member
Posts: 12
Registered: ‎07-01-2017
Kudos: 2

Re: Exclude one host from load balancing

Finally got it working. Trick was to use "next-hop-interface".

 

{
	"firewall": {
		"modify": {
			"LOAD_BALANCE": {
				"rule": {
					"2450": {
						"action": "modify",
						"modify": {
							"table": "2"
						},
						"source": {
							"address": "192.168.64.2"
						}
					}
				}
			}
		}
	},
	"protocols": {
		"static": {
			"table": {
				"2": {
					"interface-route": {
						"0.0.0.0/0": {
							"next-hop-interface": "pppoe2"
						}
					}
				}
			}
		}
	}
}
New Member
Posts: 23
Registered: ‎03-29-2016
Kudos: 4

Re: USG, Multi-WAN, Policy-based routing.

On this topic of Dual WAN and failover situations, I have the following:

 

WAN1 primary for all traffic
WAN2 failover for VoIP phones only (using LTE data)

 

VoIP network is on a separate VLAN and in regular operation all traffic including VoIP goes over WAN1.
If WAN1 fails and failover switches to WAN2 I want only the VoIP VLAN to be able to exit (not to incur data overage).

 

Can I do this through the GUI so configuration is preserved after upgrades?
Something as simple as a firewall rule that blocks the regular LAN from exiting over WAN2?

 

Suggestions are very welcome. Tried to get some help over Ubnt chat but that was waste of time. :/

New Member
Posts: 1
Registered: ‎09-05-2016
Kudos: 1

Re: USG, Multi-WAN, Policy-based routing.

I'm trying to figure out how to allow only specific VLANs to use the failover WAN2 link.

 

WAN1 is my primary for all traffic, and WAN2 is failover for the VoIP & Security VLANs only.

 

How would I go about restricting the traffic on the failover WAN2 link to only a couple of VLANs?

 
