Hi all,
I am having difficulties with getting the PBR working...
Basically I have 2 routing tables, and a modify rule on IN of switch0 to modify the routing based on the IP address of the client.
The idea was that the "VPN_Group" will use table 1, which will route the traffic to vtun1, while the other clients from 192.168.1.0/24 will go to A.B.C.D, which will send them to the internet via my ISP.
The relevant parts of the config are as below:
FW RULE:

    modify SOURCE_ROUTE {
        enable-default-log
        rule 10 {
            action modify
            description "Traffic from VPN_Group to vtun1"
            log enable
            modify {
                table 1
            }
            source {
                group {
                    address-group VPN_Group
                }
            }
        }
        rule 20 {
            description "TO UVT"
            modify {
                table 2
            }
            source {
                address 192.168.1.0/24
            }
        }
    }

IFACE:

    openvpn vtun1 {
        config-file /config/pvpn_swiss_tcp.ovpn
        description PureVPN
        firewall {
            in {
                name VPN_IN
            }
            local {
                name VPN_TO_ROUTER
            }
        }
        mode client
    }
    switch switch0 {
        address 192.168.1.1/24
        firewall {
            in {
                modify SOURCE_ROUTE
            }
        }
        mtu 1500
        switch-port {
            interface eth2
            interface eth3
            interface eth4
        }
    }

ROUTES:

    maara@kipp:~$ show ip route
    Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
           O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           > - selected route, * - FIB route, p - stale info

    IP Route Table for VRF "default"
    S    *> 0.0.0.0/0 [1/0] via A.B.C.1, eth0
    C    *> 0.0.0.0/16 is directly connected, vtun0
    C    *> 0.0.0.0/27 is directly connected, vtun1
    C    *> A.B.C.0/24 is directly connected, eth0
    C    *> 127.0.0.0/8 is directly connected, lo
    C    *> X.Y.Z.Z/27 is directly connected, vtun1
    C    *> 172.17.0.0/16 is directly connected, vtun0
    C    *> 192.168.1.0/24 is directly connected, switch0
    C    *> 192.168.2.0/24 is directly connected, switch0.200

    protocols {
        static {
            route 0.0.0.0/0 {
                next-hop A.B.C.D {
                }
            }
            table 1 {
                interface-route 0.0.0.0/0 {
                    next-hop-interface vtun1 {
                    }
                }
            }
            table 2 {
                route 0.0.0.0/0 {
                    next-hop A.B.C.D {
                    }
                }
            }
        }
    }

DNS:

    dns {
        forwarding {
            cache-size 100
            listen-on switch0
            listen-on eth1
            listen-on switch0.200
            listen-on vtun0
        }
    }

NAT:

    rule 5000 {
        description "Masq for WAN"
        log disable
        outbound-interface eth0
        protocol all
        type masquerade
    }
    rule 5001 {
        description "Masq VTUN1"
        log disable
        outbound-interface vtun1
        protocol all
        source {
            group {
                address-group VPN_Group
            }
        }
        type masquerade
    }
Well.... It works somehow, sometimes, and I don't know why....
The clients where I apply rule no. 2 are OK, but those having rule 1 sometimes can't access the internet...
At the time I am writing this post, both "groups" of IPs can access the net:
Table 1:
    traceroute to www.google.com (173.194.65.104), 30 hops max, 40 byte packets
     1  192.168.1.1 (192.168.1.1)  0.427 ms  0.461 ms  0.369 ms
     2  X.Y.Z.Z (X.Y.Z.Z)  26.513 ms  26.613 ms  32.014 ms   (the vtun1)
Table 2:
    tracepath www.google.com
     1?: [LOCALHOST]     pmtu 1500
     1:  192.168.1.1     5.736ms
     1:  192.168.1.1     2.141ms
     2:  A.B.C.D         3.796ms

That's the result I am expecting, but yesterday, when I was configuring it, the firewall rule triggered but clients using Table 1 were hitting host resolution problems etc.
I'd need help with following:
1) Is my solution reliable? - The way it's configured makes sense to me, but I can't explain the issues I had.
2) How do I set up a NAT rule for one port going vtun1 <-> local ip address of a client already in VPN_Group?
I have opened the port in the VPN_IN ruleset, which is in the "in" chain of vtun1, and tried to set
Then I set the NAT rule in the common fashion:

    nat {
        rule 1 {
            description Transmission
            destination {
                group {
                    address-group ADDRv4_vtun1
                }
                port 51413
            }
            disable
            inbound-interface vtun1
            inside-address {
                address 192.168.1.17
                port 51413
            }
            log enable
            protocol tcp_udp
            type destination
        }
    }
...the port still acted as closed even while properly opened and natted by the VPN provider.
3) When I remove
    S    *> 0.0.0.0/0 [1/0] via A.B.C.1, eth0

It's not working... Why? - I thought that as long as the rule is set to apply table 2, I don't need this one.
Thank you very much for your help guys!!
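As an added example (not from the post or from EdgeOS), a small Python model of the lookup the configuration above performs: the "in" modify ruleset marks only packets that arrive on switch0, the marked table is consulted first, and a miss falls through to main. The VPN_Group membership, the simplified tables and the destination address are assumptions built from the post's config; it lets you compare what happens to LAN clients versus router-originated traffic (such as the DNS forwarder's upstream queries) once the main default route is removed, as in question 3.

```python
import ipaddress

# Constructed model of the post's setup; A.B.C.1 / A.B.C.D are the post's own placeholders.
VPN_GROUP = {"192.168.1.17"}            # assumed member of address-group VPN_Group
MODIFY_RULES = [("VPN_Group", 1),       # SOURCE_ROUTE rule 10
                ("192.168.1.0/24", 2)]  # SOURCE_ROUTE rule 20
TABLES = {
    "main": [("0.0.0.0/0", "via A.B.C.1 dev eth0"), ("192.168.1.0/24", "dev switch0")],
    1: [("0.0.0.0/0", "dev vtun1")],
    2: [("0.0.0.0/0", "via A.B.C.D")],
}

def select_table(src, in_iface):
    """The 'in' modify ruleset marks packets arriving on switch0 only; traffic the
    router originates itself (modelled as in_iface=None) is never marked."""
    if in_iface != "switch0":
        return None
    addr = ipaddress.ip_address(src)
    for selector, table in MODIFY_RULES:
        if selector == "VPN_Group":
            if src in VPN_GROUP:
                return table
        elif addr in ipaddress.ip_network(selector):
            return table
    return None

def lookup(table, dst, tables):
    """Longest-prefix match inside one table; None if the table has no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in tables.get(table, []):
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None

def route(src, dst, in_iface, tables=TABLES):
    """Returns (table, nexthop); like 'ip rule', a miss in the marked table falls through to main."""
    marked = select_table(src, in_iface)
    for table in ([marked] if marked is not None else []) + ["main"]:
        nexthop = lookup(table, dst, tables)
        if nexthop:
            return table, nexthop
    return None, None

def without_main_default():
    """Question 3 of the post: the same tables with the main default route removed."""
    tables = dict(TABLES)
    tables["main"] = [r for r in TABLES["main"] if r[0] != "0.0.0.0/0"]
    return tables
```

Run route() for a VPN_Group client, a plain LAN client and the router itself (in_iface=None) against both TABLES and without_main_default(); only the router-originated lookup comes back with no route.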