Questions tagged [policy-routing]
Policy-based routing (PBR) extends ordinary destination-based routing: instead of always consulting one main table, the kernel walks an ordered list of rules (matching on source address, incoming interface, firewall mark, etc.) to decide which routing table to look up for a given packet.
97 questions
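The Linux behaviour behind most of the questions listed below, as an added example that is not part of this page: a small Python model of the routing policy database (RPDB) lookup. Rules are walked in ascending priority order; the first rule whose selectors match names a table; if that table has no route covering the destination the walk continues with the next rule, unless the rule's action is terminal (unreachable/blackhole/prohibit). The interfaces, addresses (documentation ranges), table names and rule priorities are assumed for illustration.

```python
"""Added example, not code from the page: a model of the Linux RPDB lookup.

Assumed topology (documentation address ranges):
  eth0 203.0.113.10/24  uplink ISP1, gateway 203.0.113.1
  eth1 198.51.100.10/24 uplink ISP2, gateway 198.51.100.1
  eth2 192.168.5.1/24   LAN
  wg0  10.8.0.1/24      VPN
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Route:
    prefix: str                   # destination prefix, "0.0.0.0/0" = default
    dev: str                      # outgoing interface
    via: Optional[str] = None     # next hop; None for a directly connected prefix
    kind: str = "unicast"         # "unicast" | "local" | "blackhole" | "unreachable"


@dataclass
class Rule:
    priority: int
    action: str = "lookup"        # "lookup" | "unreachable" | "blackhole" | "prohibit"
    table: Optional[str] = None   # table consulted when action == "lookup"
    src: Optional[str] = None     # 'from' selector
    dst: Optional[str] = None     # 'to' selector
    iif: Optional[str] = None     # incoming-interface selector
    fwmark: Optional[int] = None  # firewall-mark selector


@dataclass
class Packet:
    src: str
    dst: str
    iif: str = "lo"               # locally generated traffic matches 'iif lo'
    fwmark: int = 0


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every selector present on the rule must match; absent selectors match anything."""
    if rule.src is not None and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if rule.dst is not None and ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.iif is not None and rule.iif != pkt.iif:
        return False
    if rule.fwmark is not None and rule.fwmark != pkt.fwmark:
        return False
    return True


def longest_match(table: list, dst: str) -> Optional[Route]:
    """Longest-prefix match inside one table; None when nothing covers dst."""
    addr = ip_address(dst)
    best = None
    for route in table:
        net = ip_network(route.prefix)
        if addr in net and (best is None or net.prefixlen > ip_network(best.prefix).prefixlen):
            best = route
    return best


def lookup(rules: list, tables: dict, pkt: Packet) -> str:
    """Walk rules by ascending priority; return the chosen next hop or a verdict."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule_matches(rule, pkt):
            continue
        if rule.action != "lookup":
            return rule.action          # terminal rule: the walk stops here
        route = longest_match(tables.get(rule.table, []), pkt.dst)
        if route is None:
            continue                    # table has no route: fall through to the next rule
        if route.kind != "unicast":
            return route.kind           # local / blackhole / unreachable routes are final
        return f"{route.dev} via {route.via}" if route.via else route.dev
    return "no route"


# Constructed tables for the assumed host. "local" is what the kernel maintains
# itself; "isp2" holds only a default route, as many how-tos suggest.
TABLES = {
    "local": [Route("203.0.113.10/32", "eth0", kind="local"),
              Route("198.51.100.10/32", "eth1", kind="local"),
              Route("127.0.0.0/8", "lo", kind="local")],
    "main":  [Route("203.0.113.0/24", "eth0"),
              Route("198.51.100.0/24", "eth1"),
              Route("192.168.5.0/24", "eth2"),
              Route("0.0.0.0/0", "eth0", via="203.0.113.1")],
    "isp2":  [Route("0.0.0.0/0", "eth1", via="198.51.100.1")],
    "vpn":   [Route("10.8.0.0/24", "wg0")],
}

RULES = [
    Rule(0, table="local"),                          # fixed by the kernel: local addresses win
    Rule(50, table="main", dst="192.168.5.0/24"),    # keep LAN traffic out of the uplink tables
    Rule(100, table="isp2", src="198.51.100.10/32"), # replies from the ISP2 address leave via ISP2
    Rule(150, table="vpn", src="192.168.5.0/24"),    # LAN clients try the VPN table first
    Rule(200, action="unreachable", fwmark=0x42),    # marked traffic is refused, no fall-through
    Rule(32766, table="main"),
    Rule(32767, table="default"),
]


if __name__ == "__main__":
    for pkt in (Packet("198.51.100.10", "192.0.2.7"),             # reply from the ISP2 address
                Packet("198.51.100.10", "192.168.5.20"),          # same source, LAN destination
                Packet("192.168.5.20", "192.0.2.7", iif="eth2"),  # vpn table has no route: falls through
                Packet("203.0.113.10", "198.51.100.10"),          # own address: local table at prio 0
                Packet("203.0.113.10", "192.0.2.7", fwmark=0x42)):
        print(f"{pkt.src} -> {pkt.dst} (iif {pkt.iif}, mark {pkt.fwmark}): "
              f"{lookup(RULES, TABLES, pkt)}")
```

Two of the cases show the traps that come up repeatedly in the questions below. The LAN-bound packet from the ISP2 address only reaches eth2 because of the priority-50 rule: since the "isp2" table holds a default route, it covers every destination and never falls through, so a custom table with a default route needs either copies of the link routes or a higher-priority rule pointing LAN prefixes back at main. And a packet to one of the host's own addresses is answered by the local table at priority 0 before any custom rule is consulted, which is why source-based rules appear not to work when the test is a ping to the box itself.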
0 votes, 0 answers, 237 views
linux ip rules for vrf VS ip rules for policy routing table
I have found myself a bit confused about how ip rules differ between VRF and policy routing table
=============== policy routing table part ===============
Here I have an example that is ...
0 votes, 0 answers, 126 views
Packet marking not working for ICMP and UDP
For context, I'm configuring a VPN on a web proxy server (let's call it "SERVER1") using policy-based routing and iptables. I have two interfaces on SERVER1:
eth0 for local network -- local ...
0 votes, 0 answers, 37 views
How to route 2 WireGuards over 2 connections at the same time (eth0/wlan0)
The setup I have:
wg0 should go over eth0 and wg0-client should go over wlan0 interface.
WireGuard and interfaces are connected without a problem, but what is happening is that traffic on wg0-client ...
0 votes, 1 answer, 46 views
Mangling (routing mark) not working on iptables as expected
I'm playing around with iptables, using it as some kind of "DMZ firewall" in my home lab. My server has two interfaces (connecting to two different virtual firewalls) and because of that, I ...
2 votes, 1 answer, 138 views
Why is ip rule added with priority 0?
I'm having strange behaviour on an Ubuntu server where any new 'ip rule' added is added with priority zero.
I add the rules with no priority and they used to be added at an available priority.
Expected ...
3 votes, 1 answer, 7k views
Prevent routing loop with FwMark in WireGuard
I want to set up a VPN server so that the VPN connection is used only when accessing resources within the server. Normally, I'd do this by using the server's internal IP, but I want to use the domain ...
0 votes, 1 answer, 295 views
How to mirror traffic and remove duplicate at destination
I would like to send the same traffic over two VPNs (UDP), to the same server (Ubuntu 22.04 with two different WAN interfaces).
/-WAN1-> VPN1 client-\
App-server <-> ...
0 votes, 0 answers, 340 views
RouterOS 7: Configure the Wireguard server to support connections by different WAN access IP
RouterOS 7 router with two WAN ports, WAN2 and WAN3 (I can access Winbox with both of these WAN IPs without any issues), and set up a Wireguard (WG) service. I can successfully connect to WG by the ...
3 votes, 1 answer, 3k views
Why is Linux policy-based routing (PBR) not working for ping?
First of all, it seems as if this question is about Linux, but it seems to me that it is about basic routing concepts.
I happen to have the following configuration:
What I am trying to do is to ...
0 votes, 0 answers, 202 views
With iptables, is it possible to route only certain domains?
I'm routing specific devices through a separate gateway device that connects to a Tailscale VPN exit node.
I'm using this command so my device can act as NAT router to Tailscale:
sudo iptables -t nat -...
0 votes, 1 answer, 2k views
How to route a reply packet to the device it is coming from?
I have an ipip tunnel, I want all the reply packets coming from the ipip device to also go through ipip. I have tried the following iptables rules
sysctl -w net.ipv4.ip_forward=1
ip rule add fwmark 1 ...
1 vote, 1 answer, 4k views
WireGuard policy-based routing
This question is about configuring a WireGuard relay that routes all its peer's traffic to another WireGuard server, but the relay itself does not use that WireGuard server as the default gateway.
I ...
1 vote, 0 answers, 507 views
DHCP pushed route to custom table on Linux
Is there a way I can direct routes that I receive from DHCP to a specific routing table depending on what interface it was received on?
E.g. eth0 and eth1 are both configured by DHCP. I would like the ...
0 votes, 0 answers, 477 views
Linux Gateway Policy Routing and TCP MSS Issue (maybe)?
I have an Ubuntu 20 machine as an internet gateway with two WANs ens160 and ens192. I switch the default route on the gateway like ip r re 0/0 dev ens160 (or ens192) and the clients on the LAN access the ...
0 votes, 1 answer, 125 views
How to deal with DNS requests when using multiple OpenVPN connections and policy-based routing?
I have 2 subnets in my local network (192.168.4.0/24, 192.168.5.0/24), but only 1 gateway server (192.168.4.223) which has 2 OpenVPN connections (10.100.2.6/24, 10.100.3.6/24). The topology is like:
...
1 vote, 1 answer, 840 views
Where does the configuration for routing rules come from on boot?
I am on RHEL7 with NetworkManager disabled and no additional legacy scripts installed.
Meaning, that I still use:
/etc/sysconfig/network-scripts/ifcfg-eth0
/etc/sysconfig/network-scripts/route-eth0
/...
4 votes, 2 answers, 6k views
WireGuard: use one client as gateway of another
I have a WireGuard VPN setup that basically looks like this:
P1 ---- S ---- P2 --- Internet
IP addresses:
P1 = 10.200.1.5
S = 10.200.1.1
P2 = 10.200.1.3
I am redirecting all traffic of P1 to S by ...
1 vote, 0 answers, 331 views
How to whitelist egress traffic with a NetworkPolicy that doesn't prevent Apache Ignite from starting up?
I have some more or less complex microservice architecture, where Apache Ignite is used as a stateless database / cache. The Ignite Pod is the only Pod in its Namespace and the architecture has to ...
1 vote, 0 answers, 471 views
macOS built-in VPN client Routing Table issues (Cisco IPsec)
I have a Macbook Big Sur 11.5.2 and I've spent quite some time on this particular issue but I cannot figure it out. I need some help from people that are more expert than me on the matter.
Background ...
1 vote, 2 answers, 5k views
Multiple WireGuard tunnels to the same server: how to force different interfaces
I have multiple WAN links on my router and I'd want a WireGuard tunnel on each WAN interface to the same server.
I started different working tunnels to the server using different destination ports, ...
0 votes, 1 answer, 410 views
Diagnosing a Linux routing issue: multiple external IPs and several internal subnets with multiple routing tables
This is my first post on Stack Exchange. First, I'd like to thank this community, because over my computer engineering journey I have learned many things here. :)
With this post I am mainly looking for ...
4 votes, 2 answers, 4k views
Ubuntu 18.04 policy based routing: netplan does not populate routing table
I have 2 network interfaces - 1 connected to internal network and 1 connected to external network, both interfaces acquire their IP from DHCP.
By default traffic goes through internal network and ...
0 votes, 0 answers, 68 views
VPN client IP masking
At our company we are facing a particular routing problem, for which I have found many related questions and answers for parts, but not for the whole.
This is the scenario:
our office has a fixed IP ...
3 votes, 2 answers, 4k views
Why does an iptables NAT not happen in the network-namespace-separated transparent proxy setup?
I'm trying to set up transparent proxying networks on my host.
Real Client and Proxy targets are containers but in this experiment
I use a netns (network namespace) separated environment.
To redirect ...
2 votes, 1 answer, 855 views
Reachability of different interfaces without having a route in a separate routing table
We're currently trying to route all packets from our guest VLAN's (eth1.251) subnet through a WireGuard tunnel into the internet. To accomplish this we're using policy based routing with a rule to use ...
2 votes, 1 answer, 12k views
Response packet on the same interface as incoming in LAN
Currently, I'm struggling with the following scenario:
I have a server with 2 interfaces in 2 separate LAN subnets. IF1, IF2
I have a laptop which has an IP address from the first subnet
When I try ...
1 vote, 1 answer, 6k views
Ping does not work on TAP interfaces with bridge
I am trying to understand Linux bridging and local IP rules.
I have following topology on my linux laptop.
br0
___________|__________
| |
|tap0 ...
0 votes, 1 answer, 500 views
OpenVPN gateway does not reply to IPv6 ping, but does forward packets
I am trying to debug my IPv6 network and ran into an issue that I can't understand.
I am using OpenVPN as my VPN server and here is a short diagram of the setup:
All packets are dropped, when I try ...
1 vote, 2 answers, 2k views
VPN client doesn't have internet connection
I'm using Ubuntu 18.04 LTS on AWS and I'm trying to set up split tunneling using a commercial VPN (PIA).
I'm unable to use their .ovpn configuration out of the box because when I do so my SSH connection ...
3 votes, 1 answer, 1k views
How to group interfaces for the purpose of using ip-rule's suppress_ifgroup feature?
I found out about ip-rule's "suppress_ifgroup X" feature which seems to allow me to tell the kernel to ignore a route from the given table with an outgoing interface that belongs to that group X. But ...
1 vote, 2 answers, 1k views
Routing packets based on which port client is connected to
I have a debian server with one incoming interface (eth1) and three modems (modem1, modem2, modem3). There's an instance of squid on this server, listening on three consecutive ports (3128, 3129, 3130 ...
2 votes, 0 answers, 242 views
Setting up OpenVPN as an interface rather than routing all traffic through the paid VPN
I have subscribed to a VPN provider that provides OpenVPN config files.
Now instead of routing all traffic through this VPN, I would like to simply set it up as another interface where the ...
1 vote, 0 answers, 649 views
Use iptables to load balance between multiple AWS elastic network interfaces
Environment: Amazon EC2 m4.4xlarge, running Amazon Linux 2 AMI 2.0
I would like to use iptables to load balance https requests between a set of elastic IPs that are assigned to multiple Amazon ...
2 votes, 1 answer, 2k views
Docker symmetric/policy-based routing
Background
I have a debian server that has 3 network interfaces which are:
eno1 (10.0.0.35/24)
eno1.10 (10.0.10.65/24)
eno1.40 (10.0.40.40/24)
Between those interfaces is a firewall. The multiple ...
8 votes, 1 answer, 8k views
ip rule and route doesn't get respected
I'm trying to route packets based on their source address, and have added the following:
# ip rule add from 10.10.10.0/16 dev eth0 table foobar
# ip route add default via 100.100.100.1 dev eth0 table ...
1 vote, 1 answer, 2k views
Policy-based routing - neither rules nor routes get picked-up by CentOS 7.6.1810
I have 2 VLANs over a bonded connection I can't get to work with policy-based-routing. Actually I can make them work manually, but I'm unable to persist the configuration in order to survive reboots. ...
0 votes, 1 answer, 807 views
Implementing Segment Routing Traffic Engineering (SR-TE) in IOS XR 6.3.1
I'm trying to deploy SR-TE on XRv9000 routers IOS XR 6.3.1 version which are deployed in AWS according to the topology below.
I have accomplished the configuration of SR on all routers which is ...
0 votes, 1 answer, 315 views
Policy based routing priority behaviour
I have a quick question regarding the behaviour of priority when using policy based routing. I'm running Ubuntu 18.04 (kernel is 4.15.0-1021-aws).
I'm using this machine as a gateway to forward ...
1 vote, 2 answers, 2k views
Kubernetes Calico: Networking policy to block connecting to the port 10250 on nodes
I have a Kubernetes cluster with Calico network overlay installed in it. How do I configure a network policy object to prevent pods connecting to the port 10250 (kubelet API) on the nodes? I have ...
0 votes, 1 answer, 100 views
Routing issues while setting up OpenVPN chaining
I am trying to set up OpenVPN chaining in the following configuration.
Laptop --> server1 --> server2 --> Internet
The VPN links individually work between laptop and server1 and server1 and server2. ...
1 vote, 2 answers, 1k views
multiple macvlan devices and policy based routing confusion
I have a server (ubuntu/debian) with two ISP connections. Both of these WAN connections have multiple public IP addresses.
(big pipe)----eth0-->\
> server ---eth2--(...
0 votes, 2 answers, 2k views
Does each custom routing table (w/default gateway) need a link scope route?
My CentOS machine has a custom routing table foo_table containing just a default gateway route:
# ip route add default via 10.0.2.1 table foo_table
# ip route show table foo_table
default via 10.0....
2 votes, 1 answer, 1k views
linux IPv6 policy based routing fails
I have a VPN server that acts as my IPv6 connection to the Internet. The setup is like this:
I have been assigned a /48 address pool, that I want to subnet to my VPN clients. For argument sake lets ...
-1 votes, 1 answer, 2k views
Iptables round-robin through multiple virtual network interfaces
I have a server with two main network interfaces and 5 virtual interfaces like this.
eth0 - 192.168.1.1
eth1 - 192.168.3.1
eth1:2 192.168.3.3
eth1:3 192.168.3.4
eth1:4 192.168.3.5
eth1:5 192.168.3.6
...
0 votes, 0 answers, 552 views
Ubuntu 16.10: source based routing: packets are not redirected
I'm trying to configure source based routing on my Ubuntu machine.
As simplest example I'm trying to configure the only one interface on my machine.
All configuration taken from here: https://www....
1 vote, 1 answer, 3k views
Different gateways for different IPs on same interface on Linux
I have the following question:
considering the attached image:
I have a server (RHEL 7) with 3 IP addresses (on the same physical interface):
192.168.10.1 (eth0, server address on network 192.168....
3 votes, 0 answers, 786 views
avoid packets being treated as "martians": is this thinking correct?
I have a cable connection with a Linux-based router. The router has two physical interfaces:
enp1s0 (dhcp from cable provider)
enp2s0 (192.168.1.1)
with masquerading on enp1s0. Then, I have an ...
7 votes, 1 answer, 2k views
Multi-homed OpenBSD system: Policy based routing vs. mpath default routes
TL;DR Will OpenBSD policy based routing help with a multi-homed server/gateway situation? If so, how do I configure it?
Long Form
I'm managing an OpenBSD with two ISP links and VPN tunnels to ...
0 votes, 2 answers, 4k views
Azure how to connect Route-Based VPN with Policy-Based one
I've got Policy-Based VNET that is connected to Cisco ASA - there is no way to make it Route-Based.
I need all of my app deployment (Azure Web App, Azure Cloud Services) to be connectable only from ...
-2 votes, 1 answer, 1k views
How to redirect specific outgoing packet from one physical interface to another one in Linux?
In the Linux bridge br100 of one Linux host, vnet0 is the interface connecting one internal Linux VM.
br100 is a Linux bridge, which has 3 IP addresses:
10.11.13.1/24 is the GW of linux VM (the VM has ...