Policy Based Routing

From DD-WRT Wiki

Introduction

Traditional routing chooses the outgoing interface for a packet from its destination address, using a routing table that records which networks are reachable through which interfaces. Policy Based Routing is an advanced concept that selects routes based on other criteria, such as the source address or TCP port. It does this by creating multiple routing tables and rules that specify which routing table to use when certain criteria are met. Source based policy routing is fairly easy to configure and doesn't require much thought, but other forms of policy routing require much more care to ensure that they function correctly.

Routing Commands

Source Based Routing

Source based routing only requires a few commands:

ip rule add from [source IP]/[netmask] table 200
ip route add default via [gateway] dev [interface] table 200
ip route flush cache

The [source IP] should be the IP of the machine you want routed differently, optionally with a [netmask] to specify a block of source addresses to route differently. The [gateway] should be the IP of the next router to send traffic to, such as your VPN server or the gateway IP of your ISP. The [interface] should be whichever interface the traffic needs to be sent out of to reach the alternative gateway, such as tun0 for a VPN.

Example:

ip rule add from 192.168.1.128/28 table 200
ip route add default via 10.0.0.1 dev ppp0 table 200
ip route flush cache

You can show the contents of the table and the rule list with the following commands (these might not work with a crippled ip build):

ip route list table 200
ip rule show

Integrating the Commands

With OpenVPN

Your routing commands need to go in the route-up script. See the OpenVPN guide for examples of how to configure route-up scripts.
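A route-up style script that wraps the three source-based routing commands from the section above and is safe to re-run on every reconnect, as an added example that is not the wiki's own code. It assumes OpenVPN passes the tunnel interface and gateway to route-up as $dev and $route_vpn_gateway; the source block and table number are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the DD-WRT wiki): a route-up style helper that builds and
# re-applies the source-based rule from the article safely. Values are constructed.

POLICY_TABLE=200
SRC_NET="192.168.1.128/28"   # constructed: hosts that must use the alternative gateway

# Accept a.b.c.d or a.b.c.d/len with each octet and the prefix length in range.
valid_cidr() {
    case "$1" in
        */*) ip_part="${1%/*}"; len="${1#*/}" ;;
        *)   ip_part="$1";      len=32 ;;
    esac
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    old_ifs="$IFS"; IFS=.; set -- $ip_part; IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the three commands from the article, one per line, for the given source
# block, gateway, interface and table. Nothing is executed here.
policy_commands() {
    valid_cidr "$1" && valid_cidr "$2" || return 1
    printf 'ip rule add from %s table %s\n' "$1" "$4"
    printf 'ip route add default via %s dev %s table %s\n' "$2" "$3" "$4"
    printf 'ip route flush cache\n'
}

# Apply them, replacing the default route instead of adding a second rule when
# the script is re-run (route-up runs on every reconnect).
apply_policy_route() {
    if ip rule show | grep -qF "from $1 lookup $4"; then
        ip route replace default via "$2" dev "$3" table "$4"
        ip route flush cache
    else
        policy_commands "$1" "$2" "$3" "$4" | sh
    fi
}

# Under OpenVPN, route-up receives the tunnel interface and gateway as $dev and
# $route_vpn_gateway (assumed here); run by hand, nothing is changed.
if [ -n "$dev" ] && [ -n "$route_vpn_gateway" ]; then
    apply_policy_route "$SRC_NET" "$route_vpn_gateway" "$dev" "$POLICY_TABLE"
fi
```

Calling policy_commands by hand shows exactly what would be run before the script is installed as route-up.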

With PPTP

Your routing commands need to go in the /tmp/pptpd_client/ip-up script, or maybe .ipup as per Script Execution (needs testing).

With A Physical Interface

Your routing commands can go in the firewall script on the Administration->Commands page.

References

http://lartc.org/howto/lartc.rpdb.html#LARTC.RPDB.SIMPLE