Overview
This article describes how to configure Policy-Based Routing (PBR) on the UniFi Security Gateway (USG) models.
- Applicable to all UniFi Security Gateway models (USG / USG-PRO-4 / USG-XG-8).
- This article does not apply to the UniFi Dream Machine (UDM) models.
- This article contains advanced configuration entered via the CLI and persisted in config.gateway.json, and should only be attempted by advanced users.
- See the Configuration Using config.gateway.json help center article for more information on JSON configurations.
Table of Contents
- Introduction
- Routing Traffic Out of WAN2 Based on the Source Network
- Routing Traffic Out of WAN2 Based on the Source Network, Destination Port and Protocol
- Routing Traffic Out of a VPN Interface (VTI) Based on the Source
- Routing Traffic to Different Load Balancing Groups Based on the Source Network
- Prevent Certain Traffic from being Policy Routed
- Related Articles
Introduction
Policy-Based Routing (PBR) forces traffic to use a specific address or interface as its next-hop instead of whatever the main routing table would choose. Traffic is matched on certain criteria, for example a source IP address, and forwarded to that next-hop. On the USG models, Policy-Based Routing can be used to send specific traffic out of the WAN1/WAN2 interfaces or over a Route-Based VPN tunnel interface (VTI).
The Policy-Based Routing feature consists of three separate entities:
- Firewall Rule: match traffic using a PBR firewall rule (a rule in a firewall modify ruleset) and modify it to use a certain routing table or Load Balancing group.
- Routing Table: use a specific routing table to forward the traffic and specify the next-hop address or interface.
- Applied Interface: apply the firewall policy that contains the PBR rule to a certain interface in the Ingress/In direction.
The sections below contain examples of PBR that either use a custom firewall policy or modify the LOAD_BALANCE firewall policy that the controller provisions in Load Balancing setups. Regardless of the setup, the configuration must be added to the config.gateway.json file, otherwise it will not persist through reboots or re-provisions; commands entered only at the CLI are lost the next time the controller provisions the USG.
Routing Traffic Out of WAN2 Based on the Source Network
The following example demonstrates how to route all traffic sourced from hosts in the LAN1 network (192.168.1.0/24) out of the WAN2 interface when also using a Load Balancing setup. The 192.0.2.2 address is the next-hop gateway address of the ISP connected to the WAN2 interface; replace it with your own. In a Load Balancing setup the LOAD_BALANCE policy is already applied to the LAN interfaces, so no separate applied-interface step is needed here. When creating the firewall rule, you can either match the source network (192.168.1.0/24) directly or match on a network group.
configure
set protocols static table 5 route 0.0.0.0/0 next-hop 192.0.2.2
set firewall modify LOAD_BALANCE rule 2500 action modify
set firewall modify LOAD_BALANCE rule 2500 modify table 5
set firewall modify LOAD_BALANCE rule 2500 source address 192.168.1.0/24
set firewall modify LOAD_BALANCE rule 2500 protocol all
commit ; exit
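Because the CLI commands above have to be carried over into config.gateway.json to survive a re-provision, the following added example (not Ubiquiti code and not part of the original article) converts a list of EdgeOS set commands into the nested structure that file uses. The CLI grammar is not self-describing, so the converter carries two assumptions, both marked in the code: the nodes listed in TAG_NODES take the token after them as a child key, and a valueless leaf is written as the string "''", which is the convention seen in USG configuration dumps. The sample input is this section's own commands; the converter also handles the interface-route and load-balance group forms used later in this article.

```python
"""Convert EdgeOS 'set ...' commands into the nested structure used by
config.gateway.json.

Added example, not Ubiquiti code.  Assumptions:
  * nodes in TAG_NODES take the following token as a child key
    (next-hop 192.0.2.2 -> {"next-hop": {"192.0.2.2": "''"}});
  * tokens in FLAG_LEAVES, and keys created under a tag node, carry no
    value and are written as "''" (the convention seen in USG dumps).
Check the output against your own gateway's configuration dump.
"""
import json
import shlex
from typing import Any, Dict, List

TAG_NODES = {"next-hop", "next-hop-interface", "interface"}   # assumption
FLAG_LEAVES = {"failover-only"}                                # assumption
EMPTY = "''"


def set_to_path(command: str) -> List[str]:
    """'set a b c' -> ['a', 'b', 'c']; anything else is rejected."""
    tokens = shlex.split(command)
    if len(tokens) < 3 or tokens[0] != "set":
        raise ValueError(f"not a usable set command: {command!r}")
    return tokens[1:]


def merge_path(tree: Dict[str, Any], path: List[str]) -> None:
    """Insert one set-command path into tree, merging with existing nodes."""
    *keys, last = path
    # The final token is a value unless it follows a tag node or is a flag.
    if keys[-1] in TAG_NODES or last in FLAG_LEAVES:
        keys.append(last)
        last = None
    node = tree
    for key in keys[:-1]:
        child = node.setdefault(key, {})
        if not isinstance(child, dict):
            raise ValueError(f"{key!r} already holds value {child!r}; cannot nest under it")
        node = child
    if isinstance(node.get(keys[-1]), dict):
        raise ValueError(f"{keys[-1]!r} already has children; cannot set it to a value")
    node[keys[-1]] = EMPTY if last is None else last


def build_gateway_json(commands: List[str]) -> Dict[str, Any]:
    """Merge every 'set' line into one tree; configure/commit/exit lines are skipped."""
    tree: Dict[str, Any] = {}
    for cmd in commands:
        cmd = cmd.strip()
        if not cmd or cmd.split()[0] in {"configure", "commit", "exit"}:
            continue
        merge_path(tree, set_to_path(cmd))
    return tree


def to_json(commands: List[str]) -> str:
    """Pretty-printed text ready to merge into config.gateway.json."""
    return json.dumps(build_gateway_json(commands), indent=4)


# The set commands from the section above, as a constructed input list.
WAN2_BY_SOURCE = [
    "configure",
    "set protocols static table 5 route 0.0.0.0/0 next-hop 192.0.2.2",
    "set firewall modify LOAD_BALANCE rule 2500 action modify",
    "set firewall modify LOAD_BALANCE rule 2500 modify table 5",
    "set firewall modify LOAD_BALANCE rule 2500 source address 192.168.1.0/24",
    "set firewall modify LOAD_BALANCE rule 2500 protocol all",
    "commit ; exit",
]

if __name__ == "__main__":
    print(to_json(WAN2_BY_SOURCE))
```

The output is a fragment to merge into any config.gateway.json you already have, not a replacement for the whole file: if the file already contains a "firewall" or "protocols" section, combine the keys rather than overwriting them.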
Routing Traffic Out of WAN2 Based on the Source Network, Destination Port and Protocol
The following example demonstrates how to route HTTP/HTTPS traffic (TCP port 80/443) sourced from hosts in the VLAN2 network (192.168.2.0/24) out of the WAN2 interface when also using a Load Balancing setup. The 192.0.2.2 address is the next-hop gateway address of the ISP connected to the WAN2 interface. When creating the firewall rule, you either directly match the source network (192.168.2.0/24) or match on a network group.
configure
set protocols static table 5 route 0.0.0.0/0 next-hop 192.0.2.2
set firewall modify LOAD_BALANCE rule 2501 action modify
set firewall modify LOAD_BALANCE rule 2501 modify table 5
set firewall modify LOAD_BALANCE rule 2501 source address 192.168.2.0/24
set firewall modify LOAD_BALANCE rule 2501 destination port 80,443
set firewall modify LOAD_BALANCE rule 2501 protocol tcp
commit ; exit
Routing Traffic Out of a VPN Interface (VTI) Based on the Source
The following example demonstrates how to route all traffic sourced from hosts in the VLAN2 network (192.168.2.0/24) out of the vti64 interface when using a Route-Based VPN (Dynamic Routing). In this case, next-hop can be specified as an interface as it is a point-to-point tunnel interface. The USG is not using Load Balancing in this example so a custom firewall policy is created and applied to the interface. When creating the firewall rule, you either directly match the source network (192.168.2.0/24) or match on a network group.
configure
set protocols static table 5 interface-route 0.0.0.0/0 next-hop-interface vti64
set firewall source-validation disable
set firewall modify VPN_Gateway rule 2502 action modify
set firewall modify VPN_Gateway rule 2502 modify table 5
set firewall modify VPN_Gateway rule 2502 source address 192.168.2.0/24
set firewall modify VPN_Gateway rule 2502 protocol all
set interfaces ethernet eth1 vif 2 firewall in modify VPN_Gateway
commit ; exit
The source-validation setting is disabled (it is enabled by default) because the USG in this example is using a single WAN interface. When using Load Balancing, the USG disables this setting automatically. Source Validation is the USG's reverse-path check: it drops packets whose source address is not routable back out of the interface they arrived on, and since PBR deliberately sends replies via a different path than the main routing table would choose, it will break PBR if it is left enabled. Be aware that disabling it also removes that anti-spoofing check, so filtering of spoofed source addresses on the LAN side then depends entirely on your firewall rules.
Routing Traffic to Different Load Balancing Groups Based on the Source Network
The following example demonstrates how to modify traffic to use a second Load Balancing group. When using the default failover-only Load Balancing setup, WAN1 is the primary (active) interface and WAN2 is the failover interface. As in the above examples, modifying the LOAD_BALANCE firewall policy can be used to route traffic to a specific WAN interface. Alternatively, it can modify certain traffic (here, traffic sourced from hosts in the 192.168.1.0/24 LAN network) to use a different Load Balancing group in which the roles are reversed, so that traffic still fails over if WAN2 goes down. When creating the firewall rule, you can either match the source network (192.168.1.0/24) directly or match on a network group. Using the USG-PRO-4 as an example:
Default Load Balancing Group
- WAN1 (eth2): Active
- WAN2 (eth3): Failover
Secondary Load Balancing Group (wan2_failover)
- WAN1 (eth2): Failover
- WAN2 (eth3): Active
configure
set load-balance group wan2_failover interface eth2 failover-only
set load-balance group wan2_failover interface eth3
set firewall modify LOAD_BALANCE rule 2503 action modify
set firewall modify LOAD_BALANCE rule 2503 modify lb-group wan2_failover
set firewall modify LOAD_BALANCE rule 2503 source address 192.168.1.0/24
commit ; exit
Prevent Certain Traffic from being Policy Routed
When using the VPN interface example above, all traffic matched by the rule is policy routed without exception:
set firewall modify VPN_Gateway rule 2502 action modify
set firewall modify VPN_Gateway rule 2502 modify table 5
set firewall modify VPN_Gateway rule 2502 source address 192.168.2.0/24
set firewall modify VPN_Gateway rule 2502 protocol all
Because the modify rule matches on the source network only, this also applies to local traffic routed between (V)LANs, for example from VLAN2 to the Corporate LAN, which would otherwise be sent into the VPN tunnel. To prevent this, add an exclusion for those destinations as an accept rule numbered below the modify rule. You can either match another destination network directly, or use one of the network groups:
configure
set firewall modify VPN_Gateway rule 2402 action accept
set firewall modify VPN_Gateway rule 2402 source address 192.168.2.0/24
set firewall modify VPN_Gateway rule 2402 destination group network-group corporate_network
commit ; exit
The end result is that all traffic from the 192.168.2.0/24 network is sent to the VTI interface, with the exception of traffic from this VLAN to the Corporate LAN. The complete configuration is added below. Note that the exception rule (2402) is numbered lower than the modify rule (2502) and is therefore evaluated first; an accept rule numbered above the modify rule would never be reached, because the modify rule already matches all traffic from that source:
configure
set protocols static table 5 interface-route 0.0.0.0/0 next-hop-interface vti64
set firewall source-validation disable
set firewall modify VPN_Gateway rule 2402 action accept
set firewall modify VPN_Gateway rule 2402 source address 192.168.2.0/24
set firewall modify VPN_Gateway rule 2402 destination group network-group corporate_network
set firewall modify VPN_Gateway rule 2502 action modify
set firewall modify VPN_Gateway rule 2502 modify table 5
set firewall modify VPN_Gateway rule 2502 source address 192.168.2.0/24
set firewall modify VPN_Gateway rule 2502 protocol all
set interfaces ethernet eth1 vif 2 firewall in modify VPN_Gateway
commit ; exit
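Rule order is the part of this configuration that is easiest to get wrong, so the following added example (not Ubiquiti code and not part of the original article) simulates how a firewall modify ruleset picks a routing target: rules are walked in ascending number, the first match wins, accept leaves the packet on its normal path and modify sends it to a table or Load Balancing group. It models the VPN_Gateway policy from this section together with the LOAD_BALANCE rules 2501 and 2503 from the earlier sections, and includes a small lint for accept rules that a lower-numbered modify rule would always pre-empt. The members of corporate_network are constructed, since the article does not list them; the matching logic is a simplification of the USG's and covers only source, destination, network group, protocol and destination port.

```python
"""Simulate how a USG 'firewall modify' ruleset picks a routing target.

Added example, not Ubiquiti code.  Rules are evaluated in ascending
rule-number order and the first match wins: 'accept' ends processing and
leaves the packet on its normal path (main table / default load-balance
group, returned here as "main"); 'modify' hands it to the rule's routing
table or load-balance group.  Only the match criteria used in the
article are modelled.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str = "tcp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                               # "accept" or "modify"
    source: Optional[str] = None              # e.g. "192.168.2.0/24"
    destination: Optional[str] = None
    destination_group: Optional[str] = None   # network-group name
    protocol: str = "all"                     # unset protocol matches everything
    dest_ports: Optional[tuple] = None        # e.g. (80, 443)
    table: Optional[int] = None               # modify table N
    lb_group: Optional[str] = None            # modify lb-group NAME


NetworkGroups = Dict[str, List[str]]


def _in_any(addr: str, nets: List[str]) -> bool:
    ip = ip_address(addr)
    return any(ip in ip_network(n) for n in nets)


def rule_matches(rule: Rule, pkt: Packet, groups: NetworkGroups) -> bool:
    if rule.source and not _in_any(pkt.src, [rule.source]):
        return False
    if rule.destination and not _in_any(pkt.dst, [rule.destination]):
        return False
    if rule.destination_group and not _in_any(pkt.dst, groups.get(rule.destination_group, [])):
        return False
    if rule.protocol != "all" and rule.protocol != pkt.protocol:
        return False
    if rule.dest_ports is not None and pkt.dport not in rule.dest_ports:
        return False
    return True


def route_decision(policy: List[Rule], pkt: Packet, groups: NetworkGroups) -> str:
    """Return "main", "table N" or "lb-group NAME" for the first matching rule."""
    for rule in sorted(policy, key=lambda r: r.number):
        if not rule_matches(rule, pkt, groups):
            continue
        if rule.action == "accept":
            return "main"
        if rule.table is not None:
            return f"table {rule.table}"
        if rule.lb_group is not None:
            return f"lb-group {rule.lb_group}"
        raise ValueError(f"rule {rule.number}: modify without table or lb-group")
    return "main"


def shadowed_exceptions(policy: List[Rule]) -> List[int]:
    """Accept rules that can never fire because a lower-numbered modify rule
    with the same source and no further restriction matches first."""
    ordered = sorted(policy, key=lambda r: r.number)
    return [
        r.number
        for i, r in enumerate(ordered)
        if r.action == "accept"
        and any(m.action == "modify" and m.source == r.source
                and m.protocol == "all" and m.dest_ports is None
                and m.destination is None and m.destination_group is None
                for m in ordered[:i])
    ]


# Constructed data: the article names corporate_network but not its members.
GROUPS: NetworkGroups = {"corporate_network": ["10.10.0.0/16"]}

# The VPN_Gateway policy from this section.
VPN_GATEWAY = [
    Rule(2402, "accept", source="192.168.2.0/24", destination_group="corporate_network"),
    Rule(2502, "modify", source="192.168.2.0/24", protocol="all", table=5),
]

# The same policy with the exception mis-numbered above the modify rule.
VPN_GATEWAY_MISORDERED = [
    Rule(2602, "accept", source="192.168.2.0/24", destination_group="corporate_network"),
    Rule(2502, "modify", source="192.168.2.0/24", protocol="all", table=5),
]

# LOAD_BALANCE rules 2501 and 2503 from the earlier sections.
LOAD_BALANCE = [
    Rule(2501, "modify", source="192.168.2.0/24", protocol="tcp", dest_ports=(80, 443), table=5),
    Rule(2503, "modify", source="192.168.1.0/24", lb_group="wan2_failover"),
]

if __name__ == "__main__":
    for pkt in (Packet("192.168.2.10", "10.10.5.5"), Packet("192.168.2.10", "203.0.113.9")):
        print(pkt, "->", route_decision(VPN_GATEWAY, pkt, GROUPS))
    print("shadowed exceptions:", shadowed_exceptions(VPN_GATEWAY_MISORDERED))
```

Running it shows VLAN2 traffic to the Corporate LAN staying on the main table while Internet-bound traffic goes to table 5; with the exception renumbered to 2602 the Corporate LAN traffic also lands in table 5, and the lint reports rule 2602 as unreachable.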
Related Articles
UniFi - USG Advanced Configuration Using config.gateway.json