Support Downloads Community

UniFi Video is an obsolete product line.

This application and its related devices will no longer receive any manner of technical support, including functional and security updates. Additionally, there will be no further updates to Help Center content pertaining to UniFi Video.

UniFi - USG Advanced: Policy-Based Routing

Overview

This article describes how to configure Policy-Based Routing (PBR) on the UniFi Security Gateway (USG) models.

NOTES & REQUIREMENTS:
  • Applicable to all UniFi Security Gateway models (USG / USG-PRO-4 / USG-XG-8).
  • This article does not apply to the UniFi Dream Machine (UDM) models.
  • This article contains advanced JSON configurations using the CLI and should only be attempted by advanced users. 
  • See the Configuration Using config.gateway.json help center article for more information on JSON configurations.

Table of Contents

  1. Introduction
  2. Routing Traffic Out of WAN2 Based on the Source Network
  3. Routing Traffic Out of WAN2 Based on the Source Network, Destination Port and Protocol
  4. Routing Traffic Out of a VPN Interface (VTI) Based on the Source
  5. Routing Traffic to Different Load Balancing Groups Based on the Source Network
  6. Prevent Certain Traffic from being Policy Routed
  7. Related Articles

Introduction

Policy-Based Routing (PBR) is a way to force traffic to use a specific address or interface as the next-hop. When using PBR, traffic is matched on a certain criteria, for example a source IP address, and forwarded to a next-hop. On the USG models, Policy-Based Routing can be used to send specific traffic to the WAN1/WAN2 interfaces or over a Route-Based VPN tunnel interface (VTI).

The Policy-Based Routing feature consists of three separate entities:

  • Firewall Rule Match traffic using a PBR firewall rule and modify it to use a certain routing table.
  • Routing Table Use a specific routing table to forward the traffic and specify the next-hop address or interface.
  • Applied Interface Apply the firewall policy that contains the PBR rule to a certain interface in the Ingress/In direction.  
ATTENTION: Avoid using routing table 1 as it could interfere with the default routing on the USG. Use table 2 or higher.

The sections below contain examples of PBR that either uses a custom firewall policy, or modifies the LOAD_BALANCE firewall policy that is used in Load Balancing setups. Regardless of the setup, it is necessary to add the configuration to the config.gateway.json file, otherwise it will not persist through reboots or re-provisions.

Routing Traffic Out of WAN2 Based on the Source Network

The following example demonstrates how to route all traffic sourced from hosts in the LAN1 network (192.168.1.0/24) out of the WAN2 interface when also using a Load Balancing setup. The 192.0.2.2 address is the next-hop gateway address of the ISP connected to the WAN2 interface. When creating the firewall rule, you either directly match the source network (192.168.1.0/24) or match on a network group.

NOTE: The LOAD_BALANCE firewall policy is one used by Load Balancing. Policy-Based Routing can be used with either weighted or failover-only Load Balancing. When using PPPoE interfaces, create an interface-route instead with the next-hop set to the interface. For example: set protocols static table 5 interface-route 0.0.0.0/0 next-hop-interface pppoe0.
configure
set protocols static table 5 route 0.0.0.0/0 next-hop 192.0.2.2
set firewall modify LOAD_BALANCE rule 2500 action modify
set firewall modify LOAD_BALANCE rule 2500 modify table 5
set firewall modify LOAD_BALANCE rule 2500 source address 192.168.1.0/24
set firewall modify LOAD_BALANCE rule 2500 protocol all
commit ; exit

Routing Traffic Out of WAN2 Based on the Source Network, Destination Port and Protocol

The following example demonstrates how to route HTTP/HTTPS traffic (TCP port 80/443) sourced from hosts in the VLAN2 network (192.168.2.0/24) out of the WAN2 interface when also using a Load Balancing setup. The 192.0.2.2 address is the next-hop gateway address of the ISP connected to the WAN2 interface. When creating the firewall rule, you either directly match the source network (192.168.2.0/24) or match on a network group.

NOTE: The LOAD_BALANCE firewall policy is one used by Load Balancing. Policy-Based Routing can be used with either weighted or failover-only Load Balancing. When using PPPoE interfaces, create an interface-route instead with the next-hop set to the interface. For example: set protocols static table 5 interface-route 0.0.0.0/0 next-hop-interface pppoe0.
configure
set protocols static table 5 route 0.0.0.0/0 next-hop 192.0.2.2
set firewall modify LOAD_BALANCE rule 2501 action modify
set firewall modify LOAD_BALANCE rule 2501 modify table 5
set firewall modify LOAD_BALANCE rule 2501 source address 192.168.2.0/24
set firewall modify LOAD_BALANCE rule 2501 destination port 80,443
set firewall modify LOAD_BALANCE rule 2501 protocol tcp
commit ; exit

Routing Traffic Out of a VPN Interface (VTI) Based on the Source

The following example demonstrates how to route all traffic sourced from hosts in the VLAN2 network (192.168.2.0/24) out of the vti64 interface when using a Route-Based VPN (Dynamic Routing). In this case, next-hop can be specified as an interface as it is a point-to-point tunnel interface. The USG is not using Load Balancing in this example so a custom firewall policy is created and applied to the interface. When creating the firewall rule, you either directly match the source network (192.168.2.0/24) or match on a network group.

NOTE: The VTI number can differ depending on your setup, and can be displayed with the show interfaces command.
configure
set protocols static table 5 interface-route 0.0.0.0/0 next-hop-interface vti64
set firewall source-validation disable
set firewall modify VPN_Gateway rule 2502 action modify
set firewall modify VPN_Gateway rule 2502 modify table 5
set firewall modify VPN_Gateway rule 2502 source address 192.168.2.0/24
set firewall modify VPN_Gateway rule 2502 protocol all
set interfaces ethernet eth1 vif 2 firewall in modify VPN_Gateway
commit ; exit

The source-validation is set to disabled (default enabled) as the USG is only using a single WAN interface. When using Load Balancing, the USG will automatically disable this setting. The Source Validation feature will interfere with PBR if is not disabled.

Routing Traffic to Different Load Balancing Groups Based on the Source Network

The following example demonstrates how to modify traffic to utilize multiple Load Balancing groups. When using the default failover-only Load Balancing setup, WAN1 will be the primary (active) interface and WAN2 will be the failover interface. As in the above example, modifying the LOAD_BALANCE firewall policy can be used route traffic to a specific WAN interface. Alternatively, it can also modify certain traffic (sourced from hosts in the 192.168.1.0/24 LAN network) to use a different Load Balancing group. When creating the firewall rule, you either directly match the source network (192.168.1.0/24) or match on a network group. When using the USG-PRO-4 for example:

Default Load Balancing Group

  • WAN1 (eth2) Active 
  • WAN2 (eth3) Failover

Secondary Load Balancing Group

  • WAN1 (eth2) Failover 
  • WAN2 (eth3) Active
configure
set load-balance group wan2_failover interface eth2 failover-only
set load-balance group wan2_failover interface eth3
set firewall modify LOAD_BALANCE rule 2503 action modify
set firewall modify LOAD_BALANCE rule 2503 modify lb-group wan2_failover
set firewall modify LOAD_BALANCE rule 2503 source address 192.168.1.0/24
commit ; exit

Prevent Certain Traffic from being Policy Routed

When utilizing the above example, all traffic that is matched by the rule will be routed using PBR without exception:

set firewall modify VPN_Gateway rule 2502 action modify
set firewall modify VPN_Gateway rule 2502 modify table 5
set firewall modify VPN_Gateway rule 2502 source address 192.168.2.0/24
set firewall modify VPN_Gateway rule 2502 protocol all

This will also apply to local traffic that is routed between (V)LANs, for example from VLAN2 to the Corporate LAN. To prevent this, an exclusion can be added for certain destinations. You either match on another destination network, or use one of the network groups:

configure
set firewall modify VPN_Gateway rule 2402 action accept
set firewall modify VPN_Gateway rule 2402 source address 192.168.2.0/24
set firewall modify VPN_Gateway rule 2402 destination group network-group corporate_network
commit ; exit

The end result is that all traffic from the 192.168.2.0/24 network will be sent to the VTI interface, with the exception of traffic from this VLAN to the Corporate LAN. The complete configuration is added below, note that the exception rule will be matched before the modify rule:

configure
set protocols static table 5 interface-route 0.0.0.0/0 next-hop-interface vti64
set firewall source-validation disable
set firewall modify VPN_Gateway rule 2402 action accept
set firewall modify VPN_Gateway rule 2402 source address 192.168.2.0/24
set firewall modify VPN_Gateway rule 2402 destination group network-group corporate_network
set firewall modify VPN_Gateway rule 2502 action modify
set firewall modify VPN_Gateway rule 2502 modify table 5
set firewall modify VPN_Gateway rule 2502 source address 192.168.2.0/24
set firewall modify VPN_Gateway rule 2502 protocol all
set interfaces ethernet eth1 vif 2 firewall in modify VPN_Gateway
commit ; exit

Related Articles

UniFi - USG Advanced Configuration Using config.gateway.json

Was this article helpful?
42 out of 86 found this helpful

Submit an RMA request

Visit the Ubiquiti RMA portal to submit a warranty claim for your Ubiquiti device.

Visit the RMA portal >

Plan your UniFi Deployment

Use the Design Center to design your UniFi Network using the most suitable products.

Try the UniFi Design Center >

Talk to other Ubiquiti users

Visit our worldwide community of Ubiquiti experts for more answers and solutions.

Ask the Ubiquiti Community >