Precedence Technologies Ltd

Policy-Based Routing

For most purposes, standard static routes or even just the default gateway will do what you need. For advanced use, you may wish to alter the network interface and gateway address used for a specific type of traffic. For example:

  • You have multiple devices connected between internal networks and some traffic should not be sent to the directly-connected network
  • You wish to divert all web-traffic via another device

To do this, you will need to use Policy-Based Routing (PBR) which is a feature of the NetManager firewall. At the time of writing, there is no webadmin interface for PBR. PBR is configured by putting rules in /etc/netmanager/ipf.pbr.

Worked example

NetManager is directly connected to two LANs with interfaces wm0 and vlan2. An alternative device which does transparent web-filtering is also directly connected to the same LANs. Clients use either NetManager or the filter as their default gateway depending on what filtering they need.

Network plan:

  10.3.0.1   <-wm0-->  NetManager  <-vlan2->  192.168.102.1
  10.3.0.254 <------>  web-filter  <------->  192.168.102.254

A client on the 192.168.102.x range can, in general, connect to hosts on the 10.3.0.x range. However, it cannot connect to NetManager using 10.3.0.1: the packet arrives on the wrong interface and the routing table sends the reply back out of the directly-connected interface instead (i.e. traffic from 192.168.102.10 reaches 10.3.0.1 via 10.3.0.254, but the NetManager box replies from 192.168.102.1 because that network is directly connected). The forward and return paths are therefore asymmetric, and the client never sees a reply on the path it is expecting.

In this case, traffic from 10.3.0.1 needs to go back to 192.168.102.x via 10.3.0.254 (i.e. the reverse of the route it took on the way to 10.3.0.1). The relevant rule is:

  pass out quick on vlan2 to wm0:10.3.0.254 from 10.3.0.1 to 192.168.102.0/24

To break this down:

  pass out quick on vlan2     packets that would be sent by vlan2
  to wm0:10.3.0.254           instead redirect to wm0 with next hop 10.3.0.254
  from 10.3.0.1               if source is NetManager
  to 192.168.102.0/24         and destination is on the other net

Depending on how locked down the firewall is, you may also need to add a rule to allow the traffic in on an unexpected interface in the first place:

  pass in quick on wm0 from 192.168.102.0/24 to 10.3.0.1
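The following is an added illustration, not NetManager's own code or configuration: a small Python model of the routing decision described above. It performs a longest-prefix-match lookup over NetManager's two directly-connected networks and then applies an IPFilter-style "pass out quick on ... to iface:nexthop" rule, so you can see why the reply to a 192.168.102.x client leaves via vlan2 without PBR and via wm0/10.3.0.254 with it. The interface names and addresses are the ones from the worked example; the helper names (route_lookup, apply_pbr, PbrRule and so on) and the absence of a default route are assumptions made for the model.

```python
"""Toy model of the asymmetric-routing problem and its PBR fix.

This is an added illustration; it is not NetManager or IPFilter code.  It
models only what the example needs: longest-prefix-match routing on the
two directly-connected LANs and one 'pass out quick ... to iface:nexthop'
rule.  A real box also has a default route, which is irrelevant here.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

IPNet = ipaddress.IPv4Network


@dataclass(frozen=True)
class Hop:
    iface: str       # interface the packet leaves on
    next_hop: str    # next router, or the destination itself when direct


# NetManager's routing table (addresses from the page): both LANs are
# directly connected, so the gateway field is None.
NETMANAGER_ROUTES: List[Tuple[IPNet, str, Optional[str]]] = [
    (ipaddress.ip_network("10.3.0.0/24"), "wm0", None),
    (ipaddress.ip_network("192.168.102.0/24"), "vlan2", None),
]

# The web-filter is also directly connected to both LANs.  Its interface
# names are assumed; only the fact that it delivers directly matters.
WEBFILTER_ROUTES: List[Tuple[IPNet, str, Optional[str]]] = [
    (ipaddress.ip_network("10.3.0.0/24"), "filter-lan-a", None),
    (ipaddress.ip_network("192.168.102.0/24"), "filter-lan-b", None),
]

# Which NetManager interface owns which address.
NETMANAGER_ADDRS = {"10.3.0.1": "wm0", "192.168.102.1": "vlan2"}


def route_lookup(routes, dst: str) -> Hop:
    """Longest-prefix match: the most specific matching prefix wins."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for net, iface, gw in routes:
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    _, iface, gw = best
    return Hop(iface, gw or str(dst_ip))


@dataclass(frozen=True)
class PbrRule:
    """Model of: pass out quick on <out_iface> to <new_iface>:<next_hop>
    from <src_net> to <dst_net>"""
    out_iface: str
    new_iface: str
    next_hop: str
    src_net: IPNet
    dst_net: IPNet


def apply_pbr(rules: Iterable[PbrRule], hop: Hop, src: str, dst: str) -> Hop:
    """First matching 'pass out quick' rule overrides the routed next hop."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if hop.iface == r.out_iface and src_ip in r.src_net and dst_ip in r.dst_net:
            return Hop(r.new_iface, r.next_hop)
    return hop


def netmanager_egress(src: str, dst: str, pbr_rules: Iterable[PbrRule] = ()) -> Hop:
    """Where NetManager sends a packet it originates from src to dst."""
    return apply_pbr(pbr_rules, route_lookup(NETMANAGER_ROUTES, dst), src, dst)


def forward_ingress(client_ip: str, target: str = "10.3.0.1") -> str:
    """Forward direction: the client's default gateway is the web-filter, which
    delivers directly on whichever LAN holds the target address, so NetManager
    receives the packet on the interface that owns that address."""
    filter_hop = route_lookup(WEBFILTER_ROUTES, target)
    return NETMANAGER_ADDRS[filter_hop.next_hop]


def reply_egress(client_ip: str, target: str = "10.3.0.1",
                 pbr_rules: Iterable[PbrRule] = ()) -> Hop:
    """Return direction: NetManager replies from target to the client."""
    return netmanager_egress(src=target, dst=client_ip, pbr_rules=pbr_rules)


def is_symmetric(client_ip: str, pbr_rules: Iterable[PbrRule] = ()) -> bool:
    """True when the reply leaves on the interface the request arrived on."""
    return forward_ingress(client_ip) == reply_egress(client_ip, pbr_rules=pbr_rules).iface


# The rule from the page: pass out quick on vlan2 to wm0:10.3.0.254
#                         from 10.3.0.1 to 192.168.102.0/24
PAGE_RULE = PbrRule(
    out_iface="vlan2", new_iface="wm0", next_hop="10.3.0.254",
    src_net=ipaddress.ip_network("10.3.0.1/32"),
    dst_net=ipaddress.ip_network("192.168.102.0/24"),
)

if __name__ == "__main__":
    client = "192.168.102.10"
    print("request arrives on:", forward_ingress(client))
    print("reply without PBR: ", reply_egress(client))
    print("reply with PBR:    ", reply_egress(client, pbr_rules=[PAGE_RULE]))
    print("symmetric with PBR:", is_symmetric(client, pbr_rules=[PAGE_RULE]))
```

Running it shows the request arriving on wm0 but the reply, without the rule, leaving on vlan2 straight to the client; with the rule the reply goes out wm0 towards 10.3.0.254, the reverse of the inbound path. The model also shows why the rule is scoped as it is: a reply from 192.168.102.1 (rather than 10.3.0.1) or to a 10.3.0.x client never matches and keeps using the directly-connected interface.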
© Copyright Precedence Technologies 1999-2024
Page last modified on October 08, 2024, at 04:30 PM by sborrill