Call for Contributions

This section needs improvements, examples and explanations.

Please take a look at the Contributing Guide for our Documentation.

Policy

Routing Policies could be used to tell the router (self or neighbors) what routes and their attributes needs to be put into the routing table.

There could be a wide range of routing policies. Some examples are below:

  • Set some metric to routes learned from a particular neighbor

  • Set some attributes (like AS PATH or Community value) to advertised routes to neighbors

  • Prefer a specific routing protocol routes over another routing protocol running on the same router

Example

Policy definition:

# Create policy
set policy route-map setmet rule 2 action 'permit'
set policy route-map setmet rule 2 set as-path-prepend '2 2 2'

# Apply policy to BGP
set protocols bgp 1 neighbor 203.0.113.2 address-family ipv4-unicast route-map import 'setmet'
set protocols bgp 1 neighbor 203.0.113.2 address-family ipv4-unicast soft-reconfiguration 'inbound'

Using ‘soft-reconfiguration’ we get the policy update without bouncing the neighbor.

Routes learned before routing policy applied:

vyos@vos1:~$ show ip bgp
BGP table version is 0, local router ID is 192.168.56.101
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 198.51.100.3/32   203.0.113.2           1             0 2 i  < Path

Total number of prefixes 1

Routes learned after routing policy applied:

vyos@vos1:~$ sho ip b
BGP table version is 0, local router ID is 192.168.56.101
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 198.51.100.3/32   203.0.113.2           1             0 2 2 2 2 i

Total number of prefixes 1
vyos@vos1:~$

You now see the longer AS path.

PBR

PBR allowing traffic to be assigned to different routing tables. Traffic can be matched using standard 5-tuple matching (source address, destination address, protocol, source port, destination port).

Transparent Proxy

The following example will show how VyOS can be used to redirect web traffic to an external transparent proxy:

set policy route FILTER-WEB rule 1000 destination port 80
set policy route FILTER-WEB rule 1000 protocol tcp
set policy route FILTER-WEB rule 1000 set table 100

This creates a route policy called FILTER-WEB with one rule to set the routing table for matching traffic (TCP port 80) to table ID 100 instead of the default routing table.

To create routing table 100 and add a new default gateway to be used by traffic matching our route policy:

set protocols static table 100 route 0.0.0.0/0 next-hop 10.255.0.2

This can be confirmed using the show ip route table 100 operational command.

Finally, to apply the policy route to ingress traffic on our LAN interface, we use:

set interfaces ethernet eth1 policy route FILTER-WEB

Local route

The following example allows VyOS to use PBR for traffic, which originated from the router itself. That solution for multiple ISP’s and VyOS router will respond from the same interface that the packet was received. Also, it used, if we want that one VPN tunnel to be through one provider, and the second through another.

  • 203.0.113.0.254 IP addreess on VyOS eth1 from ISP1

  • 192.168.2.254 IP addreess on VyOS eth2 from ISP2

  • table 10 Routing table used for ISP1

  • table 11 Routing table used for ISP2

set policy local-route rule 101 set table '10'
set policy local-route rule 101 source '203.0.113.0.254'
set policy local-route rule 102 set table '11'
set policy local-route rule 102 source '192.0.2.254'
set protocols static table 10 route '0.0.0.0/0' next-hop '203.0.113.0.1'
set protocols static table 11 route '0.0.0.0/0' next-hop '192.0.2.2'

Add multiple source IP in one rule with same priority

set policy local-route rule 101 set table '10'
set policy local-route rule 101 source '203.0.113.0.254'
set policy local-route rule 101 source '203.0.113.0.253'
set policy local-route rule 101 source '198.51.100.0/24'