
DHCP Interface static route breaks PBR
Closed, Resolved | Public | BUG

Description

I am trying to enforce PBR similar to this. I have noticed, though, that a command like protocols static table 11 route 0.0.0.0/0 dhcp-interface 'eth2' will not enforce the policies and instead routes out of my main route on eth0. My workaround has been set protocols static table 11 route 0.0.0.0/0 interface 'eth2', though I assume that if my WAN DHCP lease renews this connection will break... Is this the expected behaviour?

Relevant config snippets

$ show configuration commands | grep protocol
set protocols static table 10 route 0.0.0.0/0 dhcp-interface 'eth0'
set protocols static table 11 route 0.0.0.0/0 interface eth2
$ show configuration commands | grep policy
set interfaces ethernet eth1 policy route 'HTTP-ALT'
set interfaces ethernet eth1 vif 10 policy route 'HTTP-ALT'
set interfaces ethernet eth1 vif 100 policy route 'HTTP-ALT'
set policy route HTTP-ALT rule 9 destination address '192.168.3.0/24'
set policy route HTTP-ALT rule 9 set table 'main'
set policy route HTTP-ALT rule 10 set table '11'
set policy route HTTP-ALT rule 10 source address '192.168.4.45/32'
$ show configuration commands | grep nat
set nat source rule 9 outbound-interface 'eth2'
set nat source rule 9 source address '192.168.4.45/32'
set nat source rule 9 translation address 'masquerade'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '192.168.4.0/24'
set nat source rule 10 translation address 'masquerade'

My expected outcome is to have 192.168.4.45/32 fully utilize eth2 and not my default WAN interface eth0.

With protocols static table 11 route 0.0.0.0/0 dhcp-interface 'eth2' that is not possible.

Details

Difficulty level
Normal (likely a few hours)
Version
1.4-rolling-202106051121
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

I have checked that functionality and I can replicate the issue, although there is a workaround. If you "set protocols static table 11 route 0.0.0.0/0 dhcp-interface" on any interface, the route isn't seen in your table (table 10/11); we can see these routes in the default table instead. Let me show:

vyos-cli:

set policy route PBR rule 20 description 'Route VLAN10 traffic to table 10'
set policy route PBR rule 20 set table '10'
set policy route PBR rule 20 source address '192.168.189.0/24'
set policy route PBR rule 30 description 'Route VLAN11 traffic to table 11'
set policy route PBR rule 30 set table '11'
set policy route PBR rule 30 source address '192.168.190.0/24'
set protocols static table 10 route 0.0.0.0/0 dhcp-interface 'eth0'
set protocols static table 11 route 0.0.0.0/0 dhcp-interface 'eth1'

When we do show ip route:

vyos@vyos-rt-pbr# run show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup

S>* 0.0.0.0/0 [1/0] via 192.168.10.1, eth1, weight 1, 00:00:12
  *                 via 192.168.125.1, eth0, weight 1, 00:00:12

But when we verify the FRR config, the routes aren't in their tables:

frr version 7.5.1-20210422-01-gddab69d59
frr defaults traditional
hostname vyos-rt-pbr
log syslog
log facility local7
service integrated-vtysh-config
!
ip route 0.0.0.0/0 192.168.125.1
ip route 0.0.0.0/0 192.168.10.1

When we are using the workaround, however, we see both routes in their tables (10/11):

vyos@vyos-rt-pbr# run show configuration commands | match route

set protocols static table 10 route 0.0.0.0/0 interface eth0
set protocols static table 11 route 0.0.0.0/0 interface eth1

vyos@vyos-rt-pbr# run show ip route table 10
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup

VRF default table 10:
S>* 0.0.0.0/0 [1/0] is directly connected, eth0, weight 1, 00:00:57
[edit]

vyos@vyos-rt-pbr# run show ip route table 11
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup

VRF default table 11:
S>* 0.0.0.0/0 [1/0] is directly connected, eth1, weight 1, 00:00:54

The difference is visible when we check the FRR config:

frr version 7.5.1-20210422-01-gddab69d59
frr defaults traditional
hostname vyos-rt-pbr
log syslog
log facility local7
service integrated-vtysh-config
!
ip route 0.0.0.0/0 eth1 table 11
ip route 0.0.0.0/0 eth0 table 10

If we use the next-hop IP, it also works with the route table (10/11).

Hi @fernando

It looks like your assessment is correct. It also seems a next-hop IP would be sufficient if I weren't dealing with dynamic WAN IPs. For the moment I'm sticking with interface instead of dhcp-interface. The related issue you sent seems exactly related to this.

Viacheslav changed the task status from Open to In progress. Feb 7 2022, 11:20 AM
Viacheslav claimed this task.
Viacheslav changed the task status from In progress to Needs testing. Feb 17 2022, 7:58 PM

I've tested it:

Version: VyOS 1.4-rolling-202202260317

CLI:

set policy route PBR rule 20 description 'Route VLAN10 traffic to table 10'
set policy route PBR rule 20 set table '10'
set policy route PBR rule 20 source address '192.168.189.0/24'
set policy route PBR rule 30 description 'Route VLAN11 traffic to table 11'
set policy route PBR rule 30 set table '11'
set policy route PBR rule 30 source address '192.168.190.0/24'
set protocols static table 10 route 0.0.0.0/0 dhcp-interface 'eth0'
set protocols static table 11 route 0.0.0.0/0 dhcp-interface 'eth1'

ROUTE:

vyos@vyos:~$ sh ip route
S>* 0.0.0.0/0 [210/0] via 10.10.3.1, eth1, weight 1, 00:02:38
  *                   via 172.168.32.2, eth0, weight 1, 00:02:38
C>* 10.10.3.0/24 is directly connected, eth1, 00:02:48
C>* 172.168.32.0/24 is directly connected, eth0, 00:02:40

FRR

frr version 8.1
frr defaults traditional
hostname vyos
log syslog
log facility local7
service integrated-vtysh-config
!
ip route 0.0.0.0/0 10.10.3.1 eth1 tag 210 210
ip route 0.0.0.0/0 172.168.32.2 eth0 tag 210 210
ip route 0.0.0.0/0 172.168.32.2 eth0 table 10
ip route 0.0.0.0/0 10.10.3.1 eth1 table 11

TAB10

vyos@vyos:~$ sh ip route table 10
VRF default table 10:
S>* 0.0.0.0/0 [1/0] via 172.168.32.2, eth0, weight 1, 00:01:48

TAB11

vyos@vyos:~$ sh ip route table 11
VRF default table 11:
S>* 0.0.0.0/0 [1/0] via 10.10.3.1, eth1, weight 1, 00:01:51

Looks good.
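As an added example (not part of this task or of VyOS's own code), a small checker that parses FRR static-route lines of the kind quoted above and verifies that each PBR table actually carries the default route it was configured for, which is exactly the check that would have caught the dhcp-interface routes landing in the main table. The two config samples are constructed from the running-configs shown in this thread, and the table-to-interface mapping passed to check_pbr_tables is an assumed input.

```python
from typing import Dict, List, Optional, Tuple

# Constructed samples copied from the FRR running-configs quoted in this task: 7.5.1
# with dhcp-interface routes in tables 10/11 (no "table" rendered) and 8.1 after the fix.
FRR_BROKEN = """\
ip route 0.0.0.0/0 192.168.125.1
ip route 0.0.0.0/0 192.168.10.1
"""
FRR_FIXED = """\
ip route 0.0.0.0/0 10.10.3.1 eth1 tag 210 210
ip route 0.0.0.0/0 172.168.32.2 eth0 tag 210 210
ip route 0.0.0.0/0 172.168.32.2 eth0 table 10
ip route 0.0.0.0/0 10.10.3.1 eth1 table 11
"""


def parse_frr_static(config: str) -> Dict[Tuple[str, str], List[Tuple[str, Optional[str]]]]:
    """Map (prefix, table) -> [(nexthop-or-interface, interface)]; no 'table N' means 'main'."""
    routes: Dict[Tuple[str, str], List[Tuple[str, Optional[str]]]] = {}
    for raw in config.splitlines():
        tok = raw.split()
        if tok[:2] != ["ip", "route"] or len(tok) < 4:
            continue
        prefix, nexthop, rest = tok[2], tok[3], tok[4:]
        iface, table, i = None, "main", 0
        while i < len(rest):
            if rest[i] == "table":
                table, i = rest[i + 1], i + 2
            elif rest[i] == "tag":
                i += 2                     # skip "tag <value>"
            elif rest[i].isdigit():
                i += 1                     # administrative distance
            else:
                iface, i = rest[i], i + 1  # outgoing interface
        routes.setdefault((prefix, table), []).append((nexthop, iface))
    return routes


def check_pbr_tables(config: str, expected: Dict[str, str]) -> List[str]:
    """expected maps table id -> WAN interface; one message per table missing its default."""
    routes = parse_frr_static(config)
    main_hops = [nh for nh, _ in routes.get(("0.0.0.0/0", "main"), [])]
    problems = []
    for table, iface in expected.items():
        hops = routes.get(("0.0.0.0/0", table), [])
        if not any(iface in (nh, via) for nh, via in hops):
            problems.append(f"table {table}: no default route via {iface}; "
                            f"main holds: {', '.join(main_hops) or 'none'}")
    return problems
```

On a live router the input would be the output of vtysh -c 'show running-config', and an empty result from check_pbr_tables means every PBR table has the default route it was given.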

Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.