CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1  jkujath  2009-06-25
Policy Based Routing (PBR) - Survive Reboot?

Hello,

I have a UTM-570 which runs SPLAT, NGX R65 HFA40. I am using iproute2 ip rules (I know, not supported). They do work fine, but they do not survive a reboot.
I followed some great instructions from simon's post (How the policy based routing works) about how to use iproute2 ip rules to perform the policy based routing. The only thing that survives a reboot is the /etc/iproute2/rt_tables file. The actual rules are lost after the reboot, however.

I have searched for solutions but outside of possibly modifying the OS startup scripts (maybe /etc/rc.d/rc.local) - which I don't believe is the greatest idea - are there any other options?

Here is what I am actually doing (public IPs have been changed to protect the innocent).

The setup:
Int interface: my internal subnets
Ext interface: my Internet ISP #1
Lan1 interface: my local video proxy server - 2.0.0.1 /27
Lan2 interface: my Internet ISP #2 I want to dedicate for the video proxy server - 1.1.1.2 /27
I have my video proxy server located inside the Lan1 interface routing all of its Internet traffic to ISP #2 via the Lan2 interface.
I use ISP #2 to dedicate all traffic to/from the video proxy server, so I don't believe the ISP redundancy setup will work for me (it's for load sharing, correct?). That is why I'm trying this PBR setup.

In expert mode, I perform the following steps:
echo "100 vidnet_dedicated" >> /etc/iproute2/rt_tables
ip route add default via 1.1.1.1 table vidnet_dedicated
ip rule add from 2.0.0.0/27 table vidnet_dedicated
ip route flush cache
The above steps work. Again, the problem is after a reboot I lose the actual routes and rules.

I think my only other option is to do the PBR on an upstream router, but I figured I would give this a shot first.

Thanks for your help in advance.

-Jeff
--
Barry's Checkpoint CCSA CCSE Certification rocks! :-)

Last edited by BarryStiefel; 2009-06-26 at 19:55. Reason: (moved to correct forum)

#2  dsb.nepo (Europe, Germany)  2009-06-25
Re: Policy Based Routing (PBR) - Survive Reboot?

The setup is not supported, as you already said, but the rc.local script is the last script you can use to execute custom commands.

Inside the script it is maybe wise to flush the cache only if all the other commands succeed.

Code:
# add the table name once; rt_tables already survives reboots
grep -q vidnet_dedicated /etc/iproute2/rt_tables || \
  echo "100 vidnet_dedicated" >> /etc/iproute2/rt_tables
# capture each command's exit status ($?), not its output
ip route add default via 1.1.1.1 table vidnet_dedicated
_rc1=$?
ip rule add from 2.0.0.0/27 table vidnet_dedicated
_rc2=$?

if [ $(( $_rc1 + $_rc2 )) -eq 0 ]; then
  ip route flush cache
else
  echo "shi.... happens"
  # optional code to revert ...
fi

#3  jkujath  2009-06-25
Re: Policy Based Routing (PBR) - Survive Reboot?

Thank You dsb.nepo. I had hoped that I wouldn't have to maintain a custom startup script. My other alternative was to do a dot1q trunk on my external interface then do PBR on my upstream router.
I think I'll give this a go, though. Thanks for the code example, I wouldn't have known how to check if my commands were successful! :-)

-Jeff

#4  jkujath  2009-06-25
Re: Policy Based Routing (PBR) - Survive Reboot?

I received a syntax error (unexpected operand) when I used:
Code:
if [ $(( $_rc1 + $_rc2 )) -eq 0 ]; then
I changed it so that it evaluates correctly now:
Code:
if [[ $_rc1 -eq 0 && $_rc2 -eq 0 ]]; then
Thanks again,
Jeff
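Putting dsb.nepo's rc.local idea and the exit-status check from post #4 together, here is an added example (not code from the thread) of a self-contained script that rc.local can call after a reboot. It assumes the thread's values (table 100 vidnet_dedicated, ISP #2 gateway 1.1.1.1, video-proxy subnet 2.0.0.0/27); the script's own location and the RT_TABLES override are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: an idempotent script to call from
# rc.local so the iproute2 PBR setup is restored after a reboot and every
# step is checked before the route cache is flushed.
# Values are the thread's: table 100 "vidnet_dedicated", ISP #2 gateway
# 1.1.1.1, video-proxy subnet 2.0.0.0/27. RT_TABLES is overridable (assumed
# convenience for testing, not part of the thread).

RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"
TABLE_ID=100
TABLE_NAME=vidnet_dedicated
GATEWAY=1.1.1.1
SRC_NET=2.0.0.0/27

# Append the table name only when it is missing: rt_tables survives reboots,
# so a bare 'echo >>' in rc.local would add a duplicate line on every boot.
ensure_rt_table() {
    if grep -q "^${TABLE_ID}[[:space:]][[:space:]]*${TABLE_NAME}\$" "$RT_TABLES"; then
        return 0
    fi
    echo "${TABLE_ID} ${TABLE_NAME}" >> "$RT_TABLES"
}

# Install the default route and the source rule. Each step returns a distinct
# status on failure, and the cache is flushed only after both succeeded.
setup_pbr() {
    ensure_rt_table || return 1
    # 'replace' rather than 'add' so a second run does not fail with EEXIST
    ip route replace default via "$GATEWAY" table "$TABLE_NAME" || return 2
    # ip rule has no 'replace'; skip the add if the rule is already present
    if ! ip rule show | grep -q "from ${SRC_NET} lookup ${TABLE_NAME}"; then
        ip rule add from "$SRC_NET" table "$TABLE_NAME" || return 3
    fi
    ip route flush cache
}

# Only touch the network when invoked as '<script> install' (e.g. from
# rc.local), so the file can also be sourced for inspection or testing.
if [ "${1:-}" = "install" ]; then
    setup_pbr
    rc=$?
    [ "$rc" -eq 0 ] || { echo "PBR setup failed (step $rc)" >&2; exit "$rc"; }
fi
```

Call it from rc.local as `/path/to/pbr-setup.sh install`; after a reboot, `ip rule show` and `ip route show table vidnet_dedicated` confirm that the rule and the route came back.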

Tags
iproute2, pbr, policy based routing, source based routing
