unifi-utilities / unifios-utilities

A collection of enhancements for UnifiOS based devices
GNU General Public License v3.0

Persistence of ip rule #132

Closed bluewalk closed 3 years ago

bluewalk commented 3 years ago

First of all, nice job with on-boot-script. Made my UDM Pro work the same as my USG4 did with redirecting DNS+NTP and nordvpn rerouting.

Speaking of the latter, I have an iptables chain set up to mark outgoing traffic to non-internal IPs, which is then used with PBR through my nordvpn gateway (ip rule add fwmark 100 table nordvpn); this works perfectly. But today it suddenly stopped working. After checking, the iptables rules are still there and the routes in the table are still there, but the rule was gone.

After searching I found:

You can also add the ip rule yourself only for 10.0.0.1 like I mentioned above, but the system removes even the custom ip rules every once in a while, so you need a script that watches the ip rules and re-adds your custom rules every time the Unifi system deletes it.

How would one go about making the ip rule "persistent"? on-boot-script does not execute after every change, I think?

Cheers

bluewalk commented 3 years ago

Looks like issue #88 is on the right track, has there been progress including this in udm-utilities?

SamErde commented 3 years ago

I'm pretty new to Linux networking configuration, and very intrigued by this setup! Do you have (or know of) a guide for configuring PBR for specific IPs, VLANs, or ports+protocols?

peacey commented 3 years ago

SturdyErde, I don't have a guide, but I do have a fully functional PBR VPN script for UDM/P here that uses the built-in openvpn. It supports forcing by IP, VLAN, ports, etc. You can look at how the script is made if you want to learn how it's done.

Basically it's really simple: (1) Mark your packets from specific sources with a fwmark with iptables, (2) Add an ip rule to route this fwmark to a custom routing table, and (3) Add the VPN routes to the custom routing table.

bluewalk, the OS removes custom ip rules when the lease/IP changes. You can just run a script to watch the ip rule and re-add it, as was done in the PR you linked. In my PBR script, I just poll every second to re-add the rule if it's missing, and there isn't any additional CPU usage, so polling isn't an issue.
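The three steps above plus the one-second poll, written out as an added example (this is not code from udm-utilities or from peacey's PBR script). fwmark 100 and the table name nordvpn come from the issue; the VPN next hop VPN_GW, the WAN interface WAN_IF and the chain name VPN_MARK are assumptions chosen for illustration. `rule_present` is the check the watcher relies on: it is a pure function over `ip rule show` output, which prints marks in hex (100 becomes 0x64), so it can be exercised without touching the routing table.

```shell
#!/bin/sh
# Added example, not from udm-utilities or peacey's script.
# (1) mark LAN packets to non-private destinations with a fwmark,
# (2) ip rule fwmark -> custom table, (3) VPN route in that table,
# plus a poll loop that re-adds the rule when UnifiOS drops it on a lease change.

FWMARK="${FWMARK:-100}"        # mark from the issue (ip rule add fwmark 100 table nordvpn)
TABLE="${TABLE:-nordvpn}"      # table name from the issue; must exist in /etc/iproute2/rt_tables
VPN_GW="${VPN_GW:-10.99.0.2}"  # ASSUMED next hop (e.g. the WireGuard VM), not from the thread
WAN_IF="${WAN_IF:-eth8}"       # ASSUMED WAN interface name, not from the thread
INTERVAL="${INTERVAL:-1}"      # poll every second, as peacey describes

# fwmark_hex DEC: `ip rule show` prints marks in hex, so 100 -> 0x64.
fwmark_hex() { printf '0x%x' "$1"; }

# rule_present RULE_OUTPUT FWMARK TABLE
# Pure check: exit 0 if RULE_OUTPUT (text of `ip rule show`) contains
# a rule sending FWMARK to TABLE. The trailing group stops 0x6 matching 0x64.
rule_present() {
    _hex=$(fwmark_hex "$2")
    printf '%s\n' "$1" | grep -Eq "fwmark ${_hex} lookup $3([[:space:]]|\$)"
}

# ensure_rule: re-add the ip rule if the OS has removed it.
ensure_rule() {
    if rule_present "$(ip rule show)" "$FWMARK" "$TABLE"; then
        return 0
    fi
    echo "ip rule fwmark $FWMARK -> table $TABLE missing, re-adding" >&2
    ip rule add fwmark "$FWMARK" table "$TABLE"
}

# setup: steps (1) and (3), then (2) via ensure_rule. Run once (e.g. from on-boot-script).
setup() {
    iptables -t mangle -N VPN_MARK 2>/dev/null || iptables -t mangle -F VPN_MARK
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        iptables -t mangle -A VPN_MARK -d "$net" -j RETURN   # private destinations stay local
    done
    iptables -t mangle -A VPN_MARK -j MARK --set-mark "$FWMARK"
    # Only classify traffic that did not arrive on the WAN side.
    iptables -t mangle -C PREROUTING ! -i "$WAN_IF" -j VPN_MARK 2>/dev/null \
        || iptables -t mangle -A PREROUTING ! -i "$WAN_IF" -j VPN_MARK
    ip route replace default via "$VPN_GW" table "$TABLE"   # step (3)
    ensure_rule                                              # step (2)
}

# watch: the poll loop; cheap because it is one `ip rule show` per interval.
watch() {
    while :; do
        ensure_rule
        sleep "$INTERVAL"
    done
}

case "${1:-}" in
    setup) setup ;;
    watch) watch ;;
esac
```

Run `sh pbr-rule.sh setup` once, then keep `sh pbr-rule.sh watch` running in the background (from an on-boot script). Because `ip rule add` without `pref` takes the next free priority, the re-added rule may land at a different priority than the original; if ordering relative to other custom rules matters, pass an explicit `pref` in both places.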

bluewalk commented 3 years ago

@SturdyErde I'm basically doing the same as @peacey described above. I create a chain to exclude all private IPs and mark the ones going out to 0.0.0.0/0. With an ip rule I route traffic with that mark to my WireGuard VM that runs the connection to nordvpn. His script has all the info you need to set it up easily 👍

@peacey Ah, so that's the reason why it happens: a lease renewal from my provider. I had a look at your repo and I'm definitely gonna borrow some stuff from your updown.sh script :)

SamErde commented 3 years ago

There's a lot there that I will need to assimilate through my learning engine, but definitely looks like it's worth the time! Thanks for sharing your script.