Chapter 12. Configuring Policy-based Routing to Define Alternative Routes


By default, the kernel in RHEL decides where to forward network packets based on the destination address using a routing table. Policy-based routing enables you to configure complex routing scenarios. For example, you can route packets based on various criteria, such as the source address, packet metadata, or protocol.
This section describes of how to configure policy-based routing using NetworkManager.

Note

On systems that use NetworkManager, only the nmcli utility supports setting routing rules and assigning routes to specific tables.

12.1. Routing Traffic from a Specific Subnet to a Different Default Gateway

This section describes how to configure RHEL as a router that, by default, routes all traffic to internet provider A using the default route. Using policy-based routing, RHEL routes traffic received from the internal workstations subnet to provider B.
The procedure assumes the following network topology:
Activate a Connection

Figure 12.1. Activate a Connection

Prerequisites

  • The RHEL router you want to set up in the procedure has four network interfaces:
    • The enp7s0 interface is connected to the network of provider A. The gateway IP in the provider’s network is 198.51.100.2, and the network uses a /30 network mask.
    • The enp1s0 interface is connected to the network of provider B. The gateway IP in the provider’s network is 192.0.2.2, and the network uses a /30 network mask.
    • The enp8s0 interface is connected to the 10.0.0.0/24 subnet with internal workstations.
    • The enp9s0 interface is connected to the 203.0.113.0/24 subnet with the company’s servers.
  • Hosts in the internal workstations subnet use 10.0.0.1 as default gateway. In the procedure, you assign this IP address to the enp8s0 network interface of the router.
  • Hosts in the server subnet use 203.0.113.1 as default gateway. In the procedure, you assign this IP address to the enp9s0 network interface of the router.
  • The firewalld service is enabled and active, which is the default.

Procedure

  1. Configure the network interface to provider A:
    # nmcli connection add type ethernet con-name Provider-A ifname enp7s0 ipv4.method manual ipv4.addresses 198.51.100.1/30 ipv4.gateway 198.51.100.2 ipv4.dns 198.51.100.200 connection.zone external
    The nmcli connection add command creates a NetworkManager connection profile. The following list describes the options of the command:
    • type ethernet: Defines that the connection type is Ethernet.
    • con-name connection_name: Sets the name of the profile. Use a meaningful name to avoid confusion.
    • ifname network_device: Sets the network interface.
    • ipv4.method manual: Enables to configure a static IP address.
    • ipv4.addresses IP_address/subnet_mask: Sets the IPv4 addresses and subnet mask.
    • ipv4.gateway IP_address: Sets the default gateway address.
    • ipv4.dns IP_of_DNS_server: Sets the IPv4 address of the DNS server.
    • connection.zone firewalld_zone: Assigns the network interface to the defined firewalld zone. Note that firewalld automatically enables masquerading interfaces assigned to the external zone.
  2. Configure the network interface to provider B:
    # nmcli connection add type ethernet con-name Provider-B ifname enp1s0 ipv4.method manual ipv4.addresses 192.0.2.1/30 ipv4.routes "0.0.0.0/1 192.0.2.2 table=5000, 128.0.0.0/1 192.0.2.2 table=5000" connection.zone external
    This command uses the ipv4.routes parameter instead of ipv4.gateway to set the default gateway. This is required to assign the default gateway for this connection to a different routing table (5000) than the default. NetworkManager automatically creates this new routing table when the connection is activated.

    Note

    The nmcli utility does not support using 0.0.0.0/0 for the default gateway in ipv4.gateway. To work around this problem, the command creates separate routes for both the 0.0.0.0/1 and 128.0.0.0/1 subnets, which covers also the full IPv4 address space.
  3. Configure the network interface to the internal workstations subnet:
    # nmcli connection add type ethernet con-name Internal-Workstations ifname enp8s0 ipv4.method manual ipv4.addresses 10.0.0.1/24 ipv4.routes "10.0.0.0/24 src=192.0.2.1 table=5000" ipv4.routing-rules "priority 5 from 10.0.0.0/24 table 5000" connection.zone trusted
    This command uses the ipv4.routes parameter to add a static route to the routing table with ID 5000. This static route for the 10.0.0.0/24 subnet uses the IP of the local network interface to provider B (192.0.2.1) as next hop.
    Additionally, the command uses the ipv4.routing-rules parameter to add a routing rule with priority 5 that routes traffic from the 10.0.0.0/24 subnet to table 5000. Low values have a high priority.
    Note that the syntax in the ipv4.routing-rules parameter is the same as in an ip route add command, except that ipv4.routing-rules always requires specifying a priority.
  4. Configure the network interface to the server subnet:
    # nmcli connection add type ethernet con-name Servers ifname enp9s0 ipv4.method manual ipv4.addresses 203.0.113.1/24 connection.zone trusted

Verification Steps

  1. On a RHEL host in the internal workstation subnet:
    1. Install the traceroute package:
      # yum install traceroute
    2. Use the traceroute utility to display the route to a host on the internet:
      # traceroute redhat.com
      traceroute to redhat.com (209.132.183.105), 30 hops max, 60 byte packets
       1  10.0.0.1 (10.0.0.1)     0.337 ms  0.260 ms  0.223 ms
       2  192.0.2.1 (192.0.2.1)   0.884 ms  1.066 ms  1.248 ms
       ...
      The output of the command displays that the router sends packets over 192.0.2.1, which is the network of provider B.
  2. On a RHEL host in the server subnet:
    1. Install the traceroute package:
      # yum install traceroute
    2. Use the traceroute utility to display the route to a host on the internet:
      # traceroute redhat.com
      traceroute to redhat.com (209.132.183.105), 30 hops max, 60 byte packets
       1  203.0.113.1 (203.0.113.1)    2.179 ms  2.073 ms  1.944 ms
       2  198.51.100.2 (198.51.100.2)  1.868 ms  1.798 ms  1.549 ms
       ...
      The output of the command displays that the router sends packets over 198.51.100.2, which is the network of provider A.

Troubleshooting Steps

On the RHEL router:
  1. Display the rule list:
    # ip rule list
    0:	from all lookup local
    5: from 10.0.0.0/24 lookup 5000
    32766:	from all lookup main
    32767:	from all lookup default
  2. Display the routes in table 5000:
    # ip route list table 5000
    0.0.0.0/1 via 192.0.2.2 dev enp1s0 proto static metric 100
    10.0.0.0/24 dev enp8s0 proto static scope link src 192.0.2.1 metric 102
    128.0.0.0/1 via 192.0.2.2 dev enp1s0 proto static metric 100
  3. Display which interfaces are assigned to which firewall zones:
    # firewall-cmd --get-active-zones
    external
      interfaces: enp1s0 enp7s0
    trusted
      interfaces: enp8s0 enp9s0
  4. Verify that the external zone has masquerading enabled:
    # firewall-cmd --info-zone=external
    external (active)
      target: default
      icmp-block-inversion: no
      interfaces: enp1s0 enp7s0
      sources:
      services: ssh
      ports:
      protocols:
      masquerade: yes
      ...

Additional Resources

  • For further details about the ipv4.* parameters you can set in the nmcli connection add command, see the IPv4 settings section in the nm-settings(5) man page.
  • For further details about the connection.* parameters you can set in the nmcli connection add command, see the Connection settings section in the nm-settings(5) man page.
  • For further details about managing NetworkManager connections using nmcli, see the Connection management commands section in the nmcli(1) man page.
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.