How to set default route for custom routing table

Hi,

I would like packets from a specific (LAN) source address to be routed with a different default route.

I thought this would be easy:

  1. Define a new routing table in /etc/iproute2/rt_tables
  2. Add a new rule that enables this table for a specific IP:
# (/etc/config/network)
config rule 'through_vpn'
	option src '192.168.1.243'
	option lookup 'through_vpn'
  3. Populate the routing table:
# (/etc/config/network)
config route
	option interface '<vpn_dev>'
	option gateway '192.168.12.1'
	option table 'through_vpn'
	option target '0.0.0.0'
	option netmask '0.0.0.0'

However, while the rule is applied, the routing table remains empty:

root@awr /e/config# ip rule show
0:	from all lookup local 
1:	from all lookup through_vpn 
32766:	from all lookup main 
32767:	from all lookup default

root@awr /e/config# ip route show table through_vpn
root@awr /e/config# 

What am I doing wrong?

  • You didn't set a priority number for the rule; but this is OK since you only have one
  • If it's a numerically-named table, you don't need to define it
  • I don't see where you add routes to this table...did you name the table "through_vpn"???
  • Try a different table name...i.e. without an underscore

Should be CIDR, so 192.168.1.243/32
Also: ip -4 ro list table all

3 Likes

If it's a numerically-named table, you don't need to define it

Yeah, but I prefer the non-numerical names :-).

I don't see where you add routes to this table.

This is what I thought the "config route" entry in /etc/config/network to do. Am I mistaken?

Try a different table name...i.e. without an underscore

Did not help :-(.

Should be CIDR, so 192.168.1.243/32

Did not help either :-(.

Current configuration is:

root@awr /e/config# tail /etc/config/network
config rule 'throughvpn'
	option src '192.168.1.243/32'
	option lookup 'custom1'

config route
	option interface 'rath'
	option gateway '192.168.12.1'
	option table 'custom1'
	option target '10.2.3.4/24'

root@awr /e/config# tail /etc/iproute2/rt_tables 
255	local
254	main
253	default
0	unspec
#
# local
#
#1	inr.ruhep

5       custom1
root@awr /e/config# ip rule show
0:	from all lookup local 
1:	from 192.168.1.243 lookup custom1 
32766:	from all lookup main 
32767:	from all lookup default 
root@awr /e/config# ip route show table custom1
root@awr /e/config# ip -4 ro list table all
default via 100.64.0.1 dev eth0.2  src 100.92.0.228 
34.120.255.244 dev eth0.2 scope link  src 100.92.0.228 
100.64.0.0/10 dev eth0.2 scope link  src 100.92.0.228 
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1 
192.168.100.1 dev eth0.2 scope link  src 100.92.0.228 
broadcast 100.64.0.0 dev eth0.2 table local scope link  src 100.92.0.228 
local 100.92.0.228 dev eth0.2 table local scope host  src 100.92.0.228 
broadcast 100.127.255.255 dev eth0.2 table local scope link  src 100.92.0.228 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan table local scope link  src 192.168.1.1 
local 192.168.1.1 dev br-lan table local scope host  src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local scope link  src 192.168.1.1 

What I would have expected:

root@awr /e/config# ip route show table custom1
10.2.3.4/24 via 192.168.12.1 dev <something> ....
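Added example, not from any post in this thread: a small POSIX shell checker for the situation shown above, where `ip rule` lists the rule but `ip route show table custom1` prints nothing. The point it makes visible is that a rule pointing at an empty (or default-less) table is not a "broken VPN", it is a silent fall-through: the lookup finds no match in custom1 and continues to main, so the host keeps using the ordinary WAN default route. The source address 192.168.1.243, the table name custom1 and the device name rath are taken from the thread; the sample dumps are constructed, and the `--live` branch is an assumed calling convention, not an OpenWrt facility.

```sh
#!/bin/sh
# Added example, not from this thread: checks whether a policy-routing setup
# like the one above really diverts traffic. With an empty or default-less
# table the rule lookup falls through to the main table, so the "VPN" host
# keeps using the ordinary WAN default route.
# Assumed names: source host 192.168.1.243, table custom1, VPN device "rath"
# (taken from the thread); all dump text below is constructed sample data.

# rule_present RULES SRC TABLE -> 0 if an `ip rule` line sends SRC to TABLE
rule_present() {
    src_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    printf '%s\n' "$1" | grep -Eq "^[0-9]+:[[:space:]]+from ${src_re}(/32)?[[:space:]].*lookup $3([[:space:]]|\$)"
}

# route_count ROUTES -> number of route lines in an `ip route show table X` dump
route_count() {
    printf '%s\n' "$1" | grep -c '[^[:space:]]' || true   # grep -c exits 1 on zero matches
}

# has_default ROUTES -> 0 if the dump contains a default (0.0.0.0/0) route
has_default() {
    printf '%s\n' "$1" | grep -Eq '^(default|0\.0\.0\.0/0)([[:space:]]|$)'
}

# classify RULES ROUTES SRC TABLE -> prints one verdict, returns 0 only for "ok":
#   no-rule     : no rule for SRC -> TABLE, traffic uses the main table
#   empty-table : rule exists but the table is empty, lookup falls through to main
#   no-default  : table has routes but no default, unmatched destinations fall through
#   ok          : rule and default route both present
classify() {
    if ! rule_present "$1" "$3" "$4"; then echo no-rule;     return 3; fi
    if [ "$(route_count "$2")" -eq 0 ]; then echo empty-table; return 2; fi
    if ! has_default "$2";         then echo no-default;  return 1; fi
    echo ok
}

# Constructed sample dumps mirroring the thread: rule in place, table empty.
SAMPLE_RULES='0:      from all lookup local
1:      from 192.168.1.243 lookup custom1
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_ROUTES_EMPTY=''
SAMPLE_ROUTES_OK='default via 192.168.12.1 dev rath proto static'

# Live use on the router (assumed convention):  sh check_pbr.sh --live 192.168.1.243 custom1
if [ "${1:-}" = "--live" ]; then
    classify "$(ip -4 rule show)" "$(ip -4 route show table "$3")" "$2" "$3"
    exit $?
fi

# Offline demonstration on the constructed dumps; the exit status is ignored here.
classify "$SAMPLE_RULES" "$SAMPLE_ROUTES_EMPTY" 192.168.1.243 custom1 || :
classify "$SAMPLE_RULES" "$SAMPLE_ROUTES_OK"    192.168.1.243 custom1 || :
```

Run it with `--live` after `/etc/init.d/network restart` to confirm the table was actually populated rather than trusting that the rule line exists. If the requirement is that the host must never reach the Internet except through the VPN, the same fall-through applies whenever the VPN route disappears (interface down, netifd removing the route); a route of type unreachable with a worse metric in the same table, e.g. `ip route add unreachable default table custom1 metric 1000`, ends the lookup inside custom1 instead of letting it continue to main.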

This will fix your ip rule, because it shouldn't look like that:

It should look like this:

1: from 192.168.1.243 lookup through_vpn

As a workaround, you could try to manually populate the custom routing table using a hotplug script. Put it in the /etc/hotplug.d/net folder.

# $ACTION and $INTERFACE are set by the hotplug caller; only act when the VPN netdev appears
[ "$ACTION" = "add" ] && [ "$INTERFACE" = "something" ] && \
	ip route add 10.2.3.4/24 via 192.168.12.1 dev <something> table through_vpn
root@magiatiko:[~]#tail /etc/iproute2/rt_tables
#
# local
#
#1	inr.ruhep
204 elvetias
203 roadwarrior
201 wan
202 proton
203 wwan
220 test
root@magiatiko:[~]#uci show network.test
network.test=interface
network.test.device='eth0'
network.test.proto='static'
network.test.netmask='255.255.255.0'
network.test.ipaddr='192.168.100.1'
uci add network route
uci set network.@route[-1].table='220'
uci set network.@route[-1].netmask='255.255.255.252'
uci set network.@route[-1].target='100.64.64.0'
uci set network.@route[-1].gateway='192.168.100.2'
uci set network.@route[-1].interface='test'
uci add network rule
uci set network.@rule[-1].in='guest'
uci set network.@rule[-1].src='192.168.1.234/32'
uci set network.@rule[-1].lookup='220'
uci commit network
/etc/init.d/network restart

root@magiatiko:[~]#ip -4 ru
0:	from all lookup local
1:	from 192.168.1.234 iif eth0.2 lookup test
29998:	from all fwmark 0x30000/0xff0000 lookup wwan
29999:	from all fwmark 0x20000/0xff0000 lookup proton
30000:	from all fwmark 0x10000/0xff0000 lookup wan
32766:	from all lookup main
32767:	from all lookup default
root@magiatiko:[~]#ip -4 ro list table test
100.64.64.0/30 via 192.168.100.2 dev eth0 proto static 

Worked fine for me.

Also this is not a valid network, most likely this is the reason it doesn't show up.

1 Like

option target '10.2.3.4/24'
Also this is not a valid network, most likely this is the reason it doesn't show up.

Same problem with a different network though:

root@awr /e/config# tail /etc/config/network
config rule 'throughvpn'
	option src '192.168.1.243/32'
	option lookup 'custom1'

config route
	option interface 'rath'
	option gateway '192.168.12.1'
	option table 'custom1'
	option target '192.168.33.0/24'

root@awr /e/config# /etc/init.d/network restart
root@awr /e/config# ip route show table custom1
root@awr /e/config#

Is there any way to better debug what OpenWRT is doing? For example, can I get it to print the ip commands that it tries to execute?

option target '192.168.33.0'
option netmask '255.255.255.0'
Try it like this.

1 Like

This brought me on the right track, thank you!

It turns out that when I change the proto of the device from manual none (which I had) to static, the route is created correctly.

Is that intentional?

(The device that I want to use is a TAP device brought up by tinc, so I have it set to manual in the UCI config)

I am not aware of proto manual.

If you don't want to manage the interface, there is protocol unmanaged in luci or none in uci.

Apologies, this was a typo. I changed it from none to static to make it work.

Is that intended behavior?

Makes sense, yes.