A few days ago, I was adjusting the network architecture in my lab to allow everything to go out through VPN and access my intranet. This led me to research Policy Based Routing (PBR).

I initially used VRF (Layer 3 switching) to isolate my network, but this prevented me from running my services on the VRF interface. This meant that I couldn’t set up DoH on the router.

Later, I discovered that I could use other methods to achieve PBR without using VRF.

What is PBR?

PBR stands for Policy Based Routing, which is a technique that allows control over routing or packet direction by modifying the next hop IP address.

How to achieve PBR in Linux?

There are many ways to achieve PBR in Linux, such as using a Routing Daemon or using the ip link and ip rule commands.

# For example, if I want to put the route in a table
ip rule add from lookup TW

# And let its network go out through the VPN interface
ip route add via dev VPN-JP table TW

But in this case, I would have to run a script every time I boot up.

But I didn’t want to set up PBR through a script.

So I checked if the FRRouting suite had any PBR-related functionality, and it actually did!

After carefully reading the official documentation, we can start implementing it.

If you haven’t installed FRRouting yet, you can refer to this article to install it.

Setting up PBR

Our current requirement is:

# VPN tunnel
IP Address:

# Intranet

# Used for machines and physical computers within the server

# Requirement
Default route sent to VPN endpoint, and SNAT is set up.

So we can enter these commands to add rules:

  • interface <interface_name>

    • PBR Policy
  • nexthop-group <custom_name>

    • nexthop <next hop, theoretically the VPN endpoint>
  • pbr-map <custom_name> seq

    • match
    • set nexthop-group
    • # If matched, then bind to the rule we just created
interface ens19
 pbr-policy VPN
interface tun1
 pbr-policy VPN
nexthop-group JP
nexthop-group STUIN
pbr-map VPN seq 5
 match dst-ip
 set nexthop-group STUIN
pbr-map VPN seq 10
 match src-ip
 set nexthop-group JP

Finally, we can enter the command show pbr nexthop-groups to view the current rules!