Test driving Policy Based Routing on Linux

Policy Based Routing allows the network admin to apply different forwarding  rules to a packets based on some of its attributes. For example source address, QoS or firewall marks can be used as a packet classification policy.

Policy routing can help in meeting the requirements of differentiated services like QoS, security Policy etc where the traffic from customer paying for a better or more secure service is allowed to use a different network route that the regular traffic.

On Linux Policy Based Routing can be enabled in the following manner

  • The first step is to classify the traffic into different categories based of conditions like source address, destination address, QoS or firewall mark etc.
  • Then use different routing tables to forward traffic from different categories that was created in the first step


In this post we will setup a Linux based router with policy routing. For the purpose of our experiment, we will implement Policy based routing using source address as the classifier. The following topology describes the setup for our test



  • We have 4 networks connecting host1, host2 and server to the router
Network Address Gateway (Router) Host Address
Net1 (router-eth1) (host1-eth0)
Net2 (router-eth2) (host2-eth0)
Net3 (router-eth3) (server-eth0)
Net4 (router-eth4) (server-eth1)
  • The server holds the IP, which is the destination the hosts are trying to reach.
  • The router has two paths to forward the packets arriving from host1 and host2 to destination, either using the or network.
  • To begin with the server and the router is configured with static routes to use only one link (router-eth3 <-> server-eth0 i.e. network) to forward traffic between router and server


The topology is implemented using mininet network simulator. The code for the topology is available here.

Start the simulated topology using the following command(using the policy_routing_disabled.py file from the repository).

sudo python policy_routing_disabled.py

We will start with a topology with disabled policy routing and learn the steps need to enable policy routing. (if you want a ready made mininet topology with policy routing look at policy_routing_enabled.py file that implements this)

The mininet configuration implements the hosts, server nodes as network namespaces, and the router is implemented by using the Linux host itself.

Once the topology is ready try to ping the IP located on the server from the hosts.

Note: In the mininet CLI, a command can be started on a node by providing the node name followed by the command like in the form “<node_name> <command> <argument1> <argument2> …”

mininet> host1 ping
mininet> host2 ping

Without the policy routing in place the packets are forwarded using one of the path( network, net3). You can verify this by running the following command on the router (as the Linux host is acting as the router the following command can be started on another terminal).

$ watch "egrep router-eth.* /proc/net/dev"


Note the interface statistics of router-eth4 does not change when ping packets are transmitted either from host1 or host2 to server.

Lets remove the static route setting on the router and modify the one on server as shown below

mininet> router route del -net dev router-eth3
mininet> server ip route del via
mininet> server ip route add via

We can now proceed to enable policy routing.

Enabling policy routing

Lets now start configuring the policy routing

  1. Classify the traffic arriving on the router based on source network to use different routing table. The following commands add classification policy on the router, which in this case is the source network.
mininet> router ip rule add from lookup net1_table
mininet> router ip rule add from lookup net2_table
  1. Add the routing tables
mininet> router echo "101 net1_table">> /etc/iproute2/rt_tables
mininet> router echo "102 net2_table">> /etc/iproute2/rt_tables
  1. Add routes to the individual table. The following routes add different path to reach destination network
mininet> router ip route add via table net1_table
mininet> router ip route add via table net2_table

With the above settings in place, the routing rules from net1_table are applied to packets arriving from network (net1) and  rules from net2_table are applied to packets arriving from network (net2).

Verifying the result

Use the following command on the mininet prompt to start a xterm connected to router.

mininet> xterm router

Use the xterm to start a watch command on all interfaces of the router

(router xterm) $ watch "egrep router-eth.* /proc/net/dev"

Now start a ping from host1 to and check the output to verify that the packets are forwarded using eth3 interface on the router

mininet> host1 ping

The same steps can be used to verify that if the ping is started from host2 to eth4 interface on the router

Here are the example output.

Initial stats:


Send 10 Ping packets from Host1:


Send 10 Ping packets from Host2:


The results show that the traffic from host1 which arrives on the router interface router-eth1 is forwarded using network through router interface router-eth3 and traffic from host2 which arrives on the router interface router-eth2 is forwarded using network through router interface router-eth4

The following figure shows the change in traffic flow due to policy based routing configuration


The final settings with policy routing enabled is also available as a mininet configuration as policy_routing_enabled.py in the repository.


In this experiment we started with a setup where the router had two paths to the destination server but was using only one to forward traffic. With the help of policy routing we were able to utilize both the path to communicate with the server.

The traffic was distributed based on the source address. i.e. packets coming from net1( is forwarded over net3( while that from net2( is forwarded over net4(


Published by

Chandan Dutta Chowdhury

Software Engineer

One thought on “Test driving Policy Based Routing on Linux”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s