Policy Based Routing using Unifi USG3

I did mention before that I’m using dual ISP configuration, with one of them being fast (Virgin, 350/35) and the other is reliable (Andrews & Arnold, 80/20, 24x7, and generally much lower latency all around). I found that sometimes I want some device just to use a specific ISP, and not the other. For example, I want my MacBook to use the reliable (and low-latency) connection for work.

USG3, being a limited device it is, provides only very basic dual-WAN configuration: it’s either failover, or load-balancing. There’s no way to tell it to use one WAN for some traffic, and the other for the rest. However, it is still possible to configure this using the command line. Specifically:

configure

# Here we create a new routing table, and add a default route to it, which always 
# points to the secondary WAN interface - pppoe1 in my case.
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface pppoe1

# Just a handy description
set firewall modify SOURCE_ROUTE2 rule 10 description "This IP to WAN2"

# This is the actual rule, which matches the source IP address.
set firewall modify SOURCE_ROUTE2 rule 10 source address 192.168.xx.xxx

# Adds the rule to routing table 1
set firewall modify SOURCE_ROUTE2 rule 10 modify table 1

# Adds the rule to the WAN interface
set interfaces ethernet eth1 firewall in modify SOURCE_ROUTE2

# Commits the changes
commit; save; exit

This is it. Now, the device with the IP address 192.168.xx.xxx will always use the secondary WAN interface.

One last thing to do is to persist these changes - by default, everything you do using configure command will get deleted upon the next re-provisioning (or reboot) of the USG. Luckily, there are lots of guides on how to do this, and this guide even provides a script to make this easier. Have fun, and happy hacking!