Can I do policy routing on a virtual interface?



I know it is possible to give multiple IP addresses to the same interface, say eth0. It is also possible to build several virtual interfaces on the same physical NIC, say eth0:1, eth0:2,....

Suppose now they all belong to the same subnet. Can I do policy routing with them? For instance, having several routers in the same subnet, can I assign different gateways to

  1. different virtual interfaces?
  2. different IP addresses on the same NIC?

I have tried and failed, so far. I am wondering now whether this is a problem in my configuration, or a problem in principle, i.e., it just cannot be done.


In the end, I managed to get it working, and I would like to share this howto for the casual peruser in need. I am using a Debian-family distribution. When I find the time, I will post the equivalent for systemd distros, Fedora, Arch Linux,...

I do not wish to use IP aliasing because it is an obsolete technology which is kept only for backward compatibility, see this page. So I let eth0 be routed through, but then I wish to create a new virtual interface to be routed through. I do it like this: I do not change /etc/network/interfaces, where nothing is configured by me. I have added the line

  200 lab

to /etc/iproute2/rt_tables. Then I issue the commands:

  ip link add link eth0 mac0 address 56:61:4f:7c:77:db type macvlan

this creates the virtual interface mac0 with MAC address 56:61:4f:7c:77:db which I use for address reservation in the router;

  ip link set mac0 up

this brings it up

  dhclient mac0

and this gives it an IP address (always the same, thanks to address reservation);

  IP=$(ifconfig | grep -A 1 mac0 | grep inet | awk '{print $2}' | awk -F ":" '{print $2}')

this stores the IP number of the virtual interface mac0 in the shell variable IP;

  ip route del default via dev eth0 
  ip route add default via dev eth0 
  ip route add dev eth0
  ip route add default via dev mac0 table lab
  ip route add dev mac0 table lab
  ip route del dev mac0 table main

This configures the routing table, to use as a default gateway for eth0, and as gateway for mac0 in the routing table lab;

  ip rule add from $IP table lab

this rule specifies under which conditions to use the routing table lab. All of the above commands are inserted into an executable shell script, and the command to run it is placed in /etc/rc.local, so that the system comes up at boot already correctly configured.

Last things to do, some port forwarding, and address reservation. Done.

Thanks for your help.

P.S.: in case anyone's wondering... I need this because I have two routers at home: the first one is a normal router, the other one is a DD-WRT router acting as an OpenVPN client to my lab's OpenVPN server. All traffic to gets redirected to my lab, for obvious work-related reasons, while the rest of the family uses, which performs DHCP service. My work PC uses as a gateway. When I am on the road, I sometimes need to access work-related business on my PC, which does have an SSH server running, but it passes through. So, if I try to ssh into my work PC from away from home, requests come through, but replies go through, and the ssh session is never established. The contraption above solves this conundrum.


Posted 2014-01-16T06:53:27.223

Reputation: 41 321
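The procedure in the question, collected into one script. This is an added example, not code from the original post: it keeps the same steps (rt_tables entry, macvlan creation, DHCP, routes in main and lab, the `from $IP` rule) but replaces the ifconfig|grep|awk chain with a small parser over `ip -4 -o addr` output, uses `ip route replace` so the script can be re-run from /etc/rc.local without duplicate-route errors, and ends with `ip route get ... from $IP`, which asks the kernel which gateway a reply sourced from the macvlan address will actually use. All addresses (LAN 192.168.1.0/24, family router 192.168.1.1, DD-WRT router 192.168.1.2) and the sample `ip addr` line are assumed placeholders, not values from the post; the MAC address is the one the post uses.

```shell
#!/bin/sh
# Added example, not code from the original post: the macvlan + policy-routing
# setup from the question as one re-runnable script with a dry-run mode.
# Addresses below are assumed placeholders, not taken from the post:
#   LAN 192.168.1.0/24, family router 192.168.1.1, DD-WRT/OpenVPN router 192.168.1.2.
# DRY_RUN=1 (default) prints every command instead of running it;
# DRY_RUN=0 applies them and must run as root.
PARENT=${PARENT:-eth0}
VIF=${VIF:-mac0}
VIF_MAC=${VIF_MAC:-56:61:4f:7c:77:db}     # reserved on the DHCP server, as in the post
TABLE_ID=200
TABLE_NAME=lab
SUBNET=${SUBNET:-192.168.1.0/24}          # assumed
GW_MAIN=${GW_MAIN:-192.168.1.1}           # assumed: default gateway for eth0 (table main)
GW_LAB=${GW_LAB:-192.168.1.2}             # assumed: default gateway for mac0 (table lab)
DRY_RUN=${DRY_RUN:-1}

# Constructed sample of `ip -4 -o addr show dev mac0` output, used only in dry-run mode.
SAMPLE_ADDR='7: mac0    inet 192.168.1.50/24 brd 192.168.1.255 scope global dynamic mac0\       valid_lft 86171sec preferred_lft 86171sec'

# run: print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# first_ipv4: read `ip -4 -o addr show dev IFACE` on stdin and print the first
# IPv4 address without its prefix length. Replaces the ifconfig|grep|awk chain,
# which depends on the "inet addr:" wording of older net-tools output.
first_ipv4() {
  awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4; exit }'
}

# ensure_table FILE: append "200<TAB>lab" to an rt_tables file unless an
# equivalent entry is already there, so re-running the script stays idempotent.
ensure_table() {
  if ! grep -Eq "^[[:space:]]*$TABLE_ID[[:space:]]+$TABLE_NAME([[:space:]]|\$)" "$1" 2>/dev/null; then
    printf '%s\t%s\n' "$TABLE_ID" "$TABLE_NAME" >> "$1"
  fi
}

# add_routes IP: table main keeps eth0 as the only way out; table lab sends
# everything sourced from the macvlan address out through the lab router.
add_routes() {
  run ip route replace default via "$GW_MAIN" dev "$PARENT"
  run ip route replace "$SUBNET" dev "$PARENT"
  run ip route replace default via "$GW_LAB" dev "$VIF" table "$TABLE_NAME"
  run ip route replace "$SUBNET" dev "$VIF" table "$TABLE_NAME"
  # dhclient also put the connected route for the subnet via mac0 into main;
  # drop it so that traffic not matched by the rule never leaves via the macvlan.
  run ip route del "$SUBNET" dev "$VIF" table main
  # The policy itself: replies sourced from the macvlan address consult table lab.
  run ip rule add from "$1" table "$TABLE_NAME"
}

# setup [RT_TABLES_FILE]: run the whole procedure; prints the macvlan address last.
setup() {
  rt_tables=${1:-/etc/iproute2/rt_tables}
  ensure_table "$rt_tables"
  run ip link add link "$PARENT" "$VIF" address "$VIF_MAC" type macvlan
  run ip link set "$VIF" up
  run dhclient "$VIF"
  if [ "$DRY_RUN" = 1 ]; then
    vip=$(printf '%s\n' "$SAMPLE_ADDR" | first_ipv4)
  else
    vip=$(ip -4 -o addr show dev "$VIF" | first_ipv4)
  fi
  [ -n "$vip" ] || { echo "no IPv4 address on $VIF" >&2; return 1; }
  add_routes "$vip"
  # Verification from the kernel's point of view: the first lookup must report
  # "via $GW_LAB dev $VIF", the second "via $GW_MAIN dev $PARENT".
  run ip route get 1.1.1.1 from "$vip"
  run ip route get 1.1.1.1
  printf '%s\n' "$vip"
}

if [ "$DRY_RUN" = 1 ]; then
  setup "${TMPDIR:-/tmp}/rt_tables.dry-run"
else
  setup /etc/iproute2/rt_tables
fi
```

Two things worth checking once it runs for real, both consequences of having two addresses on the same subnet on two interfaces that share one wire. First, ARP: with the default `arp_ignore=0` the kernel will answer a request for the mac0 address on eth0 as well, so peers may learn the wrong MAC and deliver to eth0, and the reply then leaves by the other router again; `sysctl -w net.ipv4.conf.all.arp_ignore=1 net.ipv4.conf.all.arp_announce=2` restricts each interface to its own addresses. Second, reverse-path filtering: `net.ipv4.conf.mac0.rp_filter` in strict mode (1) is satisfied here because the `from $IP` rule makes the reverse lookup pick mac0, but if packets arriving on mac0 silently vanish, `nstat -az TcpExtIPReversePathFilter` is the counter to look at. Finally, the rule is keyed on the address the DHCP server hands out, which is why the reservation on the MAC address matters: a different lease would leave the rule pointing at nothing.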



  1. Yes you can.
  2. Yes you can, if you are talking about an IP on eth0, eth0:1, eth0:2, and so forth. I've never seen multiple IP addresses on a single NIC (that's what the :1 :2 are there for).

All of this can be accomplished with the ip command.

The reason you are having issues routing is that you only have a single routing table, and since the interfaces are in a single subnet, the default GW for that subnet will end up being applied. If however, you create multiple routing tables, you can direct traffic in and out of them based on the interface they came in on, or the origin IP, or any other type of criteria available to you in that context.



Reputation: 1 029

You might find it amusing to see my edit... – MariusMatutiae – 2014-01-17T11:33:52.793

Very nice job, and nicely documented! – NickW – 2014-01-17T12:33:59.567


Breaking this down:

  • The 'interface' (Ethernet interface to be more specific) is actual hardware, has a unique MAC address and operates at the physical and data link layer. It actually does the work of communicating.
  • You can then send and receive IP packets in the packet/datagram OSI layer over this interface.
  • A virtual interface is a software abstraction in a kernel referring to either actual hardware interfaces or to tunnels (which I think are interface abstractions).
  • A sub-net is a range of possible IP addresses and thus requires a router.
  • Policy routing is routing based on other than the destination address, like for example routing based on the sender's address to direct certain traffic over a different route.

Where I get stumped is 'having several routers on the same sub-net'.

Also without a router in between I think a gateway can only handle one connection to a network interface at a time.

Hope this might help you think about it if nothing else. The network software can be very complex and it sometimes surprises me what is actually going on.

Elliptical view


Reputation: 864

At home I have two gateways, one normal, one acting as a VPN client to my lab's OpenVPN server. Depending which gateway I choose up, I may/may not access my University's LAN, and appear (or not) as working out of it to the general Internet. I would like to access my pc at home, when I am on the road, through my home gateway and get a reply back, even though the gateway to the pc is the other gateway, i.e., that connected to my lab. – MariusMatutiae – 2014-01-16T12:34:50.450

+1 because your answer too taught me something. BTW, see, for pure fun, the EDIT to my question. – MariusMatutiae – 2014-01-17T12:42:08.937

Nah, can't imagine that I taught you anything, I'm still soaking up what I learned from you. – Elliptical view – 2014-01-18T02:18:41.977