Toggling a routing rule using homeassistant

For a while, I made all my Chromecast traffic route through my mum’s house in the States. To get US Netflix from abroad, I flipped on the Wireguard app on a phone, then opened Netflix on the phone and cast to the Chromecast. With the imminent release of Stadia, I want to be able to easily turn on and off this routing rule for my Chromecast.

The solution:

Make a rule that sends both the phone traffic and the Chromecast traffic through the States
Disable or enable the firewall rule with a script on the Edge Router.
Make an input boolean in homeassistant, with an associated automation that calls the script on the Edge Router.

Edge router config

Routing rule to send traffic through wg0 (the Wireguard interface) to the Raspberry Pi in the States:

set protocols static table 143 description 'table to force hosts to Raspberry Pi in the States'
set protocols static table 143 interface-route 0.0.0.0/0 next-hop-interface wg0

NOTE: I used a 143 for the table because I wanted to avoid conflicts with existing tables.

Firewall rule to make traffic involving the Chromecast use routing table 143:

set firewall modify PBR_MODIFY description 'route some hosts through the States'
set firewall modify PBR_MODIFY rule 10 action accept
set firewall modify PBR_MODIFY rule 10 description 'exclude LAN to LAN traffic from PBR'
set firewall modify PBR_MODIFY rule 10 destination address <192.168.0.0/16
set firewall modify PBR_MODIFY rule 20 action modify
set firewall modify PBR_MODIFY rule 20 description 'send chromecast to the States'
set firewall modify PBR_MODIFY rule 20 modify table 143
set firewall modify PBR_MODIFY rule 20 source address 192.168.1.7/32
set firewall modify PBR_MODIFY rule 30 action modify
set firewall modify PBR_MODIFY rule 30 description 'send my phone to the States'
set firewall modify PBR_MODIFY rule 30 modify table 143
set firewall modify PBR_MODIFY rule 30 source address 192.168.1.11/32

Now we can turn on the firewall rule with:

set interfaces ethernet eth1 firewall in modify PBR_MODIFY

And turn it off with:

delete interfaces ethernet eth1 firewall in modify PBR_MODIFY

A script to enable or disable the rule looks like this:

#!/bin/bash
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper begin
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set interfaces ethernet eth1 firewall in modify PBR_MODIFY
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper commit
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper endexit

Note that the configure command is not directly available from scripts, so we must use /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper.

homeassistant config

configuration.yaml:

input_boolean:
  routing_switch:
    name: routing_switch
    initial: off
    icon: mdi:web

shell_command:
    foreign_routing_on: /config/foreign_routing_on.sh
    foreign_routing_off: /config/foreign_routing_off.sh

automations.yaml:

- id: '1212133334499'
  alias: 'Foreign Routing On/Off'
  trigger:
  - entity_id: input_boolean.routing_switch
    platform: state
  action:
  - service_template: shell_command.foreign_routing_{{trigger.to_state.state}}

foreign_routing_on.sh:

ssh ubnt@<edge router IP> ./set_foreign_routing.sh

Result

The end result is that I have a switch on the homeassistant page on my phone which I can use to toggle the routing rule for the Chromecast and the phone.

A screenshot of the homeassistant app with a single on/off button labeled routing switch