Policy Routing Configuration

At this point, the firewall is prepared for Multi-WAN but it will not yet be used. Traffic will not fail over or be load balanced without policy routing firewall rules in place.

Note

One possible exception is when Default Gateway Switching is enabled (see Default Gateway Switching), in which case failover of the default route can still function without policy routing. Load balancing still requires policy routing rules.

Configuring Firewall Rules for Policy Routing

Setting a Gateway on a firewall rule will cause traffic matching the rule to use the chosen gateway or group, following the configured behavior of the group.

The easiest way to configure a firewall for policy routing is to edit the existing default pass rule for the LAN and select the gateway group there. With that set, any traffic matching the default pass rule on the LAN will use the chosen gateway or group.

To make that edit:

  • Navigate to Firewall > Rules, LAN tab
  • Click the pencil (edit) icon on the row with the default pass rule
  • Click Display Advanced under Extra Options
  • Select the desired gateway group from the Gateway drop-down list
  • Click Save
  • Click Apply Changes

Only the most basic deployments will be satisfied with that configuration; most are more complex. Continue reading for other factors that can require additional configuration.

Bypassing Policy Routing

If there are other local interfaces, VPNs, MPLS interfaces, or traffic that must otherwise follow the system routing table, then that traffic must be configured to bypass policy routing. This is simple to do: make a rule that matches the traffic in question with no gateway set, and place that rule above any rules that have a gateway configured, because the first rule to match is the one that is used.

This can be generalized by making an alias covering all RFC 1918 space, which matches every private network, and then using that alias as the destination in a bypass rule. The alias contains 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. Because such a rule passes traffic to any private destination, any rules that restrict access between local subnets must be placed above it.

In Figure Bypass Policy Routing Example Rules, local and VPN traffic bypasses policy routing, HTTPS traffic prefers WAN2, and all other traffic is load balanced:

[Figure: Bypass Policy Routing Example Rules]

Mixing Failover and Load Balancing

As shown in Figure Bypass Policy Routing Example Rules, failover and load balancing can be used at the same time by carefully ordering the rules on an interface. Rules are processed from the top down and the first match wins. By placing more specific rules near the top of the list, and the general “match all” style rules at the bottom, any number of different combinations are possible with rules using different gateways or groups.

Enforcing Gateway Use

There are situations where traffic should only ever use one gateway and never load balance or fail over. In this example, a device must only ever exit via a specific WAN and must lose all connectivity when that WAN fails.

First, set the Gateway on a firewall rule matching traffic from this device to the specific WAN gateway. By default, if that gateway is down, the firewall loads the rule without its gateway, so the rule acts as if no gateway had been set and the traffic follows the system routing table, leaving via whichever WAN is currently the default. Preventing that takes a couple of steps further.

Add a second rule immediately below the rule matching the traffic, matching the same source, with its action set to Block or Reject. This rule must not have a gateway set.

Next, configure the firewall to omit rules for gateways that are down (see Gateway Monitoring):

  • Navigate to System > Advanced on the Miscellaneous tab
  • Check Do not create rules when gateway is down
  • Click Save

With that option enabled, the first rule is omitted entirely while its gateway is down, so the device's traffic falls through to the block rule below it and is stopped rather than leaving through another WAN.
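The rule-ordering behaviour of the Bypassing Policy Routing and Mixing Failover and Load Balancing sections, and the gateway-down fall-through that the Enforcing Gateway Use section guards against, can be made concrete with a small model of the evaluation. The following Python is an added illustration written for this page, not pfSense's own code: the gateway names, gateway groups, addresses and the rule set are constructed, and the tier semantics of groups and the effect of "Do not create rules when gateway is down" are modelled from the prose above.

```python
"""Model of pfSense policy-routing rule evaluation as described on this page.
Added illustration, not pfSense code: gateway names, groups, addresses and
rules are constructed; the group tier behaviour and the effect of the
"Do not create rules when gateway is down" option follow the page's prose."""
from dataclasses import dataclass
from typing import List, Optional, Union
import ipaddress

# Alias covering all RFC 1918 space, as the page suggests for bypassing policy routing.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Constructed gateway groups: name -> [(gateway, tier)].
# Members on the same tier are load balanced; a higher tier is only used
# when every member on the lower tiers is down (failover).
GROUPS = {
    "LoadBalance": [("WAN_GW", 1), ("WAN2_GW", 1)],
    "PreferWAN2": [("WAN2_GW", 1), ("WAN_GW", 2)],
}

Target = Union[str, List[str]]  # "any", one CIDR, or a list of CIDRs (an alias)


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    src: Target = "any"
    dst: Target = "any"
    dport: Optional[int] = None      # None = any destination port
    gateway: Optional[str] = None    # gateway or group name; None = follow the system routing table


def _covers(target: Target, addr: str) -> bool:
    if target == "any":
        return True
    nets = target if isinstance(target, list) else [target]
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)


def matches(rule: Rule, pkt: dict) -> bool:
    return (_covers(rule.src, pkt["src"]) and _covers(rule.dst, pkt["dst"])
            and (rule.dport is None or rule.dport == pkt.get("dport")))


def resolve(name: str, gw_up: dict) -> List[str]:
    """Gateways a rule may use for a gateway or group name; [] when all of them are down."""
    if name not in GROUPS:
        return [name] if gw_up.get(name) else []
    up = [(gw, tier) for gw, tier in GROUPS[name] if gw_up.get(gw)]
    if not up:
        return []
    best = min(tier for _, tier in up)
    return [gw for gw, tier in up if tier == best]


def route(pkt: dict, rules: List[Rule], gw_up: dict, omit_down_rules: bool = False):
    """Evaluate the rule set top down; the first match wins.

    Returns ("block", None), ("pass", "default") for the system routing table,
    or ("pass", [gateways]) for policy-routed traffic."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.action == "block":
            return ("block", None)
        if rule.gateway is None:
            return ("pass", "default")
        gws = resolve(rule.gateway, gw_up)
        if gws:
            return ("pass", gws)
        if omit_down_rules:
            # "Do not create rules when gateway is down": the rule is not loaded
            # at all, so evaluation continues with the next rule in the list.
            continue
        # Default behaviour: the rule is loaded without its gateway and the traffic
        # follows the system routing table, i.e. it leaves via another WAN.
        return ("pass", "default")
    return ("block", None)  # nothing matched: default deny


LAN_NET = "192.168.1.0/24"
PINNED_HOST = "192.168.1.50/32"   # constructed device that must only ever use WAN2_GW

# Constructed LAN rule set in the order of the Bypass Policy Routing Example Rules
# figure, with the two "Enforcing Gateway Use" rules for PINNED_HOST added near the top.
LAN_RULES = [
    Rule("pass", src=LAN_NET, dst=RFC1918),                      # local/VPN traffic: no gateway, bypasses policy routing
    Rule("pass", src=PINNED_HOST, gateway="WAN2_GW"),            # pinned host: one specific gateway
    Rule("block", src=PINNED_HOST),                              # no gateway: catches the pinned host when the rule above is omitted
    Rule("pass", src=LAN_NET, dport=443, gateway="PreferWAN2"),  # HTTPS prefers WAN2, fails over to WAN
    Rule("pass", src=LAN_NET, gateway="LoadBalance"),            # default pass rule: everything else load balanced
]

ALL_UP = {"WAN_GW": True, "WAN2_GW": True}
WAN2_DOWN = {"WAN_GW": True, "WAN2_GW": False}

if __name__ == "__main__":
    web = {"src": "192.168.1.10", "dst": "203.0.113.10", "dport": 443}
    pinned = {"src": "192.168.1.50", "dst": "198.51.100.7", "dport": 22}
    print("local  ", route({"src": "192.168.1.10", "dst": "10.8.0.5", "dport": 443}, LAN_RULES, ALL_UP))
    print("https  ", route(web, LAN_RULES, ALL_UP), route(web, LAN_RULES, WAN2_DOWN))
    print("other  ", route(dict(web, dport=80), LAN_RULES, ALL_UP))
    print("pinned ", route(pinned, LAN_RULES, WAN2_DOWN), route(pinned, LAN_RULES, WAN2_DOWN, omit_down_rules=True))
```

The last line of output is the point of the Enforcing Gateway Use section: with WAN2_GW down and the option off, the pinned host's traffic is passed via the system default route and leaves through the other WAN; with the option on, the pinned rule is skipped and the block rule beneath it stops the traffic. The earlier lines show the bypass rule taking private destinations out of policy routing, the HTTPS rule falling over from WAN2_GW to WAN_GW, and the catch-all rule balancing across both gateways.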