Policy Routing Configuration

At this point the firewall is prepared for Multi-WAN but not fully configured. With default gateway switching the firewall will have basic failover, but it cannot yet use more advanced failover or load balancing behaviors without policy routing firewall rules in place.

See also

For information on default gateway switching, see Managing the Default Gateway.

Configuring the Firewall Default State Policy

The default State Policy (Firewall State Policy) is not directly related to policy routing but can affect how it functions for traffic originating on the firewall itself.

Daemons bound to WANs that are not default, and which have no static route configured to control their outbound behavior, may fail to pass outbound traffic when the default policy is set to “Interface Bound States”. This is common for certain types of VPN clients, such as OpenVPN. If these are necessary, consider changing the default policy to “Floating States”.

See Interface Bound States for additional information on this failure case.

Configuring Firewall Rules for Policy Routing

Setting a Gateway on a firewall rule will cause traffic matching the rule to use the chosen gateway or group, following the configured behavior of the group.

The easiest way to configure a firewall for policy routing is to edit the existing default pass rule for the LAN and select the gateway group there. With that set, any traffic matching the default pass rule on the LAN will use the chosen gateway or group.

To make that edit:

  • Navigate to Firewall > Rules, LAN tab

  • Click the edit (pencil) icon on the row with the default pass rule

  • Click Display Advanced under Extra Options

  • Select the desired gateway group from the Gateway drop-down list

  • Click Save

  • Click Apply Changes

Only the most basic deployments will be satisfied with that configuration; most are more complex. Continue reading for additional factors that may require further configuration.

Bypassing Policy Routing

If there are other local interfaces, VPNs, MPLS interfaces, or traffic that must otherwise obey the routing table, then that traffic must be configured to bypass policy routing. This is simple to do by making a rule to match the traffic in question and then placing that rule above any rules that have a gateway configured, because the first rule to match is the one that is used.

This can be generalized by making an alias for any RFC1918 traffic which would cover all private networks, and then using that in a rule. This alias would contain at least 192.168.0.0/16, 172.16.0.0/12, and 10.0.0.0/8.

In Figure Bypass Policy Routing Example Rules, local and VPN traffic bypasses policy routing, HTTPS traffic prefers WAN2, and all other traffic is load balanced:

[Figure: Bypass Policy Routing Example Rules]

Mixing Failover and Load Balancing

As shown in Figure Bypass Policy Routing Example Rules, failover and load balancing can be used at the same time by carefully ordering the rules on an interface. Rules are processed from the top down and the first match wins. By placing more specific rules near the top of the list, and the general “match all” style rules at the bottom, any number of different combinations are possible with rules using different gateways or groups.

Enforcing Gateway Use

There are situations where traffic should only ever use one gateway and never load balance or failover. In this example, a device must only exit via a specific WAN and lose all connectivity when that WAN fails.

First, set the Gateway on a firewall rule matching traffic from this device to a specific WAN gateway. If that gateway is down, the rule behaves as if no gateway were set at all, so the configuration must be taken a couple of steps further.

Add a rule immediately below the rule matching the traffic, but set to reject or block instead. This rule must not have a gateway set.

Next, configure the firewall to omit rules for gateways that are down (Gateway Monitoring):

  • Navigate to System > Advanced on the Miscellaneous tab

  • Check Do not create rules when gateway is down

  • Click Save

With that option enabled, the first rule will be omitted entirely, falling through to the next matching rule. This way, when the first rule is omitted automatically, traffic will be stopped by the block rule.
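For readers who want to see the mechanism behind the GUI rules, the following pf ruleset is an added illustration, not code from the pfSense documentation or project, written in the style of what pfSense generates for the LAN rules described above: the RFC1918 bypass, a host pinned to one WAN with a block rule beneath it, HTTPS preferring WAN2, and a load balanced catch-all. The interface names, gateway addresses and the 192.168.1.50 host are assumed values.

```pf
# Constructed example approximating pfSense-generated LAN rules.
# Assumed layout: LAN = igb0, WAN1 = igb1 (gw 203.0.113.1), WAN2 = igb2 (gw 198.51.100.1)
lan_if  = "igb0"
wan1_if = "igb1"
wan1_gw = "203.0.113.1"
wan2_if = "igb2"
wan2_gw = "198.51.100.1"

# Alias covering all private networks (the RFC1918 alias from the text)
table <rfc1918> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# 1. Bypass policy routing: no route-to, so local and VPN destinations
#    follow the routing table. Must sit above every rule that has a gateway.
pass in quick on $lan_if from $lan_if:network to <rfc1918> keep state

# 2. Enforce a single gateway for one host: traffic may only leave via WAN1.
#    When "Do not create rules when gateway is down" is enabled, pfSense omits
#    this pass rule while WAN1's gateway is down, so the block rule matches instead.
pass in quick on $lan_if route-to ($wan1_if $wan1_gw) from 192.168.1.50 to any keep state
block in quick on $lan_if from 192.168.1.50 to any

# 3. HTTPS prefers WAN2 (a failover group would substitute its other member
#    when WAN2 is down; a single fixed gateway is shown here for clarity).
pass in quick on $lan_if route-to ($wan2_if $wan2_gw) proto tcp \
    from $lan_if:network to any port 443 keep state

# 4. Everything else is load balanced across both WANs, first match wins
#    from top to bottom, so this general rule stays last.
pass in quick on $lan_if route-to { ($wan1_if $wan1_gw), ($wan2_if $wan2_gw) } round-robin \
    from $lan_if:network to any keep state
```

The order is the whole point: because every rule carries `quick`, a packet to a private destination never reaches a `route-to` rule, and the pinned host is blocked rather than silently falling through to load balancing when its WAN is down.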