What is Policy-based Routing?
In networking, traffic is usually forwarded according to the system's routing table, which can be static or populated dynamically from your network topology. Policy-Based Routing (PBR) is a technique for making routing decisions based on policies you define, overriding the routing table for the traffic those policies match.
Traditional Policy-Based Routing matches on IP-layer attributes such as source and destination address, protocol and port, that is, on which services the traffic belongs to. Firewalla's Policy-Based Routing is more flexible: a route can also be matched to a destination category (for example gaming or video).
- Firewalla PBR is content-aware
- The PBR feature only works if you have multiple WAN or VPN connections
- The full PBR feature is available on the Firewalla Gold and Firewalla Purple
- Routing to a VPN is supported on the Blue Plus
- You can select any type of traffic and route it to your VPN servers, as long as the VPN is connected.
- With a dual-WAN setup, you can route any traffic to either WAN connection, regardless of whether the WANs are configured for failover or load balancing.
Example use cases:
- Routing all video traffic to a 3rd party VPN server
- Routing all traffic from a PC to the standby WAN
- Routing Zoom or gaming traffic over a low-latency WAN interface
How to use it?
On the Firewalla Box main page, tap Routes -> Add Route, choose the type of traffic to match, choose the device, group or network it applies to, and route it to any VPN or WAN connection.
Starting with the Firewalla 1.52 app release, you can also choose a Route Preference for each route: Static drops the traffic if the selected interface is not available; Preferred lets the traffic take an alternate route if the selected interface is not available. Read more about this feature in our 1.52 App Release Notes.
The following Targets are supported in Routes:
- Target List (Beta)
- IP Address
- IP Address Range
- Remote Port
- All Gaming Sites
- All Social Sites
- All Video Sites
When routes conflict, the route with the more specific target and device scope takes priority.
The priority order for device scope is Device > Group > Network > Global (all devices).
- When there is a conflict, device/group rules take precedence over Network rules.
- When there is a conflict, Network rules take precedence over Global rules.
For targets, the priority order is IP/Port > CIDR > Domain > Target List/Category > Region > Internet.
Network Flows Shortcut:
Network Flows are a history of all inbound and outbound traffic on your network. If you need to send a certain type of flow to another WAN or VPN, tap the "route" button on any flow: a Route rule is created from that flow's destination/source, and you can apply it to the device, group or network the flow belongs to, or to all devices.
Example: Route all video traffic on the device Annies-iPhone to a StrongVPN server
- Box main page -> Routes -> Add Route
- Set a target -> All Video Sites
- Select a device -> Annies-iPhone
- Select an interface -> VPN -> StrongVPN
(VPN connection should have been set up in the VPN Client feature)
- Select a route preference -> Static if you want Firewalla to drop video traffic when the VPN is unavailable, or Preferred if you want it sent over another interface when the VPN is unavailable
With this route, all traffic from Annies-iPhone to video sites is routed through StrongVPN while the VPN is connected. If Preferred was selected, video traffic takes another path when the VPN is unavailable; if Static was selected, it is dropped instead.
Example: Connecting to a Starlink Dish Interface
If you have a Starlink dish and want to reach its management interface from your LAN, you can use the Routing feature as follows: create a route whose target is the IP Address Range 192.168.100.0/24, whose ON scope is LAN 1, and whose interface is the WAN connection the Starlink dish is attached to.
This allows any device on LAN 1 to reach any address in the 192.168.100.0/24 range through the Starlink WAN. The route should be Static, not Preferred, because the dish admin portal can never be reached over another WAN.
Instead of an IP Address Range you can also use the exact IP of the dish (typically 192.168.100.1), and you can limit the ON scope to a single device or group if you want to restrict who can reach the dish management interface.
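To make the precedence rules and the Static/Preferred behaviour concrete, here is an added example that models route selection for a flow. It is illustrative code written for this article, not Firewalla's implementation. It encodes the scope order (Device > Group > Network > Global), the target order (IP/Port > CIDR > Domain > Target List/Category > Region > Internet) and the drop-versus-fallback behaviour when the selected interface is down, and it builds a constructed policy mirroring the two examples above (video traffic from Annies-iPhone to StrongVPN, and the Starlink dish range on LAN 1). Two details are assumptions the article does not spell out: scope specificity is compared before target specificity, and a Preferred route whose interface is down falls through to the next matching route and finally to a default WAN. The interface names `wan1`, `wan2` and `starlink-wan` and the device/group names are made up for the example.

```python
"""Added example: a model of Firewalla-style route selection. Not Firewalla code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Lower rank = more specific. Orders taken from the article's priority lists.
SCOPE_RANK = {"device": 0, "group": 1, "network": 2, "global": 3}
TARGET_RANK = {"ip": 0, "port": 0, "cidr": 1, "domain": 2,
               "list": 3, "category": 3, "region": 4, "internet": 5}


@dataclass(frozen=True)
class Route:
    target_kind: str   # key of TARGET_RANK
    target: str        # "203.0.113.10", "443", "192.168.100.0/24", "video", ...
    scope_kind: str    # key of SCOPE_RANK
    scope: str         # device, group or network name; "" for global
    interface: str     # WAN or VPN name (assumed names in this example)
    preference: str    # "static" or "preferred"


@dataclass(frozen=True)
class Flow:
    device: str
    group: str
    network: str
    dst_ip: str
    dst_port: int
    dst_domain: str = ""
    category: str = ""   # "video", "gaming", "social" or ""
    region: str = ""


def scope_matches(route: Route, flow: Flow) -> bool:
    return {
        "device": flow.device == route.scope,
        "group": flow.group == route.scope,
        "network": flow.network == route.scope,
        "global": True,
    }[route.scope_kind]


def target_matches(route: Route, flow: Flow) -> bool:
    dst = ipaddress.ip_address(flow.dst_ip)
    kind = route.target_kind
    if kind == "ip":
        return flow.dst_ip == route.target
    if kind == "port":
        return flow.dst_port == int(route.target)
    if kind == "cidr":
        return dst in ipaddress.ip_network(route.target, strict=False)
    if kind == "domain":
        return flow.dst_domain == route.target or flow.dst_domain.endswith("." + route.target)
    if kind in ("list", "category"):
        return flow.category == route.target
    if kind == "region":
        return flow.region == route.target
    if kind == "internet":
        return dst.is_global
    raise ValueError(f"unknown target kind {kind}")


def select_interface(routes, flow: Flow, up_interfaces, default_wan: str = "wan1") -> Optional[str]:
    """Return the interface the flow egresses on, or None if the flow is dropped."""
    matching = [r for r in routes if scope_matches(r, flow) and target_matches(r, flow)]
    # Most specific first; scope is compared before target (assumption, see lead-in).
    matching.sort(key=lambda r: (SCOPE_RANK[r.scope_kind], TARGET_RANK[r.target_kind]))
    for route in matching:
        if route.interface in up_interfaces:
            return route.interface
        if route.preference == "static":
            return None  # Static: drop rather than use another path
        # Preferred and interface down: fall through to the next matching route
    return default_wan


# Constructed sample policy mirroring the article's two examples.
ROUTES = [
    Route("category", "video", "device", "Annies-iPhone", "StrongVPN", "preferred"),
    Route("category", "video", "global", "", "wan2", "preferred"),
    Route("cidr", "192.168.100.0/24", "network", "LAN 1", "starlink-wan", "static"),
]

# Constructed sample flows.
ANNIE_VIDEO = Flow("Annies-iPhone", "family", "LAN 1", "203.0.113.10", 443, "video.example", "video")
PC_VIDEO = Flow("Office-PC", "work", "LAN 1", "203.0.113.10", 443, "video.example", "video")
DISH_ADMIN = Flow("Office-PC", "work", "LAN 1", "192.168.100.1", 80)

if __name__ == "__main__":
    all_up = {"wan1", "wan2", "StrongVPN", "starlink-wan"}
    print("Annie, VPN up:      ", select_interface(ROUTES, ANNIE_VIDEO, all_up))
    print("Annie, VPN down:    ", select_interface(ROUTES, ANNIE_VIDEO, all_up - {"StrongVPN"}))
    print("PC video:           ", select_interface(ROUTES, PC_VIDEO, all_up))
    print("Dish, Starlink up:  ", select_interface(ROUTES, DISH_ADMIN, all_up))
    print("Dish, Starlink down:", select_interface(ROUTES, DISH_ADMIN, all_up - {"starlink-wan"}))
```

The interesting cases are the failure modes: when StrongVPN is down, Annie's video traffic is not dropped but falls through to the less specific global video route, because her device route is Preferred; the Starlink route is Static, so with the Starlink WAN down the dish traffic is dropped rather than leaking out another WAN, which is exactly why the article recommends Static for that route.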