What is Policy-based Routing?
In networking, network traffic is usually managed by the system's routing table; This routing table can either be static, or dynamic based on your network topology. Policy-Based Routing (PBR) is a technique used to make routing decisions based on policies set by you.
The traditional Policy Based Routing is based on the IP layer, and also the services the network is running. Firewalla Policy Based Routing is much more flexible, and also can be mapped to the destination category (gaming, video).
- Firewalla PBR is content-aware
- The PBR feature will only work if you have multiple WAN or VPN connection
- The full PBR feature is available on the Firewalla Gold and Firewalla Purple
- Routing to VPN is supported for the Blue Plus
Benefits:
- You can specify any type of traffic and route them to your VPN servers, as long as the VPN is connected.
- If you have a dual-WAN setup, you can route any traffic to any WAN connection no matter the WANs are set to failover or load balancing.
Use Cases:
- Routing all video traffic to a 3rd party VPN server
- Routing all traffic on PC to the standby WAN
- Running Zoom or Gaming from a low latency WAN interface
How to use it?
On Firewalla Box main page, tap Routes -> Add Route, specify any type of traffic, matching a device/group/network, and route it to any VPN connection or WAN connection.
Learn more about how to use PBR with VPN and Multiple-WAN
Following Targets are supported in Routes:
- Target List (Beta)
- Domain
- IP Address
- IP Address Range
- Remote Port
- Region
- Internet
- All Gaming Sites
- All Social Sites
- All Video Sites
When there is conflict:
The priority of different levels is device > group > network > global(All devices).
- When there is conflict, device/group rules will take precedence over Network rules.
- When there is conflict, Network rules will take precedence over Global rules.
VPN Example:
Route all video traffic on your iPad to an ExpressVPN server,
- Box main page -> Add Route
- Set a target -> All Video Sites
- Select a device -> iPad
- Select an interface -> VPN -> ExpressVPN
(VPN connection should have been set up in the VPN Client feature) - Save
With this route, all the traffic to video sites will be routed to ExpressVPN when the VPN is connected.
Learn more about how to use PBR with VPN and Multiple-WAN
Comments
10 comments
It would be great if we could redirect specific apps using PBR. Ex: Netflix via VPN1, and Amazon via VPN2, etc
I’m looking at a policy that routes based on what wan is less latent, is that possible? Peplink has this but everything else has me convinced firewalla is the better choice
@sukumar, the VPN redirection can be done on 1.972.
@John, latency based routing is possible; Is the problem you are facing the ISP is getting congested?
I have two LTE connections, one has much more throughput, but worse latency, I’d like to have gaming/remote work go through the less latent path, and video to go over the other connection, and fail over still functional, I see some vendors have “lowest latency” which tracks on the 2nd/3rd hop, and the other, (and preferable) is “fastest response time” this would be ideal, because it could choose the connection based quickest path, which may end up being the other link, I know persistence can be a issue, and would also consider using this for web browsing.
@firewalla, I am on 1.972 early access and 1.44 beta, how do I enable app based VPN routing for Netflix etc?
@Sukumar, Hulu doesn't like Dual WAN so I used PBR to channel andy traffic to hulo.com to my WAN1. You should be able to do the same with Netflix.
Is it possible to use PBR to a (dynamic) virtual device group??? That would solve many problems I'm having:
I can describe more of what I mean but bottom line is that device groups are great but not flexible enough and may change based on context (e.g. netflix or porn).
I'm not sure if I exactly understand your question, but PBR can be applied to Groups. If a device changes groups then the PBR would shift with that.
Is that what you are looking for?
What about when you want to limit the routing to ALL DEVICES EXCEPT specific ones?
ie:
right now I can create a rule forcing ALL the devices to only use CABLEMODEM_WAN, which effectively block them from using the TMOBILE_WAN_BACKUP. but that prevent my work PC from using the backup_WAN
in theory I could create 1 route per device except the 2 work PC/laptop but that's not very practical... Or create 1 group with every devices except the 2 work PC/laptop but that's also not very practical...
I can easily create a route for the 2 work PC to use the backup_WAN but that defeat the purpose since I want them to only do that when the primary is down, not all the time!
We basically need a NOT operator somewhere in the filter logic...
suggestions:
allow to use an "except" operator in the new route filter screen... like:
On a side note, I noticed that even though I did setup the route:
from my laptop I can still access the IP address of the 5g router behind firewalla's TMOBILE_WAN_BACKUP port which is very convenient and logical since the 5g router is not considered internet (192.168.1.1) and visibly firewall keeps routing 192.168.1.0 through TMOBILE_WAN_BACKUP port...
Please sign in to leave a comment.