What is Policy-Based Routing?
In networking, network traffic is usually managed by the system's routing table. This routing table can either be static or dynamic based on your network topology. Policy-Based Routing (PBR) enables you to set policies that control your network's routing decisions. With PBR, you can:
- Route specific types of traffic to your VPN servers (as long as the VPN is connected).
- Route traffic to any of your WAN connections, if you have a dual-WAN setup.
Watch the video below for a tutorial on how to use Firewalla Policy-Based Routing.
- How does Firewalla Policy-Based Routing work?
- What are some use cases for Policy-Based Routing?
- How do I use Policy-Based Routing?
- Policy-Based Routing Examples
How does Firewalla Policy-Based Routing work?
Traditional Policy-Based Routing works at the IP layer, on addresses and on the services the network is running. Firewalla Policy-Based Routing is much more flexible and can be mapped to traffic category (gaming, video, etc.).
- Firewalla PBR is content-aware.
- PBR will only work if you have multiple WAN or VPN connections.
- The full PBR feature is only available on Firewalla Gold series and Purple series boxes.
- Only routing to a VPN server is available on the Blue Plus.
What are some use cases for Policy-Based Routing?
Since Firewalla Policy-Based Routing lets you direct flows based on the type of traffic, it's powerful enough to help you make some significant security- and bandwidth-related adjustments to your network. For example, you can:
- Route all video traffic to a 3rd-party VPN server
- Route all traffic on a PC to the standby WAN
- Run Zoom or gaming traffic over a low-latency WAN interface
- Route VPN Client traffic to a specified WAN or VPN Client
How do I use Policy-Based Routing?
On your box's main page, tap Routes -> Add Route, specify a type of traffic, and choose a device/group/network. Then, route it to any VPN or WAN connection.
You can also specify a Route Preference. For each route, you can select either Static, which drops the traffic if the selected interface is not available, or Preferred, which allows the traffic through an alternate route if the selected interface is not available. Watch a video tutorial or read more about this feature in our 1.52 App Release Notes.
Learn more about how to use PBR with VPN and Multiple-WAN.
The following Targets are supported for Routes:
- Target List (Beta)
- Domain
- IP Address
- IP Address Range
- Remote Port
- Region
- Internet
- All Gaming Sites
- All Social Sites
- All Video Sites
When there is conflict between Routes, Routes with more specific target and device scopes take precedence. The priority list for device scope is Device > Group > Network > Global (All Devices).
- When there is conflict, Device/Group rules will take precedence over Network rules.
- When there is conflict, Network rules will take precedence over Global rules.
If the Routes are applied at the same level, the priority then depends on the matching targets, which are IP/Port > CIDR > Domain/App > Target List/Category > Region > Internet.
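As an added illustration (not Firewalla's code), the resolver below models the two rules above, scope precedence before target specificity, together with the Static/Preferred behaviour of the Preference setting, over constructed routes and flows. The scope and target key names, the Route and Flow fields, and treating Preferred's "alternate route" as the next-best matching route are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Precedence from the article: lower rank wins; device scope is compared first, then target specificity.
SCOPE_RANK = {"device": 0, "group": 1, "network": 2, "global": 3}
TARGET_RANK = {"ip_port": 0, "cidr": 1, "domain": 2, "category": 3, "region": 4, "internet": 5}

@dataclass
class Route:                # constructed stand-in for a Firewalla Route (field names assumed)
    scope: str              # key of SCOPE_RANK
    scope_value: str        # device, group or network name ("" for global)
    target: str             # key of TARGET_RANK
    target_value: str       # "ip:port", CIDR, domain, category or region ("" for internet)
    interface: str          # e.g. "StrongVPN", "Starlink", "WAN1"
    preference: str         # "static": drop if interface is down; "preferred": use an alternate

@dataclass
class Flow:                 # the attributes of a flow that the rules above match on
    device: str
    group: str
    network: str
    dst_ip: str
    dst_port: int
    domain: str = ""
    category: str = ""
    region: str = ""

_MATCHERS = {
    "ip_port": lambda r, f: r.target_value == f"{f.dst_ip}:{f.dst_port}",
    "cidr": lambda r, f: ip_address(f.dst_ip) in ip_network(r.target_value),
    "domain": lambda r, f: r.target_value == f.domain,
    "category": lambda r, f: r.target_value == f.category,
    "region": lambda r, f: r.target_value == f.region,
    "internet": lambda r, f: True,  # any destination matches
}

def _scope_matches(r: Route, f: Flow) -> bool:
    if r.scope == "global":
        return True
    return r.scope_value == {"device": f.device, "group": f.group, "network": f.network}[r.scope]

def resolve(routes, flow, interfaces_up, default="DEFAULT_WAN"):
    """Egress for `flow`: an interface name, the default path when nothing applies, or "DROP"."""
    matches = sorted((r for r in routes if _scope_matches(r, flow) and _MATCHERS[r.target](r, flow)),
                     key=lambda r: (SCOPE_RANK[r.scope], TARGET_RANK[r.target]))
    for r in matches:                       # most specific route first
        if r.interface in interfaces_up:
            return r.interface
        if r.preference == "static":        # Static never lets the flow leak onto another path
            return "DROP"
    return default                          # Preferred: alternate route (assumed: next match), else default
```

A device-scoped Internet route still beats a network-scoped CIDR route, because scope is compared before target specificity.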
Network Flows Shortcut:
Network Flows are a history of all inbound and outbound network traffic on your network. If you need to send certain types of flows to another WAN or VPN, tap on a flow, then tap the "Route" button at the bottom of the page. You'll be prompted to create a new Route based on the destination/source and the device/group/network.
Policy-Based Routing Examples
Routing Traffic to a VPN:
To route all video traffic on device Annies-iPhone to a StrongVPN server:
- Tap Routes on your box's main page.
- Tap Add Route.
- Matching: All Video Sites
- On: Annies-iPhone
- Interface: StrongVPN (set up your VPN connection in the VPN Client feature beforehand)
- Preference: Static if you want Firewalla to drop the traffic when the VPN is unavailable, or Preferred if you want to send the traffic over another interface when the VPN is unavailable
- Tap Save
With this route, all traffic to video sites will be routed to StrongVPN when the VPN is connected. If you selected Preferred, video traffic will be routed through another path when the VPN is unavailable.
Learn more about how to use PBR with VPN and Multi-WAN setups.
Connecting to a Starlink Dish Interface:
If you have a Starlink dish and want to access the management interface, you can use a Route to help you:
- Tap Routes on your box's main page.
- Tap Add Route.
- Matching: IP Address Range 192.168.100.0/24
- On: Network LAN 1
- Interface: Starlink
- Preference: Static (the Dish admin portal is only reachable over the Starlink interface, so Preferred would not help)
- Tap Save
This Route sends traffic from any device on LAN 1 that is destined for the 192.168.100.0/24 range out the Starlink interface. It should be Static, not Preferred, because you can never reach the Dish admin portal over another WAN.
Note that instead of an IP Address Range, you can use the exact IP of the Dish (typically 192.168.100.1). You can also limit the Route to a specific device or group to secure the admin portal a bit more by controlling access.
Wi-Fi Calling in a Multi-WAN Network:
If you have a multi-WAN configuration with load balancing selected, you may want to look at another content-based routing example: see Wi-Fi Calling.
Comments
12 comments
It would be great if we could redirect specific apps using PBR. Ex: Netflix via VPN1, Amazon via VPN2, etc.
I’m looking at a policy that routes based on which WAN is less latent; is that possible? Peplink has this, but everything else has me convinced Firewalla is the better choice.
@sukumar, the VPN redirection can be done on 1.972.
@John, latency-based routing is possible. Is the problem you are facing that the ISP is getting congested?
I have two LTE connections; one has much more throughput but worse latency. I’d like to have gaming/remote work go through the less latent path and video go over the other connection, with failover still functional. I see some vendors have “lowest latency,” which tracks on the 2nd/3rd hop, and the other (and preferable) is “fastest response time.” This would be ideal because it could choose the connection based on the quickest path, which may end up being the other link. I know persistence can be an issue, and I would also consider using this for web browsing.
@firewalla, I am on 1.972 early access and 1.44 beta, how do I enable app based VPN routing for Netflix etc?
@Sukumar, Hulu doesn't like Dual WAN, so I used PBR to channel any traffic to hulu.com to my WAN1. You should be able to do the same with Netflix.
Is it possible to use PBR with a (dynamic) virtual device group? That would solve many problems I'm having:
I can describe more of what I mean, but the bottom line is that device groups are great but not flexible enough and may change based on context (e.g., Netflix or porn).
I'm not sure if I exactly understand your question, but PBR can be applied to Groups. If a device changes groups then the PBR would shift with that.
Is that what you are looking for?
What about when you want to limit the routing to ALL DEVICES EXCEPT specific ones?
i.e.:
Right now I can create a rule forcing ALL the devices to only use CABLEMODEM_WAN, which effectively blocks them from using the TMOBILE_WAN_BACKUP. But that prevents my work PC from using the backup_WAN.
In theory I could create 1 route per device except the 2 work PC/laptop, but that's not very practical... Or create 1 group with every device except the 2 work PC/laptop, but that's also not very practical...
I can easily create a route for the 2 work PCs to use the backup_WAN, but that defeats the purpose since I want them to only do that when the primary is down, not all the time!
We basically need a NOT operator somewhere in the filter logic...
Suggestions:
Allow the use of an "except" operator in the new route filter screen... like:
On a side note, I noticed that even though I did set up the route:
from my laptop I can still access the IP address of the 5G router behind Firewalla's TMOBILE_WAN_BACKUP port, which is very convenient and logical since the 5G router is not considered internet (192.168.1.1), and visibly the firewall keeps routing 192.168.1.0 through the TMOBILE_WAN_BACKUP port...
My Firewalla Gold will not complete installation in bridge mode while connected to UDM Pro. It’s being blocked by the firewall. I added a static route for domain Firewalla.com, and that almost did the job, but it’s still stuck at the end. Which domain am I missing from the route list?
Why is UDMP blocking firewalla? Start with looking at the rules there.