Using Firewalla Policy Based Routing with VPN and Multi-WAN
Firewalla Policy Based Routing (PBR) is a powerful feature that lets you decide where your network traffic goes. Combined with the VPN Client and Multi-WAN features, it gives you fine-grained control over which interface each kind of traffic leaves on.
In this article, we will show:
- How Policy-Based Routing enhances a third-party VPN
- How to route traffic in Multi-WAN
- Setting up a Third-Party VPN in Firewalla VPN Client
- Example 1: Route Video Streaming Traffic to Third-party VPN on All Devices
- Example 2: Route all Traffic for all Devices to Hide Your Location Using a Third-party VPN service for privacy
- Example 3: Route all Traffic to a Third-party VPN, Except my Banking
- Example 4: Route work-related traffic over VPN and personal traffic to your WAN interface
- Example 5: VPN to VPN: VPN from outside your network to your home (VPN Server), then route all traffic to a third-party VPN (VPN Client)
- Example 6: Route video conferencing over a better performing WAN and less critical traffic over another
- Example 7: Route Hulu on Apple TV through a specific WAN because Hulu will block IP changes
- Example 8: Route IoT devices that don't handle Multi-WAN well
Firewalla's VPN Client feature connects any device, or even your entire local network, to a VPN in the same way that a VPN client app on a laptop connects that one device to a VPN service.
VPNs can be used in a variety of ways to protect your privacy and improve security. Below are some common scenarios customers use with our products, which may give you ideas for your own network.
All Firewalla products support VPN Client with OpenVPN; Blue Plus, Purple, and Gold also support WireGuard. There are many commercial VPN providers on the market, and the examples below apply to any provider whose profile you can import.
In the examples below, we will show how to create a VPN Client and route different kinds of traffic through it.
Setting up a Third-Party VPN in Firewalla VPN Client
The first step for all of the following examples is to set up a third-party VPN in the Firewalla VPN Client. VPN Client carries traffic from your network out to your VPN provider; VPN Server is the opposite direction and lets you securely reach resources on your local network while you are away.
Let's get the VPN Client configuration out of the way.
- Go to VPN Client in the Firewalla App, choose 3rd-Party VPN, then choose OpenVPN or WireGuard.
- Sign in to your VPN provider and follow their directions to download a VPN configuration or profile. Usually you pick the location of the VPN server you want to exit from at this point.
- Import the VPN profile into Firewalla. Some providers let you import with a QR code; others give you a file. See VPN Client for details about importing a profile if you run into issues.
- Once imported, open the profile and turn it on. Here you can also set Apply To, which selects the device(s) or device Group(s) whose traffic uses this VPN by default. The examples below show when to leave it blank and when to fill it in.
To Test a VPN Connection
To test a VPN connection, go to a service that reports your external IP address. There are many such services; https://ipinfo.io/ is quite detailed, or just google "what is my IP address?".
Do this from the device you will use for testing before you set up any of the examples below, and note the address and ISP name it reports. After you complete a scenario, repeat the check from the same device and compare: the address should now belong to the VPN provider (or to the WAN you chose), not to your usual ISP.
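The before/after check above, written out as an added script (not Firewalla's code). It reads the JSON form of an IP-reporting service, using the ip, org and country fields as ipinfo.io returns them; the /json endpoint URL, the fictitious ASN names and the documentation-range addresses in the samples are assumptions and constructed data, not real captures. It also serves the Multi-WAN case in Example 7 below, where the useful signal is whether the exit stays the same across several samples rather than what a single lookup says.

```python
"""Before/after exit check for the VPN and Multi-WAN examples in this article.
Added example, not Firewalla's code.  Reads ipinfo.io-style JSON ('ip', 'org',
'country'); the /json URL is an assumption.  The fetch function is injectable,
so the constructed samples at the bottom run without network access."""
import json
import sys
import urllib.request
from collections import Counter

IPINFO_URL = "https://ipinfo.io/json"   # assumed JSON endpoint of the service named above


def fetch_live(url: str = IPINFO_URL, timeout: float = 5.0) -> dict:
    """One live sample; run this from the test device, not from the Firewalla itself."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def take_samples(n: int, fetch=fetch_live) -> list:
    """Several samples matter under load balancing: a single lookup can be lucky."""
    return [fetch() for _ in range(n)]


def exit_of(sample: dict) -> tuple:
    """Identify an exit by network owner and country rather than bare IP, so a
    VPN provider rotating addresses inside one ASN still counts as one exit."""
    return (sample.get("org", "?"), sample.get("country", "?"))


def summarize(samples: list) -> dict:
    """Which exits were seen, and did they stay the same across all samples?"""
    exits = Counter(exit_of(s) for s in samples)
    return {"exits": dict(exits), "stable": len(exits) == 1}


def compare(baseline: list, after: list) -> dict:
    """Did the device's exit change between the two runs, and is it stable now?"""
    b, a = summarize(baseline), summarize(after)
    return {
        "changed": set(b["exits"]) != set(a["exits"]),
        "before": sorted(b["exits"]),
        "after": sorted(a["exits"]),
        "after_stable": a["stable"],
    }


# Constructed samples (documentation IP ranges, fictitious ASNs), not real captures.
_ISP1 = json.loads('{"ip": "198.51.100.7", "org": "AS64496 Example Cable", "country": "US", "city": "Austin"}')
_ISP2 = json.loads('{"ip": "203.0.113.44", "org": "AS64497 Example Fiber", "country": "US", "city": "Austin"}')
_VPN = json.loads('{"ip": "192.0.2.200", "org": "AS64498 Example VPN", "country": "NL", "city": "Amsterdam"}')

BASELINE_SINGLE_WAN = [_ISP1] * 3        # before any VPN or Route is applied
AFTER_VPN = [_VPN] * 3                   # Example 2 applied: all traffic via the VPN
LOAD_BALANCED = [_ISP1, _ISP2, _ISP1]    # Example 7's symptom: the exit flaps between ISPs
AFTER_PIN_ROUTE = [_ISP1] * 3            # after a Route pins the device to one WAN

if __name__ == "__main__":
    print("VPN applied:", compare(BASELINE_SINGLE_WAN, AFTER_VPN))
    print("load balanced:", summarize(LOAD_BALANCED))
    print("pinned:", compare(LOAD_BALANCED, AFTER_PIN_ROUTE))
    if "--live" in sys.argv:   # only touch the network when asked
        print("live:", compare(BASELINE_SINGLE_WAN, take_samples(3)))
```

Run it from the test device with --live after applying a scenario; without the flag it only evaluates the constructed samples. A result with changed set and after_stable set is what you want after Examples 2, 3 and 7; a summary with two exits and stable false is the load-balancing flapping that Example 7 fixes.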
- If you just want to send all traffic from a network or device through a third-party VPN, you do not need the Route feature at all; the VPN Client's Apply To setting is enough. See https://help.firewalla.com/hc/en-us/articles/360023379953-VPN-Client.
- VPN Client combined with the Route feature lets you selectively route different types of traffic (fine-grained control).
Now continue with whichever of the examples below fits the scenario you want.
Example 1: Route Video Streaming Traffic to Third-party VPN on All Devices
In this example, we are going to route all video streaming traffic from all devices through a VPN with the help of Policy Based Routing.
- Edit your VPN Client. In this case, leave Apply To blank, so no device uses the VPN by default.
- Launch Routes and add a new Route.
- Under Matching, pick the type of traffic: Target List, Domain, IP Address, IP Range, Remote Port, Region, Internet, Gaming, Social, or Video. For this example, choose Video.
- Under ON, choose the Device(s) or Group(s) this Route applies to; for this example, include all devices.
- Under Interface, choose the VPN you want to use.
In this case, we can't verify the VPN by checking our IP address: only video traffic uses the VPN, so a request to ipinfo.io or Google still leaves over the WAN and reports your ISP's address. Only traffic that matches the Route will show the VPN's address.
Result: all video traffic from all devices on the network goes through the selected VPN; everything else uses the normal WAN.
Example 2: Route all traffic for all devices to hide your location with a third-party VPN service for privacy
In this example, we route all internet traffic through a VPN to keep our location private, since an IP address discloses an approximate location. Unlike Example 1, this affects all traffic from all devices on our Primary LAN, so no Route is needed.
- Edit the VPN Client and set Apply To to all devices.
- Verify from one of the devices you included by googling "What's my IP" or using a service like https://ipinfo.io/. The reported address and network owner should now be the VPN provider's.
Result: all WAN traffic for all devices on the Primary LAN goes through the selected VPN. You could select more than one network segment if you like.
Example 3: Route all traffic to a third-party VPN, except my banking
Now say you want to run all WAN traffic through a VPN except traffic to your bank's website. This is the inverse of the previous case, and you can do it as follows.
- Set up your VPN Client as before, but this time use Apply To to select the device(s) whose traffic should go through the VPN by default. You can choose an entire network segment (LAN or VLAN) if you like.
- Then create a Route with Matching set to Domain (your bank's domain), ON set to the devices affected, and Interface set to your WAN. The Route overrides the VPN Client's default for that traffic, so requests to the bank leave over the WAN.
- In the first variant, all traffic from all devices goes to the VPN except traffic to "bigbank.com".
- In the second variant, the Route does the same, but the bank exception applies only to the devices in the Group "Laurie".
- Save the Route.
So you can see how flexible this is: it lets you configure VPN connections that automatically do what is needed without the person using the device having to know anything about VPNs or remember to turn them on and off.
To verify, check the IP address from one of the devices you included by googling "What's my IP" or using a service like https://ipinfo.io/. General traffic should now show the VPN provider's address. Keep in mind that with this setup the bank still sees your real ISP address; that is the point of the exception.
Result: all WAN traffic for the selected devices goes through the selected VPN except traffic to the specified Domain.
Example 4: Route work-related traffic over VPN and personal traffic to your WAN interface.
In this example, we route traffic from specific devices to your company's domain over VPN: if you are on your work laptop, tablet, or phone and you talk to your company's domain, that traffic goes over the VPN. No other devices can use the VPN, and traffic that isn't work-related goes over the normal WAN connection. This is much more seamless than starting a VPN on each device just to check in some code or review a sensitive work document, and it doesn't send your personal internet traffic through your company's network.
- Edit the VPN Apply To the device(s) or Group(s) you want to connect to the work VPN.
- Now make a Route:
- Set Domain to your company domain.
- Choose the Device(s) or Group(s) you want to be included.
- Choose the VPN for the Interface.
In this case, verify the VPN by accessing the domains you specified from one of the selected devices. If you can reach them, the VPN is working.
This is also a good place to use Target Lists. For example, say your company has three second-level domains that you must reach via VPN because your IT department has restricted access to them.
You could create a Target List containing those domains and use it instead of Domain in the Route above. All of your access to the company network is then covered by one Route.
Result: traffic from the specified devices to the specified domains goes through the selected VPN. No other devices can reach the VPN, and traffic that is not work-related does not go over the VPN or through your company's network.
Example 5: VPN to VPN: VPN From Outside Your Network to Your Home (VPN Server), then Route all Traffic to Third-party VPN (VPN Client)
In this example, we are going to use both VPN Server and VPN Client at the same time so that when we are outside our local network our device connects home and is then automatically connected to our third-party VPN. So there are two VPN connections here:
- From your device to home.
- From home to a third-party VPN.
For this example, we assume that you have VPN Client and Firewalla VPN Server already set up.
Go to Route and select:
- Matching: Internet Traffic
- ON: your VPN Server (the network your remote device lands on when it VPNs in)
- Interface: your VPN Client (the third-party VPN)
Result: a remote device connects to your Firewalla through VPN Server, and Firewalla's VPN Client then carries its traffic on to the third-party VPN server, protecting your privacy and reaching private networks from anywhere.
Routing Traffic in Multi-WAN
Multi-WAN provides two Internet connections to your network for redundancy and increased throughput.
These connections can run in either:
- Failover mode (use ISP1 unless that connection is faulty, then use ISP2), or
- Load balancing mode (e.g. send 80% of WAN traffic to ISP1 and the rest to ISP2)
This is a powerful feature, but it sometimes needs help from other features to get around challenges it creates. Let's look at a few examples.
In the examples below, we demonstrate how to use the Route feature to selectively send traffic through these different WANs.
Example 6: Route video conferencing over a better performing WAN and less critical traffic over another
Not all connections are equally capable. Some have greater upload speeds, some are faster overall, and some have data caps. Rather than the simple load balancing described above, which splits a percentage of total traffic between the WANs, you can send particular applications over one WAN or the other. For example, you might put video conferencing traffic like Zoom over ISP1 and put email, IoT, and an alarm system on ISP2 to keep video conferencing at the best possible quality.
This can also be used together with Smart Queue. An example Route for this case: Matching set to the video conferencing app's domain (or a Target List of its domains), ON set to the devices you hold calls from, and Interface set to ISP1.
Result: you control which WAN specific types of traffic travel on, and you can still send traffic to a VPN where needed, keeping applications on your network performing at their best.
Example 7: Route Hulu on Apple TV through a Specific ISP because Hulu will block IP changes
Some video streaming services use your IP address to detect whether you have broken their ToS (Terms of Service) by using the service from different locations. With Multi-WAN, your IP address will sometimes appear to belong to ISP1 and sometimes to ISP2, even though you haven't moved the device you are watching Hulu on and aren't doing anything wrong. This is easily solved with a Route.
Create a Route with:
- Matching: Domain; in this case, hulu.com
- ON: the Device(s) or Group(s) affected by this rule, in this case the Apple TV
- Interface: the WAN you want to use for this traffic
Now all traffic to Hulu from those devices goes over the selected ISP, regardless of how the rest of your traffic is balanced.
Result: by using Policy Based Routing, traffic to a video streaming service is forced onto a specific WAN, so the IP address the service sees stays the same and doesn't trigger a fraud or ToS alert.
Example 8: Route IoT devices that don't handle Multi-WAN well
Some IoT devices have problems in a Multi-WAN configuration. The solution is the same as before. Create a Route for the IoT Device(s) or Group with Matching set to Internet Traffic, ON set to those devices, and Interface set to one WAN.
This sends all of their traffic to the selected ISP WAN interface. Of course, as discussed earlier, you could send traffic for these devices to a VPN instead.
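The following is an added example, not Firewalla's own code or a description of how the app is implemented. It models how the VPN Client's Apply To default and a list of Routes combine to pick the exit interface for a flow, covering Examples 1, 3, 7 and 8 above in one place. The device and group names, the IP addresses, the "VPN:Example" interface name, the stand-in "Video" category, and the precedence rules (a matching Route wins over Apply To; Routes are checked in order, first match wins) are assumptions of the model rather than documented Firewalla behaviour.

```python
"""Model of how a VPN Client's "Apply To" setting and the Route rules in this
article combine to pick an exit interface for a flow.  Added illustration, not
Firewalla's code.  Assumptions: a matching Route overrides the VPN's Apply To
default (inferred from Example 3), and Routes are checked in list order with
the first match winning."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed inventory: device -> the groups it belongs to (hypothetical names).
DEVICES = {
    "apple-tv": {"Laurie"},
    "work-laptop": {"Laurie"},
    "iot-plug": {"IoT"},
}
# Constructed stand-in for the app's built-in "Video" category (assumption).
CATEGORIES = {"Video": {"hulu.com", "netflix.com", "youtube.com"}}


@dataclass
class Route:
    matching: str      # "Domain", "Category", "IP Range", "Remote Port", "Internet"
    target: str        # domain, category name, CIDR, or port; unused for "Internet"
    on: frozenset      # device or group names; empty = all devices
    interface: str     # e.g. "VPN:Example", "WAN1", "WAN2"


@dataclass
class VpnClient:
    name: str
    apply_to: Optional[frozenset]   # None = not applied by default; empty = all devices


@dataclass
class Flow:
    device: str
    domain: Optional[str]
    dst_ip: str
    dst_port: int


def applies_to(on: frozenset, device: str) -> bool:
    """Empty selector means every device; otherwise match the device or one of its groups."""
    return not on or device in on or bool(on & DEVICES.get(device, set()))


def domain_matches(pattern: str, domain: Optional[str]) -> bool:
    """bigbank.com also covers www.bigbank.com, as a Domain rule is expected to."""
    return domain is not None and (domain == pattern or domain.endswith("." + pattern))


def route_matches(r: Route, f: Flow) -> bool:
    if not applies_to(r.on, f.device):
        return False
    if r.matching == "Internet":
        return True
    if r.matching == "Domain":
        return domain_matches(r.target, f.domain)
    if r.matching == "Category":
        return any(domain_matches(d, f.domain) for d in CATEGORIES.get(r.target, ()))
    if r.matching == "IP Range":
        return ipaddress.ip_address(f.dst_ip) in ipaddress.ip_network(r.target, strict=False)
    if r.matching == "Remote Port":
        return f.dst_port == int(r.target)
    raise ValueError(f"unknown matching type {r.matching!r}")


def egress(f: Flow, routes, vpn: Optional[VpnClient] = None,
           default_wan: str = "WAN1/WAN2 (load balanced)") -> str:
    """Return the interface the flow leaves on."""
    for r in routes:                      # explicit Routes are consulted first
        if route_matches(r, f):
            return r.interface
    if vpn is not None and vpn.apply_to is not None and applies_to(vpn.apply_to, f.device):
        return vpn.name                   # then the VPN Client's Apply To default
    return default_wan                    # otherwise ordinary WAN behaviour


ALL = frozenset()
VPN_ALL = VpnClient("VPN:Example", apply_to=ALL)      # Example 3: applied to all devices
VPN_NONE = VpnClient("VPN:Example", apply_to=None)    # Example 1: Apply To left blank

EXAMPLE1 = [Route("Category", "Video", ALL, "VPN:Example")]          # video only, every device
EXAMPLE3 = [Route("Domain", "bigbank.com", ALL, "WAN1")]              # bank bypasses the VPN
EXAMPLE7 = [Route("Domain", "hulu.com", frozenset({"apple-tv"}), "WAN1")]  # pin Hulu to ISP1
EXAMPLE8 = [Route("Internet", "", frozenset({"IoT"}), "WAN2")]        # all IoT traffic to WAN2

if __name__ == "__main__":
    bank = Flow("work-laptop", "www.bigbank.com", "203.0.113.10", 443)
    hulu = Flow("apple-tv", "hulu.com", "198.51.100.20", 443)
    plug = Flow("iot-plug", None, "192.0.2.5", 8883)
    print("ex1 hulu:", egress(hulu, EXAMPLE1, VPN_NONE))   # VPN:Example
    print("ex1 bank:", egress(bank, EXAMPLE1, VPN_NONE))   # WAN1/WAN2 (load balanced)
    print("ex3 bank:", egress(bank, EXAMPLE3, VPN_ALL))    # WAN1
    print("ex3 hulu:", egress(hulu, EXAMPLE3, VPN_ALL))    # VPN:Example
    print("ex7 hulu:", egress(hulu, EXAMPLE7))             # WAN1
    print("ex8 plug:", egress(plug, EXAMPLE8))             # WAN2
```

Where egress returns "WAN1/WAN2 (load balanced)" the model is saying that nothing pinned the flow, which is exactly the situation Examples 7 and 8 fix. The model also makes the Example 3 trade-off explicit: a flow that matches the bank's Domain never reaches the VPN branch, so the bank always sees the WAN address.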
A few things to keep in mind:
- More than one VPN can be operational at the same time, but a single device cannot be routed through more than one VPN at once.
- VPN Server and VPN Client can run at the same time.
- You can specify any type of traffic and route it to your third-party VPN server, as long as that VPN is connected.
- With a dual-WAN setup, you can route any traffic to either WAN connection, regardless of whether the WANs are set to failover or load balancing.
Please send feedback to firstname.lastname@example.org if you would like to see more detailed articles about these or other topics. We would like to hear what would help you get more value out of your Firewalla.