
Policy Routes - Basic Outbound Load Sharing

Applies to Platform: UTM 2.4, UTM 2.5, 4i Edge 2.5
Last Updated: 5th March 2014

Applies to Platform: UTM 3.0, 4i Edge >3.0
Last Updated: 5th March 2014

This lesson will illustrate the necessary steps to configure a simple static route on a typical Endian appliance. This will allow us to configure routing (i.e. communication capabilities) between the Endian and other networks that may not live directly on the Endian but on an external router or through a VPN tunnel.

Configuration Example

[Figure: Network Diagram - Policy Routes]

In this simple example, we'll configure policy routing so that the Green (LAN) and Orange (DMZ) networks use the primary Internet connection while the Blue (WIFI) network uses a secondary Internet connection. This will ensure our Blue (WIFI) users will not take bandwidth from the Green / Orange network traffic.

Create Policy Route #1 (Green / Orange)

[Figure: policy1.png - Policy route #1 (Green / Orange)]

Now we'll add a new policy route in the Endian under Network > Routing > Policy Routing. Select the GREEN and ORANGE zones as the Source, leave the Destination network / ports blank ( = ANY), and then configure the route to use the Main Uplink. Notice we've checked "Use backuplink if uplink fails", as this will provide a failover policy to the backup uplink in the event our main uplink goes down.

Click Create Rule and then Apply to complete the process.

Create Policy Route #2 (Blue)

[Figure: policy2.png - Policy route #2 (Blue)]

Now we'll add our second policy route in the Endian for the Blue network. Select the BLUE zone as the Source, leave the Destination network / ports blank ( = ANY), and then configure the route to use the Backup Uplink. Notice we've checked "Use backuplink if uplink fails", as this will provide a failover policy to the main uplink in the event our backup uplink goes down.

Click Create Rule and then Apply to complete the process.

Verify Routes

[Figure: policy3.png - Verifying the policy routes]

Now you can verify that the routes work properly by performing a traceroute from any workstation in the Green / Orange network to the Internet: you should see the packets leave via the Main uplink. Then do another traceroute from any device in the Blue network to the Internet, and you should see those packets leave via the Backup uplink.
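To make the rule semantics above concrete, here is an added Python model of a first-match policy-route table of the shape the page describes (source zones, optional destination network and port, a preferred uplink, and the "use backup link if uplink fails" flag). It is not Endian's own code; the uplink names "main" and "backup", the two-uplink failover pairing, the example subnets and the third SIP rule are all constructed assumptions. It reproduces the page's two routes, shows what happens to each zone when the main uplink goes down, and shows why a destination-specific rule only takes effect when it sits above a zone catch-all.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Set, Tuple

# Hypothetical model (not Endian's code) of the policy-route table described
# on the page: rules are evaluated top to bottom, the first match wins, and a
# rule whose preferred uplink is down may fail over to the other uplink when
# its "use backup link if uplink fails" flag is set.

FAILOVER_PARTNER = {"main": "backup", "backup": "main"}  # assumption: exactly two uplinks


@dataclass
class PolicyRoute:
    sources: Set[str]                 # source zones, e.g. {"GREEN", "ORANGE"}
    uplink: str                       # preferred uplink: "main" or "backup"
    use_backup: bool = True           # "Use backup link if uplink fails"
    dest_net: Optional[str] = None    # destination network, None = ANY
    dest_port: Optional[int] = None   # destination port, None = ANY

    def matches(self, src_zone: str, dst_ip: str, dst_port: int) -> bool:
        if src_zone not in self.sources:
            return False
        if self.dest_net is not None and ip_address(dst_ip) not in ip_network(self.dest_net):
            return False
        if self.dest_port is not None and dst_port != self.dest_port:
            return False
        return True


def select_uplink(rules, uplink_up, src_zone, dst_ip, dst_port) -> Tuple[Optional[int], Optional[str]]:
    """Return (index of the first matching rule, uplink chosen for the packet).

    (None, None): no rule matched.  (i, None): rule i matched but neither its
    preferred uplink nor an allowed failover uplink is currently up."""
    for i, rule in enumerate(rules):
        if not rule.matches(src_zone, dst_ip, dst_port):
            continue
        if uplink_up.get(rule.uplink, False):
            return i, rule.uplink
        alt = FAILOVER_PARTNER.get(rule.uplink)
        if rule.use_backup and uplink_up.get(alt, False):
            return i, alt
        return i, None
    return None, None


# Constructed rule set reproducing the page's two policy routes, plus a third,
# more specific rule (constructed) that must sit ABOVE the GREEN catch-all to
# have any effect: SIP signalling (port 5060) from GREEN to a hosted PBX range
# is sent out the backup uplink instead of following the catch-all.
RULES = [
    PolicyRoute({"GREEN"}, "backup", use_backup=True, dest_net="198.51.100.0/24", dest_port=5060),
    PolicyRoute({"GREEN", "ORANGE"}, "main", use_backup=True),    # policy route #1
    PolicyRoute({"BLUE"}, "backup", use_backup=True),             # policy route #2
]


def route_examples(uplink_up):
    """Evaluate a few constructed packets against RULES for a given uplink state."""
    packets = {
        "green_web":   ("GREEN",  "203.0.113.10", 443),
        "orange_web":  ("ORANGE", "203.0.113.10", 443),
        "blue_web":    ("BLUE",   "203.0.113.10", 443),
        "green_sip":   ("GREEN",  "198.51.100.7", 5060),
        "red_unknown": ("RED",    "203.0.113.10", 443),   # no rule matches this zone
    }
    return {name: select_uplink(RULES, uplink_up, *pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for state in ({"main": True, "backup": True}, {"main": False, "backup": True}):
        print(f"uplink state: {state}")
        for name, (idx, uplink) in route_examples(state).items():
            print(f"  {name:12s} -> rule {idx}, uplink {uplink}")
```

Running the script prints the chosen uplink per packet for both a healthy state and a main-uplink outage; with the main uplink down, GREEN and ORANGE traffic fails over to the backup uplink only because the flag is set. Moving the SIP rule below the GREEN/ORANGE catch-all makes it unreachable, which is the ordering check worth doing whenever a destination-specific exception is added to a table that already has a per-zone catch-all.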


Comments

  • Romeo Andreica

    We should add a note/warning regarding traffic that passes through the proxies; in that case policy routes based on source zone don't work anymore, but traffic is matched with the LOCAL tag.

  • Permanently deleted user

    Still valid for 2.5

  • Lounès Abbas

    Hello

    In this case the Green network wouldn't be allowed to reach ORANGE, because all the traffic is routed by the uplink without exceptions for the ORANGE destination.

    I think it is a bug ...

    Shame that we can't put a negative IP in the destination or the source, like !192.168.0.1 ....