IX. NAT Related Features

Policy Routing Guide - Load Balancing, Address Mapping and VPN Routing

Products:
Vigor 2765
Vigor 2820
Vigor 2832
Vigor 2862

Keywords:
Address Mapping
Load Balancing
NAT
Policy Route

For Vigor 2860 and Vigor 2925 routers from firmware version 3.7.8 onwards, please refer to this guide instead.

The intention of this guide is to describe how Policy Route works and best practices with it to avoid problems. It is recommended to set the Policy Route page to “Advance Mode” so that the settings match the ones shown in the guide.

Policy Route replaces the WAN - Load Balance Policy and NAT – Address Mapping menus and provides additional functionality to allow for more complex handling of outbound traffic – it makes it possible to forward all traffic to / from specific IP addresses (local or remote) over any interface including VPN tunnels. It also allows Address Mapping to fail over to other WAN interfaces and define specific traffic, so that address mapping could be used for just SMTP traffic.

It is important to note that load balancing rules have a higher priority than the routing table, so for any rule special consideration needs to be given to what its effect might be on Inter-LAN routing and LAN to LAN / Dial-In User VPN traffic.

This feature was first implemented on the DrayTek Vigor 2860 and Vigor 2925 routers and is now also implemented on the DrayTek Vigor 2830 (3.6.4.1 firmware), Vigor 2920 (3.6.6 firmware) and Vigor 2850 (3.6.6 firmware) routers. From firmware version 3.6.6 onwards it is located under the Load Balance/Route Policy menu; on the Vigor 2830 with 3.6.4.1 firmware, it is located under LAN – Policy Route.

The main configuration issue experienced when setting up Policy Route with incorrect settings is LAN to LAN or Dial-In User VPNs not responding when a “Catch-All” rule is set, that is, a Policy Route with Source, Destination and Destination Port all set to Any. In many cases it is preferable to configure Policy Route and Load Balancing without any "Catch-All" rules, as a rule with such a wide influence can cause unexpected results, but if a "Catch-All" rule is needed then the examples explain how to avoid undesired routing results.

The processing of Policy Routes is sequential: rules are checked for a match from the first policy route rule to the last, and the first rule that matches immediately decides the routing. If no rule matches, the routing table is then used to make the routing decision. If setting up a catch-all rule, it’s best to make sure that it is processed last and that any specific rules are processed before it.

Catch-All Rules

This is a rule in which the Source IP, Destination IP and Destination Port are all set to “Any” which is intended to put all traffic for outbound internet access through the specified WAN interface.

These can be configured to set the priority of WAN interfaces if the WAN interfaces all need to remain active and may still receive incoming traffic from port forwards / VPNs but would not be used for outbound traffic unless the main WAN interface failed. It’s possible to set these up in order so that for instance WAN2 would be used for general outbound internet access but if it were to fail, there could be a rule after that to use WAN1 followed by WAN3 (if using 3G/4G). This requires ticking the “Auto Failover…” option.

Image 8

Policy Route Examples

The examples here are given to show how policy route can be used and the flexibility it provides so that different types of traffic can be routed. Rule 6 is the Catch-All rule and the examples show how to exempt traffic from it to allow Inter-LAN routing, LAN to LAN VPNs and Dial In User VPNs to work correctly.

Image 2

Rule 1 – This exempts local LAN traffic from the catch-all rule; it forces any traffic with a local address as the destination to route through the correct LAN interface, which is how dial-in users and Inter-LAN routing are handled by the router.

Rule 2 – This exempts LAN to LAN traffic from the catch-all rule; it will send any traffic for the HeadOffice network through the HeadOffice VPN tunnel.

Rule 3 – An example of Address Mapping.

Rule 4 – An example of a Policy Route that sends SMTP traffic through WAN1 only.

Rule 5 – An example of a Policy Route that sends specific local traffic through WAN1 only.

Rule 6 – The Catch-All rule, which is processed last so that exemptions and any other Policy Routes are processed before it, which allows the other rules to work.

The priority that we recommend for Policy Route rules when configuring them is:

  1. Rules for Inter-LAN routing, VPN tunnels or exemptions for VPNs
  2. Rules for Address Mapping
  3. Rules for normal Load Balancing
  4. Catch-All rules

VPN & Inter-LAN Routing Exemptions

To set up an exemption for Inter-LAN routing and Remote Dial-In User VPNs when there is a Catch-All rule in use, configure a rule with the local subnet range set as the Destination IP with the Interface set to the local LAN interface that it’s using:

Image 3

Please note that this requires a policy route rule for traffic in the other direction as well, so any other LAN subnets on the router would need a policy route rule too.

To set up an exemption for LAN to LAN traffic from a Catch-All rule, configure a rule with the remote subnet IP range set as the Destination IP and the Interface set as the VPN tunnel that it would be using:

Image 4

VPN Policy Routing

When using a VPN service with a DrayTek router that supports Policy Route, it is possible to set this to be used by local clients for internet access using the Policy Route facility. This can be configured to work either for the whole network or for specific Source / Destination IP addresses only.

This example will show how to send all internet traffic through the VPN tunnel. To configure it for specific traffic, alter the Source or Destination IP addresses of the Policy Route rule.

To configure the VPN profile for the VPN service, go to VPN and Remote Access – LAN to LAN and create a new VPN profile.
Make sure that the VPN is set to Dial-Out and has “Always On” ticked.
Under the Dial-Out settings, configure the details that your VPN provider will have supplied; the router can be configured to work with either PPTP or L2TP with IPSec:

Under the TCP/IP Network Settings section, set the VPN connection type to NAT mode instead of Routing mode:
Once that has been configured, the VPN connection should be visible under the VPN and Remote Access – Connection Management section.

To configure the router to use the VPN for internet access, go to Load Balance / Route Policy and click on Index #1 to make a new policy route; configure it as shown by selecting the VPN profile from the list of interfaces:
It is recommended to tick the “Auto failover to the other WAN” option so that internet access will still work if the VPN connection is unavailable.

Address Mapping

This facility was previously located under the NAT – Address Mapping menu on the router but is now integrated into the Policy Route feature. This gives more control over how it works, because the mapping can be set for an IP range rather than an IP address and subnet mask, and it can specify which port is used if required.

To set up an Address Mapping rule, set the Source IP and select the WAN interface that has multiple IP addresses available (configured under WAN IP Alias); this will make the Interface Address option appear, from which the IP address to use is selected. It may be useful to tick the “Auto Failover…” option so that internet access can still work for the IP address if the WAN interface with the alias address were to drop:

Image 5

Load Balancing

To set up a rule to send SMTP (TCP port 25) traffic through WAN1 and only that WAN interface, create a rule, set the Protocol to TCP, leave the Source IP and Destination IP set to Any and set the Destination Port to 25 as both the Dest Port Start and Dest Port End. Untick the “Auto Failover…” option so that SMTP traffic will not be sent over WAN2 if the WAN1 interface were to drop:

Image 6

To set up a rule for specific local IP addresses to use a specified WAN interface, create a rule, set the Source IP to the local IP range and select the WAN interface to be used. Tick the “Auto Failover…” option so that this IP range can still access the internet if WAN1 fails:

Image 7
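As an added example that is not part of the DrayTek guide, the Python model below applies the sequential first-match evaluation described in the Policy Route Examples section to a constructed table mirroring rules 1 to 6, and also reproduces the two Load Balancing rules above (SMTP with Auto Failover unticked, a host range with it ticked). All addresses, interface names and the WAN failover order are assumptions.

```python
from ipaddress import ip_address, ip_network

WAN_ORDER = ["WAN1", "WAN2", "WAN3"]  # assumed order tried on Auto Failover

def rule(iface, src=None, dst=None, proto=None, ports=None, failover=False):
    """One Policy Route entry; None for src/dst/proto/ports means 'Any'."""
    return {"iface": iface, "src": src and ip_network(src),
            "dst": dst and ip_network(dst), "proto": proto,
            "ports": ports, "failover": failover}

# Constructed table mirroring the guide's rules 1 to 6 (addresses assumed).
RULES = [
    rule("LAN1", dst="192.168.1.0/24"),                  # 1: inter-LAN / dial-in exemption
    rule("VPN-HeadOffice", dst="10.0.0.0/24"),           # 2: LAN-to-LAN VPN exemption
    rule("WAN1", src="192.168.1.50/32", failover=True),  # 3: address mapping via WAN1 alias
    rule("WAN1", proto="tcp", ports=(25, 25)),           # 4: SMTP on WAN1, no failover
    rule("WAN1", src="192.168.1.64/26", failover=True),  # 5: host range via WAN1
    rule("WAN2", failover=True),                         # 6: catch-all, processed last
]

def matches(r, pkt):
    """Match src, dst, protocol and destination port range; 'Any' always matches."""
    return ((r["src"] is None or ip_address(pkt["src"]) in r["src"])
            and (r["dst"] is None or ip_address(pkt["dst"]) in r["dst"])
            and (r["proto"] is None or r["proto"] == pkt.get("proto"))
            and (r["ports"] is None
                 or r["ports"][0] <= pkt.get("dport", 0) <= r["ports"][1]))

def route(pkt, rules=RULES, down=frozenset()):
    """First matching rule decides; no match falls through to the routing table.
    'down' is the set of interfaces currently unavailable."""
    for r in rules:
        if not matches(r, pkt):
            continue
        iface = r["iface"]
        if iface not in down:
            return iface
        if not r["failover"]:
            return "dropped"          # Auto Failover unticked: never use another WAN
        for wan in WAN_ORDER:         # Auto Failover ticked: next WAN that is up
            if wan != iface and wan not in down:
                return wan
        return "dropped"
    return "routing-table"

if __name__ == "__main__":
    print(route({"src": "192.168.1.20", "dst": "10.0.0.5"}))             # VPN-HeadOffice
    print(route({"src": "192.168.1.20", "dst": "10.0.0.5"}, RULES[2:]))  # WAN2
```

Evaluating the HeadOffice packet with rules 1 and 2 removed returns WAN2, which is the misrouting the VPN exemptions exist to prevent.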

Comments

From: Mark Winpenny
06/01/2015

Agree with Graham's comment above about inter-LAN routeing. Each configured LAN (or LAN to LAN VPN) interface will require its own rule before any WAN rules in the table as per rules 1 and 2 in the Policy Route Example above. If this is not done then, depending on other rules, the traffic between LANs may try to be routed via the WAN(s).

Even though it is mentioned maybe the notes about this feature being of a higher priority than the routeing table should be highlighted.


From: Graham Brown
17/12/2014

In my experience of inter-lan routing you need a return rule also otherwise the traffic reaches the destination but replies get routed by the catch all. I raised this with support months ago to have advice / documentation updated...