Expired

IX. NAT Related Features

Expired

Policy Routing with Metrics - Load Balancing, Address Mapping and VPN Routing

Products:

Show all

Keywords:

Show all

The Policy Route feature on DrayTek routers allows for far more control over the routing of out-bound traffic compared to the previous [WAN] > [Load Balance Policy] and [NAT] > [Address Mapping] menus.

Read this article for more information on what Policy Route can do and how it works.

Policy Routes make it possible to send traffic based on Destination or Source IP range, or port/service type through any available interface and specify failover routes should the original route be unavailable, which allows for routing specific traffic or specific local IPs through a VPN tunnel for instance, or traffic to a specified subnet through another gateway on the network. It also allows Address Mapping to fail over to other WAN interfaces and define specific traffic, so that address mapping could be used for just SMTP traffic.

With the 3.7.8 firmware, the Vigor 2860 and Vigor 2925 routers now have the ability to specify the Metric used by each Policy Route entry, so that these rules can be either higher or lower priority than the routing table, which simplifies the setup compared to the previous implementation, where Policy Route rules would over-ride the routing table in all cases.

The intention of this guide is to describe how Policy Route works and best practices with it to avoid pitfalls.
It is recommended to set the [Load Balance/Route Policy] page to “Advance Mode” so that the settings match the ones shown in the guide.

Metrics and Priority

The DrayTek routers that implement metrics for policy route using the metric to decide which of the matching rules or route entries should apply to a packet being routed.

The priority metric is a value between 0 - 250 and uses 0 as the highest priority and 250 as the lowest priority.

Pre-set metric values are used for different route types on the router:

150 - Static Routes
150 - Inter-LAN Routes
150 - VPN Routes
200 - Default priority for new Route Policy rules (configurable)
250 - Default Route - This is the auto Load Balance pool on the router (configured by enabling "Load Balance" on a WAN under [WAN] > [General Setup])

Routing decisions on the router are based on the following:

1. The packets Destination IP matches a route entry or the packet matches a Router Policy Rule

2. If multiple rules/routes match then the rule or route with the highest priority is used.

3. If there are multiple rules/routes with the same priority, they are processed in the order that they appear in the Route Policy table.

Example 1: If a route policy rule to put all traffic through WAN2 has its priority set to 100, it would over-ride the routing table and any traffic, including traffic meant for Inter-LAN or VPN communication would also route through WAN2.

If that route policy rule was reconfigured with a priority of 200, it would have a lower priority than the routing table - internet traffic would go through WAN2 as expected and any Inter-LAN or VPN traffic would be routed through the correct interfaces.

Example 2: If there are multiple rules that could match a possible routing decision, they are processed in order of priority first of all:

With this setup if 192.168.1.10 accesses the internet, Rule 3 would be processed first because it has higher priority. If that rule was disabled, both Rule 1 and Rule 2 have the same priority so Rule 1 would be processed first, because of their ordering in the Route Policy table.

Load Balancing

The DrayTek routers with multiple WAN interfaces will automatically load balance traffic if there are multiple WAN interfaces active. This is session based load balancing which means that a single session i.e. a file download will be assigned to an available WAN interface upon starting that download. This method works best with multiple sessions, for instance a multi-user environment or where multiple sessions are created so that the router can assign those to the available WAN interfaces fairly or depending on how the load balancing settings are configured for the WAN interfaces.

It is possible to bypass the router's load balancing, for instance where you would want a specific range of local computers to use only WAN1. To do this, go to [Load Balance/Route Policy] and create a new rule by clicking on an un-used Index number. That will show the following screen:

In this example, the Source IP address has been specified as a range. The Protocol setting is left on its default of Any so that it affects all traffic types. The Destination is set to Any so that it applies to all outbound traffic. The Interface is specified as WAN1 so that all internet traffic from those IPs will go over the WAN1 interface.

Please note that this example does not need to alter the default Priority setting of 200, so the rule will not over-ride the routing table and will not affect Inter-LAN Routing or VPN routing.

Click OK on that page to save and apply the rule - any new sessions will go over the WAN1 interface.

To set up a rule to send SMTP (TCP port 25) traffic through WAN1 and only that WAN interface, which would be useful in a scenario where a mail server must use a specific IP to be allowed to work with a mail filter service for instance:

Create a rule, set the Protocol to TCP, leave the Source IP and Destination IP set to Any and set the Destination Port to 25 as both the Dest Port Start and Dest Port End.

Click on the More Options text to expand that section; make sure that the Failover to option is unticked so that the rule will stop traffic from going through other WAN interfaces in the event that the WAN1 interface goes offline.

VPN Routing

The Policy Route facility makes it possible to route only specific traffic through VPN tunnels, where the previous implementation would put all internet traffic through a VPN if configured. In this example, only computers in the IP range of 192.168.10.20 to 192.168.10.30 will put internet traffic through a VPN tunnel.

To do that, create a new policy route rule, specify the Source IP setting as a range and specify the IP range to use.

The Destination IP and Destination Port are set to Any so that the rule will affect all outbound internet traffic from that IP range.

Select the VPN radio button and select the VPN tunnel to use from the list of VPNs available on the router.

Address Mapping

Address Mapping is used to specify the outbound WAN IP address used by LAN clients, which is useful in instances where a server needs to use a specific internet IP address, different from the one that the router uses for general internet traffic.

This facility was previously located under the NAT – Address Mapping menu on the router but is now integrated into the Policy Route feature; this does give more control over how it works because it can be set to an IP range rather than an IP address and subnet mask and it can specify which port is used if required.

To use Address Mapping, the router first needs to be configured with an Alias IP address, which is an IP address that's usually part of a public subnet. This needs to be configured from [WAN] > [Internet Access], then the Details Page of the WAN interface with the additional IP addresses available. On that page, click the WAN IP Alias button:

This will bring up a pop-up window to add the additional addresses, tick Enable for the additional IP address, enter it in the Aux. WAN IP field and do not tick Join NAT IP Pool because that would allow the IP address to be used for normal NAT traffic. Click OK on that window and close it to apply that address.

With that configured, the Policy Route rule can be configured. Go to [Load Balance/Route Policy] and select an un-used Index number:

Set the Source IP address of the server / device that will use this public IP, select the WAN interface that has multiple IP addresses available, this will make an additional drop down box appear with the additional public IP addresses available, then select the IP address to use.

If the rule will be lower in the list of Route Policy rules than existing rules that could apply to that server, move the Priority slider from its default of 200 to a value such as 175, which will allow that rule to apply instead of existing rules. It is recommended to use that value or a value above 150 to avoid the rule over-riding the routing table, which could cause other issues.

Expand the More Options section to specify a failover interface for the rule should the WAN interface go offline.

Click OK for that rule and any new sessions from that local IP address will use the specified WAN IP address.

It is also possible to create an Address Mapping rule that applies only to specific traffic. In this example, the address mapping applies only to SMTP traffic - the rule is set up in the same way but the Protocol is set as TCP and the Destination Port is specified as 25 as both the start and end port:

Failover

The Failover behaviour is more controllable with the new implementation of Policy Route, it can now specify the failover interface and supports Failback (described below with a usage example).

To change the failover behaviour for a policy route rule, create the rule as normal and expand the More Options section to see the additional options, it can then be set to fail over to another WAN interface. In this example, the Default WAN is the router's pool of WAN interfaces that have load balancing enabled:

The Failback option means that it can now specify whether or not sessions will remain on the failover WAN interface in the event that the original WAN comes back online. With previous firmware, the behaviour was that any sessions created on the failover WAN interface would stay on that interface, this can be considered as a "soft failback" option because any new sessions would establish over the original WAN interface, so traffic would slowly go back to the original WAN interface.

If the Failback option is enabled, the router will drop any sessions that match the policy route rule, that have been created since the interface failed over so that they can re-establish on the original WAN interface immediately.

The implementation of this is such that the router would only drop the sessions that match criteria of the policy route rule with the Failback option specified. This can be useful in a scenario such as a dual WAN router with phones connected to it that register to a hosted PBX system using the SIP protocol. In this example, phones in the IP range of 192.168.10.100 to 192.168.10.120 registering on UDP port 5060 use WAN1 for registration normally. If the WAN interface drops, it will send that traffic through WAN2.

If WAN1 comes back online; because the Failback option is enabled, the router will drop any UDP port 5060 sessions created by 192.168.10.100-192.168.10.120 so that they can re-register on WAN1 and any future calls would go through WAN1 as normal. This would not affect any calls in progress on the WAN2 interface because that traffic uses a separate RTP protocol, on a different port range, which the router would not drop.

How do you rate this article?

1 1 1 1 1 1 1 1 1 1

: First Published: 31/12/2014; Last Updated: 22/04/2021

Share this link