Policy-based routing does not rely exclusively upon the destination IP address to define the destination route (i.e. the remote site used to transfer the data). Further information, such as the service or the protocol used, the sender address, or the destination of the data packets, can be used to select the destination route. Policy-based routing can be used to achieve a significantly finer-grained routing behavior, such as in the following application scenarios:
- The LAN's entire Internet traffic is diverted to a proxy without entering the proxy address into the browsers. Because the users do not notice the redirection to the proxy, this scenario is known as a "transparent" proxy.
- With load balancing, the data traffic for selected protocols is diverted over a certain DSL port that uses an additional external ADSL modem.
- A server in the local network is routed via a specific WAN interface as it needs to be accessible from the WAN at a fixed IP address.
- VPN traffic is forwarded to a VPN tunnel with dynamic end points by using the routing tag '0'; the company's remaining Internet traffic is diverted to another firewall by means of another suitable routing tag.
In order for channel selection to be decided according to information other than just the destination IP address, suitable entries can be made in the firewall. These entries are supplemented with a special "routing tag" that is used to control the channel selection with the routing table. For example, a rule adds the routing tag "2" to the entire data traffic for a local group of computers (defined by an IP address range). Alternatively, certain protocols receive a different supplementary routing tag.
The diagram demonstrates the application of policy-routing with load balancing:
- When establishing a connection, the firewall initially checks whether the packets to be transmitted match a rule that contains a routing tag. If so, the routing tag is entered into the data packet.
- The IP routing table combines the routing tag and destination IP address to determine the appropriate remote site. The IP routing table is processed from top down in the usual fashion.
- If an entry is found corresponding to the network, then the second step is to check the routing tag. The required remote site can be found with the help of the appropriate routing tag. During load balancing, the device can use the remote site from the list of remote sites/peers to determine the correct DSL port. Note: If the routing tag has a value of "0" (default), then the routing entry applies to all packets.
- Internal services implicitly use the default tag. If the user wishes to direct the default route through a VPN tunnel with a dynamic tunnel endpoint, for example, then the VPN module itself uses the default route with the routing tag "0" as standard to reach that endpoint. To direct the default route through the VPN tunnel anyway, create a second default route with routing tag "1" and the VPN remote site as the router name. With the appropriate firewall rule you can then transfer all services from all source stations to all destination stations with routing tag "1".
- Routing tags and RIP: The routing tag is also sent in RIP packets and evaluated upon receipt, so that, for example, the distances of the corresponding routes can be adjusted.
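The following is an added example, not code from the manual or the device firmware, that simulates the two-step lookup described above: firewall rules stamp a routing tag onto a packet, and the routing table is then walked top-down, matching the destination network first and the tag second, with tag "0" entries applying to all packets. All rule and route values (networks, remote site names) are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of a firewall rule that adds a routing tag to matching traffic.
@dataclass
class FirewallRule:
    source: ipaddress.IPv4Network   # local group of computers (IP address range)
    protocol: Optional[str]         # None = any service/protocol
    tag: int                        # routing tag written into the packet

# Constructed model of one line of the IP routing table.
@dataclass
class Route:
    destination: ipaddress.IPv4Network
    tag: int                        # 0 = entry applies to all packets
    remote_site: str                # remote site / peer (or load-balancing list)

def assign_tag(rules, src, proto):
    """Step 1: the first matching firewall rule stamps its tag; untagged traffic gets 0."""
    for r in rules:
        if ipaddress.ip_address(src) in r.source and r.protocol in (None, proto):
            return r.tag
    return 0

def lookup(routes, dst, tag):
    """Step 2: top-down walk; network must contain dst, then tag must be 0 or equal the packet tag."""
    d = ipaddress.ip_address(dst)
    for rt in routes:
        if d in rt.destination and rt.tag in (0, tag):
            return rt.remote_site
    return None

def route_packet(rules, routes, src, dst, proto):
    """Returns (routing tag, selected remote site) for one packet."""
    tag = assign_tag(rules, src, proto)
    return tag, lookup(routes, dst, tag)

# Constructed sample policy: a LAN host group gets tag 2 (second DSL port),
# HTTP from the rest of the LAN gets tag 1 (default route via the dynamic VPN tunnel).
RULES = [
    FirewallRule(ipaddress.ip_network("192.168.1.0/25"), None, 2),
    FirewallRule(ipaddress.ip_network("192.168.1.0/24"), "http", 1),
]
# Tagged default routes sit above the untagged one, since the table is read top-down
# and a tag-0 default route would otherwise match every packet first.
ROUTES = [
    Route(ipaddress.ip_network("10.0.0.0/8"), 0, "INTRANET"),
    Route(ipaddress.ip_network("0.0.0.0/0"), 2, "DSL-2"),
    Route(ipaddress.ip_network("0.0.0.0/0"), 1, "VPN-DYN"),
    Route(ipaddress.ip_network("0.0.0.0/0"), 0, "INTERNET"),
]
```

Note how the tag-0 entry for 10.0.0.0/8 still catches a tag-2 packet bound for that network, which is exactly the "applies to all packets" behavior of the default tag.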