Interface-dependent filtering—in combination with policy-based routing—allows virtual routers to be defined for every interface:
Example:
Two separate IP networks are used by the Development and Sales departments. The two networks are connected to different switch ports, although they use the same address range ('10.1.1.0/255.255.255.0'). Sales should only be able to access the Internet, whereas Development should additionally have access to a partner company's network ('192.168.1.0/255.255.255.0').
The result is the following routing table (where the Development dept. has tag 2, Sales has tag 1):
IP address | IP netmask | Rtg tag | Peer-or-IP | Distance | Masking | Active
---|---|---|---|---|---|---
192.168.1.0 | 255.255.255.0 | 2 | PARTNER | 0 | No | Yes
192.168.0.0 | 255.255.0.0 | 0 | 0.0.0.0 | 0 | No | Yes
255.255.255.255 | 0.0.0.0 | 2 | INTERNET | 2 | Yes | Yes
255.255.255.255 | 0.0.0.0 | 1 | INTERNET | 2 | Yes | Yes
If Development and Sales were in IP networks with different address ranges, the routing tags could simply be assigned with firewall rules. Since both departments are in the same IP network, the only available method of assignment is via the network names.
Tag assignment can be carried out directly in the network definition:
Network name | IP address | Netmask | VLAN ID | Interface | Source check | Type | Rtg tag
---|---|---|---|---|---|---|---
DEVELOPMENT | 10.1.1.1 | 255.255.255.0 | 0 | LAN-1 | Strict | Intranet | 2
SALES | 10.1.1.1 | 255.255.255.0 | 0 | LAN-2 | Strict | Intranet | 1
Alternatively the assignment of tags can be carried out with a combination of network definitions and firewall rules. The networks are defined as follows:
Network name | IP address | Netmask | VLAN ID | Interface | Source check | Type | Rtg tag
---|---|---|---|---|---|---|---
DEVELOPMENT | 10.1.1.1 | 255.255.255.0 | 0 | LAN-1 | Strict | Intranet | 0
SALES | 10.1.1.1 | 255.255.255.0 | 0 | LAN-2 | Strict | Intranet | 0
The routing tags are then assigned by the following firewall rules:

Name | Protocol | Source | Destination | Action | Linked | Prio | (...) | Rtg tag
---|---|---|---|---|---|---|---|---
DEVELOPMENT | ANY | %Ldevelopment | ANYHOST | %a | Yes | 255 | | 2
SALES | ANY | %Lsales | ANYHOST | %a | Yes | 255 | | 1
These rules must have the maximum priority (255) so that they are always checked first. Because filtering by services is still possible afterwards, the "Linked" option has to be set in the firewall rule.
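As an added illustration (not code from the original documentation), the following Python model walks a packet through the first variant above: the routing tag is taken from the network definition of the ingress interface, and the routing table is then consulted with that tag. It assumes LANCOM-style semantics the page does not spell out: a route with tag 0 applies to every packet, a tagged route only to packets carrying that tag, the longest matching prefix wins, and a peer of 0.0.0.0 discards the packet.

```python
import ipaddress
from typing import Optional

# Constructed sample data mirroring the network definition table above:
# ingress interface -> (network name, routing tag).
NETWORKS = {
    "LAN-1": ("DEVELOPMENT", 2),
    "LAN-2": ("SALES", 1),
}

# Constructed copy of the routing table: (destination network, routing tag,
# peer-or-IP). The LANCOM default route 255.255.255.255/0.0.0.0 is written
# here as 0.0.0.0/0; peer 0.0.0.0 is treated as "discard" (assumption).
ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), 2, "PARTNER"),
    (ipaddress.ip_network("192.168.0.0/16"), 0, "0.0.0.0"),
    (ipaddress.ip_network("0.0.0.0/0"), 2, "INTERNET"),
    (ipaddress.ip_network("0.0.0.0/0"), 1, "INTERNET"),
]


def tag_for_interface(iface: str) -> int:
    """Routing tag from the network definition of the ingress interface."""
    return NETWORKS[iface][1]


def lookup(dst: str, tag: int) -> Optional[str]:
    """Tag-aware route lookup (assumed semantics, see lead-in).

    Candidates are routes whose tag is 0 or equals the packet's tag; the
    longest prefix wins, and an exact tag match beats a tag-0 route of the
    same length. Returns the peer name, or None if the packet is discarded.
    """
    ip = ipaddress.ip_address(dst)
    candidates = [(net.prefixlen, rt == tag, peer)
                  for net, rt, peer in ROUTES if rt in (0, tag) and ip in net]
    if not candidates:
        return None
    _, _, peer = max(candidates)
    return None if peer == "0.0.0.0" else peer


def forward(dst: str, iface: str) -> Optional[str]:
    """Full path: interface -> routing tag -> route (peer or None)."""
    return lookup(dst, tag_for_interface(iface))


if __name__ == "__main__":
    for iface, dst in [("LAN-1", "192.168.1.10"), ("LAN-2", "192.168.1.10"),
                       ("LAN-1", "192.168.5.5"), ("LAN-2", "203.0.113.7")]:
        print(f"{NETWORKS[iface][0]:<12} -> {dst:<14} via {forward(dst, iface)}")
```

Development reaches the partner /24 via PARTNER, Sales is stopped by the tag-0 discard route for 192.168.0.0/16, and both departments reach the Internet through their own tagged default route.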