Policy-based routing

Policy-based routing does not rely exclusively upon the destination IP address to define the destination route (meaning the remote device that is to be used to transfer the data). Further information can be used-such as the service or the protocol used, sender addresses or the destination for the data packets-for the selection of the destination route. Policy-based routing can be used to achieve a significantly finer-grained routing behavior, such as in the following application scenarios:

• The LAN's entire Internet traffic is diverted to a proxy without entering the proxy address into the browsers. As the users do not notice the proxy routing, the scenario is named "transparent" proxy.

• With load balancing, the data traffic for selected protocols is diverted over a certain DSL port that uses an additional external ADSL modem.
• A server in the local network is only supposed to be accessible from the WAN via a fixed IP address; this is routed via a certain WAN interface.
• VPN traffic is forwarded to a VPN tunnel with dynamic end points by using the routing tag '0'; the company's remaining Internet traffic is diverted to another firewall by means of another suitable routing tag.

Suitable entries can be made in the firewall to select channels according to information other than just the destination IP address. These entries are supplemented with a special routing tag that is used to control the channel selection with the routing table. For example, a rule adds the routing tag '2' to the entire data traffic for a local group of computers (defined by an IP address range). Alternatively, certain protocols receive a different supplementary routing tag.

The diagram demonstrates the application of policy-based routing with load balancing:

• When establishing a connection, the firewall initially checks if the packets for transmission fit to a rule which contains a routing tag. The routing tag is entered into the data packet.
• The IP routing table combines the routing tag and destination IP address to determine the appropriate remote station. The IP routing table is processed from top down in the usual fashion.
• If an entry is found corresponding to the network, then the second step is to check the routing tag. The required remote station can be found with the help of the appropriate routing tag.
  Note: If the routing tag has a value of "0" (default) then the routing entry applies to all packets.
• Internal services implicitly use the default tag. If the user wishes to direct the default route through a VPN tunnel with a dynamic tunnel endpoint, for example, then the VPN module uses the default route with the routing tag "0" as standard. To direct the default route through the VPN tunnel anyway, create a second default route with routing tag "1" and the VPN remote station as router names. With the appropriate firewall rule you can transfer all services from all source stations to all destination stations with routing tag "1".
• Routing tags and RIP: The routing tag is also transmitted in RIP packets for processing upon reception, so that, for example, the change in distances in the proper route can be changed.