DrayTek

Policy-based Routing

Many DrayTek Vigor routers are capable of Load Balancing traffic to make use of multiple Internet connections with the goal of increasing overall throughput (which has inherent backup / failover capability) or using the router's Failover functionality to use backup Internet connections.

Policy-based Routing is an enhanced form of Load Balancing with rules that define the interfaces that traffic is routed through.

With Policy-based Routing, the Interface (LAN, WAN or VPN) that packets are sent through is defined by matching rules that use the Local IP address, the Destination IP address and the Service Type (HTTP, Email etc.) as criteria.

If a match is found, the session is routed through that interface, similarly to how sessions matching specified criteria would be blocked or allowed by a Firewall. If the Interface is unavailable, Policy Routing has options for Failover to point traffic to other Policy Route rules or specific Interfaces.

Benefits of Policy-based Routing

Control Where Traffic is Sent: Full control of LAN to WAN (Internet) traffic by defining which types of traffic (network & Internet) are sent where.
Full Granularity: Apply Policy Route rules to the entire network, or only to specific IP addresses, ranges & subnets (VLANs).
Routing Through VPN: Specify which traffic is sent through a VPN Tunnel, including Internet access.
NAT or Routing: Either apply Network Address Translation (NAT) or Route packets to specified Internet connections.
Control Failover: Control Failover paths and chain multiple Policy Routes to control the order in which Failover works.
Control Recovery: Failback makes it possible to control how sessions are moved back across, either immediately or gradually.
Prioritise Routes: Prioritise Policy Routes to easily manage the ordering of Policy Routes, or override the Routing Table.
Direct Specific Traffic: Force access to specified web-sites, Internet IP addresses or services such as Email & VoIP through a specified Interface or local Gateway.

Applications of Policy-Based Routing

There are many applications for Policy-Based Routing; as a quick illustration, below are 5 examples of how Policy-based Routing could be used.

Apply Failover to specific Network Segments


The router's Failover functionality allows all devices on the network to use the backup connection by default. This can be undesirable where bandwidth on the backup connection is more expensive than on the primary Internet connection, such as Satellite or 4G network connections.

Backup connections may also have less bandwidth or throughput available: enough to run critical services such as payment processing, but not for streaming video.

In these situations, Policy Route can limit access to the available backup connections, such as this example in which the Guest VLAN is not allowed access to the 4G backup Internet connection.

In the event that the primary VDSL Internet connection becomes unavailable, the Internal Network VLAN is able to use the 4G Backup Internet connection and immediately resume connectivity. The Guest network would be unable to use the 4G Backup Internet connection and would not have Internet access until the VDSL Internet connectivity is restored.


Forwarding Internet access through a Proxy Server


Policy Route can send specific Service Types, such as Web traffic (HTTP, HTTPS) sessions, to a different LAN Gateway address instead of allowing direct Internet access for those services.

This makes it possible to have the router enforce forwarding of Internet traffic to a Proxy Server or UTM (Unified Threat Management) device for scanning and access control, while non-Web traffic could go through to the Internet directly.



Use a VPN tunnel for Internet access


Policy Route allows sending Internet traffic, or any other specified traffic, through a VPN Tunnel instead of directly to the Internet. Specified Destination addresses (Web IP addresses or Website hostnames) or Service Types (types of Network traffic such as HTTP) can also be sent through VPN tunnels.

If the VPN is unavailable, a Failover route can be specified to pass the traffic through another VPN tunnel or an internet connection.



Address Mapping

Policy Routes can specify an Alias IP to send Internet traffic through, so that specific local IP addresses, IP ranges or entire subnets use that Alias IP for Internet access. Because Policy Routes can be set up for specific services, this also makes it possible to send only specific services, such as VoIP or SMTP & Email traffic, from the Address Mapped IP.

Additionally, Failover and Failback options can be used so that devices using Address Mapping through the router would be able to use a backup internet connection if the Address Mapped IP is unavailable.

In this example, the 192.168.1.x IP addresses present the 198.51.100.154 address to the Internet.

The 192.168.2.x network presents 198.51.100.153 to the Internet.

When checking with a site that displays the user's Internet IP address, users will see the 198.51.100.153 or 198.51.100.154 addresses depending on which local network segment they are accessing from.


Providing a Backup connection for a Routed Internet connection

If an IP routed Internet connection, or a Private Routed connection from an ISP goes off-line, this would typically mean that the Routed Network segment will have no network access until that Internet connection comes back online.

IP Routing: With Policy Route's Failover and Failback options, Policy Routes could be configured to route traffic through the routed ISP normally and fail over to a backup Policy Route that sends Internet access through a backup Internet connection. Importantly, because the traffic would now leave via a WAN that does not own or use these public IPs, the backup Policy Route applies Network Address Translation (NAT) to that traffic so that Internet access keeps working for that network segment until the routed ISP is back online. When the routed connection is available again, the router switches connectivity back to its normal routed Internet connection.

Routed Network: Should the primary connection go off-line, accessing the Routed Network could still be possible by failing over to a VPN tunnel that establishes over a backup Internet connection. When the Routed WAN resumes connectivity, Policy Route's Failback can move sessions back to the primary connection immediately or wait until existing sessions complete and establish new sessions over the primary connection.


How Policy-based Routing Works

How packets are sent out by a DrayTek Vigor router is typically decided by the router's Load Balancing system and the Routing Table, which is a list of IP subnets and the Gateway Addresses used to reach those networks: for instance, ISP Internet Gateways for Internet connections, and LAN Gateways for Static Routes, where the router forwards traffic to another router to reach a specified network.

Policy Routing builds upon this by adding detailed criteria that define how packets are routed out through the router, making it possible to override the routing table if required.

DrayTek's Policy-based Routing operates similarly to a Firewall but instead of blocking or allowing traffic through, it defines which Interfaces the router uses to send out-bound packets.

When the Criteria are matched, the router sends packets through the Interface specified in the matching Policy Route rule.

The options available with Policy-based Routing are:

Matching Criteria

Source Address
The Local IP Address that the rule applies to. It has the following options:
Any: applies to all Local IPs
Source IP Range: applies to a range of Local IPs, for instance 172.16.1.10 to 172.16.1.20
Source IP Subnet: applies to a specified Network Subnet, for instance a Network IP of 192.168.1.0 with a Subnet Mask of 255.255.255.0 would apply the rule to 192.168.1.1 to 192.168.1.255

Destination Address
The Remote IP Address that the rule applies to. It has the following options:
Any: applies to all Remote IPs
Destination IP Range: applies to a range of Remote IPs, for instance 203.0.113.195 to 203.0.113.197
Destination IP Subnet: applies to a specified Network Subnet, for instance a Network IP of 198.51.100.89 with a Subnet Mask of 255.255.255.248 would apply the rule to 198.51.100.89 to 198.51.100.94

Coming Soon - Domain Name to apply to website hostnames

Service Type

This refers to the Protocol and Destination Port of the traffic.

Protocol can be TCP (e.g. HTTP, SMTP), UDP (e.g. VoIP), TCP/UDP, or ICMP (Ping).

Destination Port can be set to Any to apply to all ports of the specified Protocol type, or specified with a Start and End Port value to apply to a single port (e.g. TCP port 80) or a range of ports.

Interface

WAN: Specify the WAN (Wide Area Network) or Internet connection that packets are sent through. This can have Network Address Translation (NAT) applied or be Routed to the remote network.
LAN: Send specified packets to the specified LAN Interface.
LAN - Gateway: Send specified packets to a Gateway available on the LAN, for instance another router or a proxy server.
VPN: Send specified packets through a LAN to LAN VPN Tunnel established on the router.

Priority

DrayTek Vigor routers assign Priority values for different types of routing, with 250 being the lowest priority and 0 being the highest priority.

The Routing Table has a fixed priority value of 150, which includes Inter-LAN Routing (sending traffic between VLANs on the DrayTek router), Static Routes and VPN Routes.

The Default Route of the router refers to the Internet connections available and the Load Balancing pool, which becomes available when the router has multiple Internet connections available. It has the lowest possible priority of 250.

A Policy Route rule has a default priority value of 200, which overrides the router's Load Balancing and default Internet connections. Because this value is a lower priority than the Routing Table, it will not override Static Routes or VPN Routes, and traffic will still be able to route between VLANs.

If the rule is configured with a higher priority, i.e. a lower value such as 100, the Policy Route is applied above all else, routing any matching traffic to the specified Interface, such as an Internet connection.

Priority is also decided in this order:

  1. Highest Priority value Policy Routes
  2. Policy Routes processed in order of the Policy Route table i.e. Rule 1 is highest priority, 50 is lowest
  3. Routing Table
  4. Default Route

Policy Route rules with a higher Priority (a lower value) are processed before rules placed above them in the Policy Route table. Multiple Policy Route rules with the same priority value are processed in order of their position in the Policy Route table.

In this example, the 3rd rule is processed before the 1st and 2nd rules because it has the higher Priority (a lower value):

Failover

When an Interface is unavailable, the path that packets take instead would typically be decided by the Priority ordering, which could be limiting or not make full use of available backup connections.

There may be situations where only specific devices are intended to use a Backup Internet connection, such as a costly 4G connection where bandwidth is metered, making it unsuitable for simply configuring the Internet connection as a Backup WAN interface or allowing it to be part of the Load Balancing Pool.

In such a situation, the Failover options make it possible to specify which network segments, IP addresses or traffic types would use the Backup Internet connection.

Each Policy Route rule has an option to specify the Failover action, making it possible to specify multiple backup paths.
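The selection order described under Matching Criteria, Priority and Failover, as a small added model (not DrayTek code): entries are ranked by priority value (0 highest, 250 lowest) and then table position, with the Routing Table fixed at 150 and the Default Route at 250, and a rule whose interface is down uses its failover. The `Route` class, the `"next"`/`None` encoding of the failover action and the sample table are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Toy model (added here, not DrayTek code) of the priority scheme on the page:
# 0 is the highest priority and 250 the lowest; the Routing Table is fixed at
# 150 and the Default Route / load-balance pool at 250.
ROUTING_TABLE, DEFAULT_ROUTE = 150, 250

@dataclass
class Route:
    name: str
    interface: str                   # e.g. "WAN1", "WAN2", "VPN1"
    src: str = "0.0.0.0/0"           # Source Address ("Any" = 0.0.0.0/0)
    dst: str = "0.0.0.0/0"           # Destination Address
    proto: str = "any"               # Service Type protocol: tcp/udp/icmp/any
    ports: tuple = (1, 65535)        # Destination Start and End port
    priority: int = 200              # page: a Policy Route defaults to 200
    failover: Optional[str] = "next" # assumed encoding: an interface name,
                                     # "next" = fall through by priority order,
                                     # None = no backup path (traffic dropped)

    def matches(self, src_ip, dst_ip, proto, dport):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.ports[0] <= dport <= self.ports[1])

def select_interface(table, up, src_ip, dst_ip, proto="tcp", dport=80):
    """Egress interface for one packet: matching entries ordered by priority
    value, then by table position; a down interface uses the rule's failover."""
    ranked = sorted((r.priority, i, r) for i, r in enumerate(table)
                    if r.matches(src_ip, dst_ip, proto, dport))
    for _, _, r in ranked:
        if r.interface in up:
            return r.interface
        if r.failover in up:       # explicit backup interface is up
            return r.failover
        if r.failover != "next":   # no usable backup: traffic goes nowhere
            return None
    return None

# Constructed table for the page's failover scenario: VDSL is WAN1, the 4G
# backup is WAN2; the Internal VLAN may fail over to it, the Guest VLAN may not.
TABLE = [
    Route("Internal VLAN", "WAN1", src="192.168.1.0/24", failover="WAN2"),
    Route("Guest VLAN", "WAN1", src="192.168.2.0/24", failover=None),
    Route("Static route", "VPN1", dst="10.10.0.0/16", priority=ROUTING_TABLE),
    Route("Default route", "WAN1", priority=DEFAULT_ROUTE, failover="WAN2"),
]
```

With WAN1 down, `select_interface(TABLE, {"WAN2", "VPN1"}, "192.168.1.20", "203.0.113.5")` returns `"WAN2"` while the same call from 192.168.2.20 returns `None`, and a rule at priority 100 placed in front of the table wins over the static route at 150.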


Failback

The Failback option of a Policy Route rule defines how the router handles sessions going through a Failover Backup route when the Primary route is re-established.

With Failback disabled, the router will allow sessions to remain on the Backup route interface but new sessions will be established through the Primary route interface instead. This is less disruptive but can lead to the backup connection being in use for longer than it needs to be or using more data than intended.

When Failback is enabled, the router clears sessions from the Backup route interface so that it's no longer in use and clients can re-establish their sessions with the Primary route interface.

Policy Route Diagnostics

When a number of Policy Routes are configured, determining how packets are handled can become difficult, and if packets are not routing as expected, finding which Policy Route is affecting the routing would otherwise require checking the router's diagnostic logs.

The Policy Route menu provides a web interface for testing. With the Diagnostics interface, virtual packets can be sent and the router will indicate which Route or Policy Route has matched that traffic and how it would then be routed:


The capability of any particular product will vary; please refer to specifications of each product for feature support.