Policy-based Routing


Many DrayTek Vigor routers are capable of Load Balancing traffic to make use of multiple Internet connections with the goal of increasing overall throughput (which has inherent backup / failover capability) or using the router's Failover functionality to use backup Internet connections.

Policy-based Routing is an enhanced form of Load Balancing with rules that define the interfaces that traffic is routed through.

With Policy-based Routing, the Interface (LAN, WAN & VPN) that packets are sent through is defined by matching rules that use the Local IP address, the Destination IP address and the Service Type (HTTP, Email etc) as Criteria.

If a match is found, the session is routed through that interface, similarly to how sessions matching specified criteria would be blocked or allowed by a Firewall. If the Interface is unavailable, Policy Routing has options for Failover to point traffic to other Policy Route rules or specific Interfaces.

Benefits of Policy-based Routing

Control Where Traffic is Sent: Full control of LAN to WAN (Internet) traffic by defining which types of traffic (network & Internet) are sent where.
Full Granularity: Apply Policy Route rules to the entire network, or to specific IP addresses, ranges & subnets (VLANs) only.
Routing Through VPN: Specify which traffic is sent through a VPN Tunnel, including Internet access.
NAT or Routing: Either apply Network Address Translation (NAT) or Route packets to specified Internet connections.
Control Failover: Control Failover paths and chain multiple Policy Routes to control the order in which Failover works.
Control Recovery: Failback makes it possible to control how sessions are moved back across, either immediately or gradually.
Prioritise Routes: Prioritise Policy Routes to easily manage the ordering of Policy Routes, or over-ride the Routing Table.
Direct Specific Traffic: Force access to specified web-sites, Internet IP addresses or services such as Email & VoIP through a specified Interface or local Gateway.

Usage Examples

Applications of Policy-Based Routing

There are many applications for Policy-Based Routing; as a quick illustration, below are 5 examples of how policy based routing could be used.

Apply Failover to specific Network Segments

The router's Failover functionality allows all devices on the network to use the backup connection by default. This can be undesirable where bandwidth on the backup connection is more expensive than on the primary Internet connection, such as with Satellite or 4G network connections.

Backup connections may also have less bandwidth or throughput available: enough to run critical services such as payment processing, but not for streaming video.

In these situations, Policy Route can limit access to the available backup connections, as in this example, in which the Guest VLAN is not allowed to use the 4G backup Internet connection.

In the event that the primary VDSL Internet connection becomes unavailable, the Internal Network VLAN is able to use the 4G Backup Internet connection and immediately resume connectivity. The Guest network would be unable to use the 4G Backup Internet connection and would not have Internet access until the VDSL Internet connectivity is restored.

Forwarding Internet access through a Proxy Server

Policy Route can send specific Service Types, such as Web traffic (HTTP, HTTPS) sessions, to a different LAN Gateway address instead of allowing direct Internet access for those services.

This makes it possible to have the router enforce forwarding of Internet traffic to a Proxy Server or UTM (Unified Threat Management) device for scanning and access control, while non-Web traffic could go through to the Internet directly.

Use a VPN tunnel for Internet access

Policy Route allows sending Internet traffic, or any other specified traffic, through a VPN Tunnel instead of directly to the Internet. Specified Destination addresses (Web IP addresses or Website hostnames) or Service Types (types of Network traffic such as HTTP) can also be sent through VPN tunnels.

If the VPN is unavailable, a Failover route can be specified to pass the traffic through another VPN tunnel or an internet connection.

Address Mapping

Policy Routes can specify Alias IPs to send Internet traffic through, so that specific local IP addresses, IP ranges or entire subnets use a specified Alias IP for Internet access. Because Policy Routes can be set up for specific services, this also makes it possible to send only specific services, such as VoIP or SMTP & Email traffic, from the Address Mapped IP.

Additionally, Failover and Failback options can be used so that devices using Address Mapping through the router would be able to use a backup internet connection if the Address Mapped IP is unavailable.

In this example, the 192.168.1.x IP addresses present the address to the Internet.

The 192.168.2.x network presents to the Internet.

When checking with a site that displays the user's Internet IP address, users will see the or addresses depending on which local network segment they are accessing from.

Providing a Backup connection for a Routed Internet connection

If an IP routed Internet connection, or a Private Routed connection from an ISP goes off-line, this would typically mean that the Routed Network segment will have no network access until that Internet connection comes back online.

IP Routing: With Policy Route's Failover and Failback options, Policy Routes can be configured to route traffic through the routed ISP normally and fail over to a backup Policy Route that sends Internet access through a backup Internet connection. Importantly, since the traffic would then leave via a WAN that does not own or use these public IPs, the backup route applies Network Address Translation (NAT) to that traffic so that Internet access keeps working for that network segment until the routed ISP is back online. When the routed connection is available again, the router switches connectivity back to its normal routed Internet connection.

Routed Network: Should the primary connection go off-line, accessing the Routed Network could still be possible by failing over to a VPN tunnel that establishes over a backup Internet connection. When the Routed WAN resumes connectivity, Policy Route's Failback can move sessions back to the primary connection immediately or wait until existing sessions complete and establish new sessions over the primary connection.
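To make the first-match rule lookup and the failover chaining described above concrete, here is a small Python model (an added example, not DrayTek's code or any actual router configuration) applied to three scenarios on this page: the Guest VLAN that must not use the 4G backup, web traffic forced to a proxy gateway, and the ISP-routed public block that falls back to a NAT'd backup WAN. The rule names, subnets, interface labels (WAN1, WAN2, WAN3, PROXY-GW) and the choice to model failover only to another Policy Route (not directly to an Interface) are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class PolicyRoute:
    name: str
    src: str                   # local IP criterion (CIDR)
    interface: str             # WAN, VPN or LAN gateway used when the rule matches
    dst: str = "0.0.0.0/0"     # destination IP criterion (CIDR); default = any
    services: tuple = ()       # service-type criterion; empty = any service
    nat: bool = True           # apply NAT on this interface (False = route packets as-is)
    failover: str = ""         # name of the next PolicyRoute if the interface is down


def matches(rule, src_ip, dst_ip, service):
    """All three criteria (local IP, destination IP, service type) must match."""
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst)
            and (not rule.services or service in rule.services))


def select_route(rules, link_up, src_ip, dst_ip, service, default="WAN1"):
    """First-match lookup in priority order, then walk the failover chain.
    Returns (interface, nat) or None when no usable path is left (no connectivity)."""
    by_name = {r.name: r for r in rules}
    rule = next((r for r in rules if matches(r, src_ip, dst_ip, service)), None)
    if rule is None:  # no policy route: fall through to the routing table's default WAN
        return (default, True) if link_up.get(default) else None
    seen = set()
    while rule is not None and rule.name not in seen:  # seen-set guards against loops
        seen.add(rule.name)
        if link_up.get(rule.interface):
            return rule.interface, rule.nat
        rule = by_name.get(rule.failover)
    return None


# Constructed rule set (assumed, not a real DrayTek configuration): VDSL on WAN1, 4G backup on WAN2,
# an ISP-routed public block (documentation range 203.0.113.0/28) on WAN3, a proxy at a LAN gateway.
RULES = [
    PolicyRoute("web-proxy", "192.168.1.0/24", "PROXY-GW", services=("HTTP", "HTTPS"), nat=False),
    PolicyRoute("internal", "192.168.1.0/24", "WAN1", failover="internal-4g"),
    PolicyRoute("internal-4g", "192.168.1.0/24", "WAN2"),
    PolicyRoute("guest", "192.168.10.0/24", "WAN1"),          # no failover: guests never use 4G
    PolicyRoute("routed", "203.0.113.0/28", "WAN3", nat=False, failover="routed-backup"),
    PolicyRoute("routed-backup", "203.0.113.0/28", "WAN2"),   # WAN2 does not own the public block: NAT
]
```

With WAN1 and WAN3 down, `select_route` sends internal hosts and the routed block out via WAN2 (the latter now NAT'd), while a guest host gets `None`, i.e. no Internet until VDSL returns.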

The capability of any particular product will vary; please refer to specifications of each product for feature support.