This Policy Route guide will show you how to handle Routing on a USG/ATP. It will show you examples of the most common scenarios like SNAT, route traffic through a specific WAN interface and route traffic through a VPN tunnel.
Use policy routes to override the default routing behavior in order to send packets through the appropriate interface and/or VPN tunnel(s).
Traditionally, routing is based on the destination address only, and the USG/ATP takes the shortest path to forward a packet. IP Policy Routing provides a mechanism to override this default behavior and alter packet forwarding based on a policy defined by the network administrator. Policy-based routing is applied to incoming packets on an interface, before normal routing takes place.
Below are examples for some of the most common scenarios.
Routing Internal Traffic Through Specific WAN
Depending on your implementation, you may be using multiple internet connections and multiple internal networks (LAN1 and Guest, for example). To optimize the performance of the internal network (LAN1), you may want to force its traffic through the faster, more reliable internet connection while the guest network uses a slower connection. This can be achieved by creating two policy routes: one to send LAN1's traffic out the fast internet connection and a second to send the guest traffic out the slower connection.
For this example WAN1 is the fast connection and WAN2 is the slower internet connection.
Note: Check “Disable policy route automatically while Interface link down” so that the route is disabled automatically when the configured WAN interface is down; the traffic then falls back to the other WAN interface as a backup.
Create a second rule for the Guest network (whether it be LAN2, DMZ, a bridge interface or VLAN) using WAN2 for the Next-Hop.
Route Traffic Through VPN
Unfortunately, the USG/ATP can route only one network subnet or one range of consecutive IP addresses through a VPN tunnel. If your network uses 192.168.1.0/24, 172.16.0.0/24 and 10.0.0.0/24 as subnets and you need to route all three through a VPN tunnel, this is not possible because of that VPN limitation of the USG/ATP.
Creating a policy route that sends the traffic from the other local networks through the VPN tunnel is a workaround: with this policy route, the remote network behind the VPN can be reached from those networks as well.
The example below will route traffic from the LAN2 subnet destined for the remote subnet through the specified VPN tunnel.
Note: The other side has to set up a route for the way back too.
SNAT (Source Network Address Translation) Routing
If you have multiple public IP addresses leased from the internet service provider and the mail server needs to send its traffic from one of these addresses, you can create a policy route that sends all traffic from the mail server out the WAN using a specific public IP of the leased block.
First create address objects for the private IP address and public IP address of the mail server.
You can create the objects under:
Configuration -> Object -> Address
Object of the public IP for our example
Object of the private IP for our example
Create the policy route as follows:
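As an added illustration (not the USG/ATP's own configuration syntax or code), the following Python script simulates how the ordered policy routes from the three scenarios above are evaluated: the first matching rule wins, a rule with the link-down option is skipped while its interface is down so traffic falls back to normal routing, and an SNAT rule rewrites the source address. The interface and tunnel names, the guest subnet, the remote subnet, the mail server address and the public IP are constructed values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class PolicyRoute:
    name: str
    source: str                          # matching source subnet/host, e.g. "192.168.1.0/24"
    next_hop: str                        # outgoing interface or VPN tunnel (hypothetical names)
    destination: str = "0.0.0.0/0"       # "any" unless a remote subnet is given
    snat: Optional[str] = None           # rewrite the source to this public IP when set
    disable_when_link_down: bool = False # the "Disable policy route ... while Interface link down" option

def route(rules, link_up, src, dst):
    """Return (rule name, next hop, source address after SNAT) for one packet.
    Rules are checked top to bottom and the first match wins, as on the USG/ATP;
    a rule skipped because its interface is down falls through to normal routing."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for r in rules:
        if r.disable_when_link_down and not link_up.get(r.next_hop, True):
            continue                     # link down: rule ignored, traffic uses the default route
        if src_ip in ip_network(r.source) and dst_ip in ip_network(r.destination):
            return r.name, r.next_hop, r.snat or src
    return None, "default-route", src    # no policy matched: ordinary destination-based routing

# Constructed rule set covering the three scenarios. Note the order: the host-specific
# mail-server rule must sit above the broader LAN1 rule, or it would never be reached.
RULES = [
    PolicyRoute("mail-snat", "192.168.1.25/32", "wan1", snat="203.0.113.10"),
    PolicyRoute("lan1-to-wan1", "192.168.1.0/24", "wan1", disable_when_link_down=True),
    PolicyRoute("guest-to-wan2", "192.168.2.0/24", "wan2", disable_when_link_down=True),
    PolicyRoute("lan2-to-vpn", "10.0.0.0/24", "vpn-site-b", destination="192.168.100.0/24"),
]

def lookup(src, dst, wan1_up=True):
    """Evaluate one packet against RULES with the given (assumed) WAN1 link state."""
    return route(RULES, {"wan1": wan1_up, "wan2": True}, src, dst)

if __name__ == "__main__":
    for src, dst, up in [("192.168.1.50", "198.51.100.7", True), ("192.168.1.50", "198.51.100.7", False),
                         ("192.168.1.25", "198.51.100.7", True), ("10.0.0.5", "192.168.100.9", True),
                         ("10.0.0.5", "198.51.100.7", True)]:
        print(src, "->", dst, "(wan1 up)" if up else "(wan1 down)", lookup(src, dst, up))
```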