Nebula [Firewall] - Configure Policy Routes in Nebula

Policy Route is a feature of Nebula Security Gateways (NSG) that lets you forward traffic in a specific way based on parameters such as source and destination IP, protocol, and so on.
This allows you to forward traffic in ways the NSG would not handle by default.

Mechanisms/Limitations of this feature:
1. The maximum number of Policy Routes per site depends on the firewall model and equals the number in the model name (50 for NSG50, 100 for NSG100, etc.).
2. Three types of Policy Route:
    (1) Internet
    (2) Intranet
    (3) VPN
3. Routing Hierarchy: Direct Routes > Policy Routes > Static Routes
4. Policy Route order can be rearranged.

 

Where to configure:
You can find it under

Site-wide > Firewall > Configure > Policy Route

Example screenshot for Policy Route:

 

Scenario and Example for three types of Policy Route:
1) The scenario for the Internet:

LAN host "192.168.100.1" has to access the Internet via WAN 2 (ISP 2).

Example of the configuration:

 

2) The scenario for Intranet:


Only hosts in LAN "192.168.2.0/24" can reach LAN "192.168.10.0/24".
Only the router 192.168.1.33 knows how to reach LAN "192.168.10.0/24".
Note: The Intranet policy route type does not apply SNAT, so packets keep their original source address.

Example of the configuration:

 

3) The scenario for VPN (Nebula to non-Nebula peer VPN policy routes):

Host 192.168.37.33 wants to communicate with host 192.168.2.33, whose subnet is not part of the VPN on the remote site.

Example of the configuration:


Note: Policy Routes must be removed before you change or disable the VPN topology, or unregister the NSG from that site.
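As an added illustration (not part of this article and not the NSG's own implementation), the following Python model applies the routing hierarchy from item 3 above (Direct Routes > Policy Routes > Static Routes) and first-match policy order to the three scenarios described here. The route tables, interface names, the 203.0.113.10 test address and the assumption that Internet-type routes apply SNAT are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed tables modelling the article's scenarios (not exported from a
# real NSG). Direct routes are the NSG's connected subnets; 192.168.2.0/24 is
# treated as a remote subnet reached only through the VPN scenario's route.
DIRECT_ROUTES = {            # connected subnet -> interface
    "192.168.100.0/24": "lan1",
    "192.168.1.0/24": "lan3",   # where router 192.168.1.33 lives
    "192.168.37.0/24": "lan4",
}
POLICY_ROUTES = [            # ordered list; assumption: first match wins
    {"type": "Internet", "src": "192.168.100.1/32", "dst": "0.0.0.0/0",
     "next_hop": "wan2"},                                 # scenario 1
    {"type": "Intranet", "src": "192.168.2.0/24", "dst": "192.168.10.0/24",
     "next_hop": "192.168.1.33"},                         # scenario 2
    {"type": "VPN", "src": "192.168.37.33/32", "dst": "192.168.2.33/32",
     "next_hop": "vpn-tunnel"},                           # scenario 3
]
STATIC_ROUTES = {"0.0.0.0/0": "wan1"}   # default route via ISP 1


def _matches(route, src, dst):
    return (ip_address(src) in ip_network(route["src"])
            and ip_address(dst) in ip_network(route["dst"]))


def select_route(src, dst):
    """Return (stage, policy_type, next_hop, snat) for a packet src -> dst."""
    dst_ip = ip_address(dst)
    # 1. Direct routes: destination on a connected subnet wins outright.
    for net, iface in DIRECT_ROUTES.items():
        if dst_ip in ip_network(net):
            return ("direct", None, iface, False)
    # 2. Policy routes, evaluated in the configured order.
    for r in POLICY_ROUTES:
        if _matches(r, src, dst):
            # Article: Intranet type has no SNAT. Assumption: Internet type
            # NATs to the WAN address; VPN type is modelled without SNAT.
            snat = r["type"] == "Internet"
            return ("policy", r["type"], r["next_hop"], snat)
    # 3. Static routes, longest prefix wins (only a default route here).
    best = max((n for n in STATIC_ROUTES if dst_ip in ip_network(n)),
               key=lambda n: ip_network(n).prefixlen, default=None)
    if best is None:
        return ("none", None, None, False)
    return ("static", None, STATIC_ROUTES[best], False)
```

A host that the policy route does not cover (for example 192.168.100.2) falls through to the default static route via WAN 1, which is the behaviour the Internet scenario is meant to override for 192.168.100.1 only.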

 

Also interesting:
Do you want to look directly at one of our test devices? Have a look at our virtual lab:

Virtual Lab - VPN Nebula to non Nebula device
