Policy-based routing

Policy routing, also known as policy-based routing, refers to cases where the routing of traffic is based on criteria other than the destination network. A variety of criteria can be used to determine which route traffic takes, such as source or destination network, source or destination address or port, protocol, packet size, and many others. Essentially, any criterion that can form the basis of a firewall rule can form the basis of policy routing. It is often used in multi-WAN setups, where we want to direct traffic to a specific WAN interface based on certain criteria, but there are other cases where we might want to use policy routing as well.

As you may recall from previous chapters, we sometimes had occasion to create a rule that directed traffic to a gateway other than the default gateway. We can use this ability to choose a gateway in order to implement policy routing. The process can be summarized as follows:

  1. Create one or more alternate gateways
  2. Create a firewall rule specifying certain criteria (the policy part of policy routing)
  3. Select a gateway to which traffic matching the rule will be sent

Since we already discussed policy-based routing in the previous chapter, we will not go into a detailed discussion here, but it might be helpful to provide an example. Assume that we have a multi-WAN setup. WAN is our default gateway, but WAN2 provides a gateway to a secondary internet connection. We want to use WAN2 for video streaming with the Real-Time Transport Protocol (RTP) from the LAN network. The video streaming client will always use port 554 to send video, and will use UDP only. We will also be using port 555 for the Real-Time Control Protocol (RTCP), which monitors the RTP session, but we do not need to re-route this traffic.

The first step is to navigate to System | Routing and confirm that WAN2 is already configured as a gateway (on the Gateways tab). As you may recall from our previous discussion of gateway groups, WAN-type interfaces that are configured to get their IP address from an upstream DHCP server are automatically configured as gateways. If WAN2 is not listed, we must click on the Add button and create a WAN2 gateway. The Interface drop-down box should be set to WAN2, and the gateway's IP address should be entered in the Gateway edit box. You must also enter a name in the Name field; you may enter a brief description in the Description field as well. Click on Save when you have finished making changes, then click on Apply Changes on the main routing page.

Next, navigate to Firewall | Rules and click on the LAN tab. In cases where we need to implement policy routing on multiple interfaces and/or in both directions, creating a floating rule would be more appropriate. Since we only need to redirect traffic in one direction and on a single interface, however, we will not create a floating rule. Click on the Add button on the LAN tab to create a new rule.

On the rule configuration page, keep Action set to Pass and Interface set to LAN. Change Protocol to UDP. Since the traffic's source will be the LAN network, choose LAN net in the Source drop-down box. Set Destination port range to 554.

We have now set the matching criteria; all that remains is to select a gateway. Click on the Show Advanced button, then scroll down the page. In the Advanced Options section, the Gateway option should be third from the bottom.

Select the WAN2 gateway in the drop-down box. You could also use Ackqueue/Queue to assign the traffic to a high-priority queue if you have traffic shaping configured. You can enter a description in the Description field for your own reference (for example, Policy routing for video streaming client), then click on the Save button. On the main rules page, make sure the newly created rule appears in the table before the default allow LAN to any rule, as well as before any other rule that would match the traffic; rules are evaluated top to bottom and the first match wins, so a broader rule placed above ours would pass the traffic via the default gateway and our policy rule would never apply. If it does not appear before these rules, drag it above them, then click on the Apply Changes button. We have now implemented a form of policy routing for our video streaming client.
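The ordering concern above can be checked against a small model of the LAN rule table. The following is an added example written for this chapter, not pfSense code: it evaluates rules top to bottom, first match wins, and reports which gateway a given flow would take. The LAN subnet, client address, and the `Rule`/`select_gateway`/`shadowing_rule` names are constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed model of a pfSense LAN rule set (not pfSense's own code):
# rules are evaluated top to bottom and the first match decides the gateway.

@dataclass(frozen=True)
class Rule:
    description: str
    proto: Optional[str] = None      # None matches any protocol
    src_net: str = "0.0.0.0/0"       # the rule's "Source" field
    dst_port: Optional[int] = None   # "Destination port range" (single port here)
    gateway: str = "default"         # "default" = follow the routing table (WAN)

    def matches(self, proto: str, src: str, dport: int) -> bool:
        return ((self.proto is None or self.proto == proto)
                and ip_address(src) in ip_network(self.src_net)
                and (self.dst_port is None or self.dst_port == dport))

LAN_NET = "192.168.1.0/24"   # constructed sample value standing in for "LAN net"

# The rule described in the text: UDP from LAN net to port 554, gateway WAN2.
VIDEO_RULE = Rule("Policy routing for video streaming client",
                  proto="udp", src_net=LAN_NET, dst_port=554, gateway="WAN2")
# The stock "Default allow LAN to any" rule, which uses the default gateway.
DEFAULT_LAN_RULE = Rule("Default allow LAN to any", src_net=LAN_NET)

def select_gateway(rules: List[Rule], proto: str, src: str, dport: int) -> Optional[str]:
    """Gateway chosen for one flow, or None when no rule passes it."""
    for rule in rules:
        if rule.matches(proto, src, dport):
            return rule.gateway
    return None

def shadowing_rule(rules: List[Rule], policy: Rule,
                   proto: str, src: str, dport: int) -> Optional[str]:
    """Description of a rule placed above `policy` that would capture the sample
    flow first (so the policy never applies), or None if the order is correct."""
    for rule in rules:
        if rule is policy:
            return None
        if rule.matches(proto, src, dport):
            return rule.description
    return None

if __name__ == "__main__":
    client = "192.168.1.50"   # constructed sample streaming client
    for label, table in (("correct order", [VIDEO_RULE, DEFAULT_LAN_RULE]),
                         ("wrong order", [DEFAULT_LAN_RULE, VIDEO_RULE])):
        print(label, "-> RTP via", select_gateway(table, "udp", client, 554),
              "| RTCP via", select_gateway(table, "udp", client, 555))
```

With the rules in the correct order, RTP (UDP/554) goes out via WAN2 while RTCP (UDP/555) and TCP traffic stay on the default gateway; with the default allow rule on top, everything stays on the default gateway.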

This is just a single example of policy routing; there are many other real-world applications for such routing. Another example might be a web cache proxy on another router, with all of our HTTP and HTTPS traffic on ports 80 and 443 directed to that router. Also, our example demonstrated how to use pfSense for policy routing, but in a real-world scenario such tasks might be delegated to a Layer 3 switch that supports policy-based routing.
