7.5  Policy routing

If the LAN is connected to the Internet by multiple links with load balancing (see chapter 6.4  Network Load Balancing), it may be necessary to reserve one link for certain traffic, leaving the remaining load to the other links. Such a measure is useful when important traffic (email, the company information system, etc.) must keep flowing and must not be slowed down by secondary or even marginal traffic (web browsing, online radio channels, etc.). To meet this crucial requirement of enterprise data traffic, packets routed from the LAN to the Internet must be routed on the basis of additional information besides the destination IP address, such as the source IP address, protocol, etc. This approach is called policy routing.

In WinRoute, policy routing is defined by conditions in the traffic rules for Internet access with IP address translation (NAT). This approach offers a wide range of options for meeting routing and network load balancing requirements.

Note: Policy routing traffic rules take priority over routes defined in the routing table (see chapter 18.1  Routing table).

Example: A link reserved for email traffic

Let us suppose that the firewall is connected to the Internet by two load-balanced links with speeds of 4 Mbit/s and 8 Mbit/s. One of the links is connected to the provider that also hosts the mail server. Therefore, it is desirable that all email traffic (SMTP, IMAP and POP3 and their secured versions) is routed through this link.

Define the following traffic rules to meet these requirements:

  • The first rule applies NAT to email services and uses the Internet 4 Mbit interface.

  • The second rule is a general NAT rule with automatic interface selection (see chapter 7.4  Basic Traffic Rule Types).

Figure 7.30. Policy routing — a link reserved for email traffic

The NAT setting in the rule for email services is shown in figure 7.31  Policy routing — setting NAT for a reserved link. It is recommended to allow use of a backup link in case the reserved link fails. Otherwise, email services will be unavailable whenever that connection fails.

Figure 7.31. Policy routing — setting NAT for a reserved link

Let us suppose that the mail server also provides Webmail and CalDAV services, which use the HTTP(S) protocol. Adding these protocols to the first rule would route all web traffic through the reserved link. To reach the desired goal, the rule can instead be modified to reserve the link only for traffic with a specific server (see figure 7.32  Policy routing — a link reserved for a specific server).

Figure 7.32. Policy routing — a link reserved for a specific server

Note: The second rule uses automatic interface selection. This means that the Internet 4Mbit link is also used for load balancing of other network traffic. Email traffic still takes priority on the link reserved by the first rule, so the total load is balanced efficiently between both links at all times.

If you need to reserve a link only for specific traffic (i.e. route all other traffic through the other links), go to Configuration → Interfaces and set the speed of the link to 0 Mbit/s. In this case the link will not be used for load balancing; only traffic specified in the corresponding traffic rules will be routed through it.

Example: Optimization of network traffic load balancing

WinRoute provides two modes of network traffic load balancing: per host (client) or per connection (for details, refer to chapter 7.3  Definition of Custom Traffic Rules). Given the variety of applications on individual hosts and of user behavior, load balancing per connection proves to be the best solution (more efficient use of the individual links). However, this mode may cause problems with services that establish multiple connections at once (web pages and other web-related services). The server may interpret the differing source addresses of the individual connections as a reconnection after a failure (which may, for instance, expire the session) or as an attack attempt (in which case the service may become unavailable).

This problem can be worked around by policy routing. For “problematic” services (e.g. HTTP and HTTPS) the load is balanced per host, i.e. all connections from one client are routed through the same Internet link, so that they all share a single source IP address. For all other services, load balancing per connection is applied, so that the capacity of the available links is used as efficiently as possible.

These requirements are met by two NAT traffic rules (see figure 7.33  Policy routing — load balancing optimization). In the first rule, specify the corresponding services and set the per host NAT mode. In the second rule, which applies to all other services, set the per connection NAT mode.

Figure 7.33. Policy routing — load balancing optimization
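As an added illustration (not WinRoute's own code), the following Python model shows how the ordered NAT rules in both examples above behave: a reserved interface with an optional backup link, automatic speed-weighted selection, per-host versus per-connection balancing, and a link with speed 0 Mbit/s excluded from balancing. The class names, the hash-based selection and the rule evaluation order are assumptions of this model, not Kerio's implementation.

```python
# Hypothetical model of policy routing with NAT traffic rules (not Kerio's code): rules
# are tried top-down, first match wins, and the matching rule selects the Internet link.
import hashlib
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Link:
    name: str
    speed_mbit: int          # 0 Mbit/s = excluded from automatic balancing
    up: bool = True

@dataclass
class Rule:
    services: set                                # dst ports; empty = any service
    dst_hosts: set = field(default_factory=set)  # dst IPs; empty = any host
    interface: Optional[str] = None              # fixed link; None = automatic
    allow_backup: bool = False                   # other link if fixed one is down
    per_host: bool = False                       # balance per host, not per connection

def _weighted_pick(links, key):
    """Deterministic speed-weighted choice among usable links, hashing `key`."""
    cands = [l for l in links if l.up and l.speed_mbit > 0]
    if not cands:
        return None
    h = int(hashlib.sha256(key.encode()).hexdigest(), 16) % sum(l.speed_mbit for l in cands)
    for l in cands:
        if h < l.speed_mbit:
            return l.name
        h -= l.speed_mbit

def route(rules, links, src, dst, dport, conn_id):
    """Return the name of the link chosen for this connection, or None."""
    for r in rules:
        if (r.services and dport not in r.services) or (r.dst_hosts and dst not in r.dst_hosts):
            continue
        if r.interface is not None:              # link reserved by the rule
            fixed = next(l for l in links if l.name == r.interface)
            if fixed.up:
                return fixed.name
            if not r.allow_backup:
                return None                      # reserved link failed, no backup
            return next((l.name for l in links if l.up and l.name != fixed.name), None)
        key = src if r.per_host else "%s/%s" % (src, conn_id)   # per host vs per connection
        return _weighted_pick(links, key)
    return None                                  # no rule matched

EMAIL = {25, 465, 110, 995, 143, 993}             # SMTP, POP3, IMAP and their TLS variants
LINKS = [Link("Internet 4Mbit", 4), Link("Internet 8Mbit", 8)]   # constructed sample links
```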