6.5. Policy-based Routing

Home Prev	cOS Stream 4.00.03 Administration Guide	Next

Overview

Policy-based Routing (PBR) is a routing feature that provides administrators with significant flexibility in implementing routing policies by being able to use different routing tables for different traffic flows.

Normal routing forwards packets based on the destination IP address using information derived from statically configured routes or from dynamic routes added during runtime by features such as IPsec or OSPF. Instead, policy-based routing allows routes to be chosen based on other traffic characteristics in addition to the destination IP.

Policy-based routing allows the following:

Source-based Routing

A different routing table can be chosen based on the source interface and/or source IP address of the traffic. For example, when more than one ISP is used to provide Internet services, policy-based routing can route traffic originating from different sets of users through different routes.

When filtering on source IP address, traffic from one address range might be routed through one ISP while traffic from another address range might be routed through a second ISP. The same can be applied for the source interface.

Destination-based Routing

A different routing table can be chosen based on the destination network of traffic.

Destination-based routing can be combined with source-based routing so both source and destination is used to determine the routing table to use.

	Note
	As the destination interface is unknown until the route lookup has been done, policy-based routing cannot be based on the destination interface.

Service-based Routing

A routing table can be chosen based on the traffic Service, meaning the transport protocol such as TCP or UDP, together with the source and/or destination port numbers. Policy-based routing can therefore route a given protocol, such as HTTP, through proxies such as Web caches. Specific services might also be routed through a specific ISP so that one ISP handles all SNMP traffic.

Service-based routing can be combined with source-based and/or destination-based routing so that all three are considered when choosing a routing table.

Policy-based Routing Components

Policy-based routing in cOS Stream is implemented using two configuration components:

Alternate Routing Tables

The administrator defines one or more alternate RoutingTable objects in addition to the default main routing table.

These are also sometimes referred to in documentation as Named Routing Tables.
Routing Rules

One or more RoutingRule objects are created to determine which routing table to use for which traffic.

cOS Stream provides a predefined parent object called PBRRules to which RoutingRule objects are added.

Creating Alternate Routing Tables

cOS Stream has one predefined routing table called main. In addition to the main table, it is possible to define one or more, additional routing tables for policy-based routing. These will also be referred to in this document as alternate routing tables.

Alternate routing tables contain the same information for describing routes as main. Additionally, they have an extra property called Ordering. The Ordering property decides how route lookup is performed using alternate tables in conjunction with the main routing table. This is described further under the heading "The Ordering Property" below.

Example 6.7. Creating an Alternate Routing Table

In this example, a new routing table called my_pbr_table is created with the Ordering property set to First.

Command-Line Interface

To create the routing table:

System:/> add RoutingTable my_pbr_table Ordering=First

Example 6.8. Adding Routes to an Alternate Routing Table

After defining the routing table MyPBRTable, routes can be added to the table. Assume that the route to a network my_network is to be defined for the if3 interface.

Command-Line Interface

First, change the CLI context to be the routing table:

System:/> cc RoutingTable my_pbr_table

Now, add the route:

System:/RoutingTable/my_pbr_table> add Route
			Interface=if3
			Network=my_network

Finally, change back to the default CLI context:

System:/RoutingTable/my_pbr_table> cc
System:/>

Creating Routing Rules

A RoutingRule object in the routing rule set can decide which routing table is selected. By default, there is a single routing rule set defined in cOS Stream which has the object name PBRRules and all routing rules are added to it as children.

A RoutingRule has a number of filtering properties that are similar to those used in an IP rule. A rule can trigger on a type of service (HTTP for example) in combination with the specified source interface and source/destination network. Routing rules cannot be filtered on destination interface as it would not be known before route lookup.

When looking up routing rules, the rule set is searched from top to bottom and it is the first matching rule found that is triggered.

Example 6.9. Creating a Routing Rule

In this example, a routing rule called my_routing_rule is created. This will select the routing table my_pbr_table for any http traffic destined for the network my_network.

Command-Line Interface

First, change the context to be the routing rule set:

System:/> cc PBRRules

Next, add the routing rule:

System:/PBRRules> add RoutingRule
			Service=http
			SourceInterface=any
			SourceNetwork=all-nets-ip4
			DestinationNetwork=my_network
			ForwardRoutingTable=my_pbr_table
			ReturnRoutingTable=my_pbr_table
			Name=my_routing_rule

This current contents of the routing rule set can be listed:

System:/PBRRules> show

RoutingRule

  # Name Source interface Source network Destination network Service
  - ---- ---------------- -------------- ------------------- ------------
+ 1 my   any              all-nets       my_network          http

Finally, change back to the default CLI context:

System:/PBRRules> cc
System:/>

Routing Rules can use IPv4 or IPv6 Addresses

Routing rules support either IPv4 or IPv6 addresses as the source and destination network for a rule's filtering properties.

However, both the source and destination network must be either IPv4 or IPv6. It is not permissible to combine IPv4 and IPv6 addresses in a single rule. For further discussion of this topic, see Section 5.4, IPv6 Support.

For this reason it is recommended to not use the all-nets address object in a routing rule. It is better to use either all-nets-ip4 or all-nets-ip6 so that it is clear what kind of IP addresses the rule applies to.

The Forward and Return Routing Table can be Different

In most cases, the routing table for forward and return traffic will be the same. However, in some cases it can be advantageous to have different values.

Consider the example of a firewall with two hypothetical interfaces wan1 and wan2 connected to two ISPs and with a protected network if1_net on the if1 interface. All IP addresses are assumed to be IPv4.

Assume, that there are two routing tables, the main routing table and an alternate routing table called isp2_rt. The contents of these tables are shown below:

The main routing table

Index #	Interface	Network	Gateway
1	if1	if1_net
2	wan1	all-nets-ip4	isp1_ip

The isp2_rt routing table

Index #	Interface	Destination	Gateway
1	wan2	all-nets-ip4	isp2_ip

If traffic coming through wan2 is to have access to if1_net then a routing rule needs to be defined as follows:

Source Interface	Source Network	Destination Network	Forward Routing Table	Return Routing Table
wan2	all-nets-ip4	if1_net	main	isp2

This rule allows the forward traffic received through the wan2 interface to find the route for if1_net in the main routing table. The return traffic will use the isp2_rt table so it can reach the initiator of the flow.

With IPv4, this example would most likely have some address translation rules since if1_net will probably be a private IP network. For simplicity, these details have been omitted.

Interface Routing Table Membership

If a particular routing table is to be always used for traffic from a given source interface, regardless of the service, it is possible to associate the source interface explicitly with a particular routing table using the Routing Table Membership property of the interface.

The difference with this method of explicit association is that the administrator cannot specify the service, such as HTTP, for which the lookup will apply. Routing rules allow a more fine-grained approach to routing table selection by being able to also select a specific service and network filter.

The Routing Table Selection Process

When a packet corresponding to a new flow first arrives, these are the processing steps taken to determine which routing table to use:

The routing rules are looked up first. A search is made for a routing rule that matches the packet's source interface, source/destination network as well as service. If a matching rule is found then this determines the routing table to use.
If no matching routing rule is found, a check is made to see if the receiving interface is a member of a specific routing table. If the interface is associated with a particular routing table through its Routing Table Membership property, that routing table will be used. If there is no membership then the main table will be used.

The Ordering Property

When route lookups are to be performed in an alternate routing table, the Ordering property of the table decides how the alternate table is combined with the main routing table to lookup the route.

The three available options for the Ordering property are:

First

With this option, route lookups will first of all be done in the alternate routing table. If no matching route is found there, the lookup will continue in the main routing table.

Note that if a default route (a route with all-nets-ip4 or all-nets-ip6 as the network) is found in the alternate table, it will be counted as a match.
Last

The behavior for this option is to start the route lookup in the main table. If no matching route is found, or the default route is found, a lookup for a matching route in the alternate table is performed. If no match is found in the alternate table then the default route in the main table will be used.
Only

Route lookups will only be done in the alternate routing table. The existence of any other table is ignored. This is the default behavior.

This option gives the administrator a way to dedicate a single routing table to one set of interfaces.

	Important: Check that a default route exists
A common mistake when setting up policy-based routing with First or Last ordering is the absence of a default route with a destination network of all-nets-ip4 or all-nets-ip6 in the main routing table. If there is no matching route, the absence of a default route will mean that the traffic will be dropped. The need for a default route applies regardless if the routing table is selected by using a routing rule, or by using the RoutingTableMembership property.

Important: Check that a default route exists

A common mistake when setting up policy-based routing with First or Last ordering is the absence of a default route with a destination network of all-nets-ip4 or all-nets-ip6 in the main routing table. If there is no matching route, the absence of a default route will mean that the traffic will be dropped.

The need for a default route applies regardless if the routing table is selected by using a routing rule, or by using the RoutingTableMembership property.

Setting Up Policy-based Routing with Multiple ISPs

A multiple ISP scenario is a common use of policy-based routing. Consider the situation where there are two protected networks, if1_net and if2_net, on a Clavister NetShield Firewall connected to the interfaces if1 and if2 respectively.

Now, suppose that are two different ISPs, ISP A with the gateway address isp_A_gw, and ISP B with the gateway address isp_B_gw. These ISPs are connected to the firewall interfaces wan1 and wan2 respectively.

The requirement is to have hosts and clients on if1_net use only ISP A for Internet connection. Similarly, if2_net is to use only ISP B.

The contents of the main routing table will be as follows:

Interface	Network	Gateway
if1	if1_net
if2	if2_net
wan1	all-nets-ip4	isp1_gw_ip

An alternate routing table rt2 is created with the following entry:

Interface	Network	Gateway
wan2	all-nets-ip4	isp2_gw_ip

The table rt2 has its Ordering property set to Last, which means that it will only be consulted if a lookup in the main routing table gives a match with the default all-nets route.

The policy-based routing rule set contains a single rule that triggers on traffic coming from the if2_net network bound for the public Internet:

Source Interface	Source Network	Destination Network	Selected Service	Forward RoutingTable	Return Routing Table
if2	if2_net	all-nets-ip4	all_services	rt2	rt2

When the configuration objects listed above are created, the result is that flows originating from clients and hosts on if1_net and if2_net to the public Internet will be routed to the intended ISP.

Although routed correctly, the appropriate IPRule objects that are needed to allow these flows have been omitted from the description above.