Configuring policy routing
Article Number: 1314 | Last Updated: Thu, Aug 6, 2015 11:55 AM
Policy routing overview
This article is designed for administrators.
If the LAN is connected to the Internet by multiple links with load balancing, it may be necessary to force certain types of traffic out through a particular Interface, for example to send VoIP traffic out a different Interface than your web browsing or streaming media. This approach is called policy routing.
In Kerio Control, policy routing can be defined by conditions in traffic rules for Internet access with IP address translation (NAT).
Policy routing traffic rules are of higher priority than routes defined in the routing table.
Configuring a preferred link for email traffic
The firewall is connected to the Internet by two load-balanced links with speeds of 4 Mbit/s and 8 Mbit/s. One of the links is connected to the provider that also hosts the mail server. Therefore, all email traffic (SMTP, IMAP and POP3) is routed through this link.
Define traffic rules:
The NAT settings in the rule for email services are shown in the figure below. Allow use of a backup link in case the preferred link fails; otherwise, email services will be unavailable whenever that connection fails.
In the second rule, automatic interface selection is used, so the Internet 4 Mbit link is also used for general load balancing. Email traffic is still matched by the first rule and therefore takes the link that rule prefers. As a result, the total load is balanced efficiently between both links at all times.
If you need to reserve a link for a specific traffic type only (that is, route all other traffic through the other links), go to Interfaces and uncheck the Use for Link Load Balancing option. The link will then not be used for automatic load balancing; only traffic specified in the corresponding traffic rules will be routed through it.
Configuring an optimization of network traffic load balancing
Kerio Control provides two options for network traffic load balancing: per host and per connection.
Load balancing per connection is the more efficient option, because it makes better use of the individual links. However, this mode may cause problems with services where multiple connections are established at the same moment (web pages and other web-related services): the connections leave through different links with different public addresses, and the server may treat the changing source address as connection recovery after a failure or as an attack attempt.
Policy routing bridges this problem. For the problematic services (e.g. HTTP and HTTPS) the load is balanced per host, i.e. all connections from one client are routed through a single Internet link so that their source IP address stays identical. For all other services, load balancing per connection is applied, so the capacity of the available links is used as efficiently as possible.
These requirements are met by using two NAT traffic rules:
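The following Python model illustrates the decisions described in both scenarios above: a preferred link with backup for email, a link reserved via "Use for Link Load Balancing", per-host balancing for HTTP/HTTPS, and speed-weighted per-connection balancing for everything else. It is an added example, not Kerio Control code; the link names, the rule fields, the 1-slot-per-Mbit weighting and the use of SHA-256 to pin a host to a link are assumptions made for the illustration (ports 25/110/143 are the standard SMTP/POP3/IMAP ports, 53 is used as a sample "other" service).

```python
"""Illustrative model of policy-routing decisions over load-balanced links.

Added example, not Kerio Control's implementation. Link names, rule fields,
the weighting scheme and the hashing are assumptions for illustration.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass
class Link:
    """An Internet interface; its speed acts as the load-balancing weight."""
    name: str
    speed_mbit: int
    up: bool = True
    use_for_load_balancing: bool = True  # the 'Use for Link Load Balancing' option


@dataclass
class Rule:
    """A NAT traffic rule matched on destination port (assumed rule shape).

    mode is one of:
      'preferred'      - fixed link, optionally falling back to a backup link
      'per_host'       - all connections from one client share a link
      'per_connection' - automatic interface selection per connection
    """
    name: str
    dst_ports: frozenset
    mode: str
    preferred_link: Optional[str] = None
    allow_backup: bool = True


class PolicyRouter:
    """Evaluates rules in order; first match wins, like a firewall rule set."""

    def __init__(self, links, rules):
        self.links = {link.name: link for link in links}
        self.rules = list(rules)
        self._turn = 0  # round-robin position for per-connection balancing

    def _weighted_slots(self):
        # Only links that are up and allowed for balancing take part; one slot
        # per Mbit/s, so a 4 Mbit and an 8 Mbit link split traffic 1:2.
        return [link.name
                for link in self.links.values()
                if link.up and link.use_for_load_balancing
                for _ in range(link.speed_mbit)]

    def _per_connection(self):
        slots = self._weighted_slots()
        if not slots:
            return None
        choice = slots[self._turn % len(slots)]
        self._turn += 1
        return choice

    def _per_host(self, src_ip):
        # Deterministic choice from the client address keeps every connection
        # of one host on the same link (hence the same public IP address).
        slots = self._weighted_slots()
        if not slots:
            return None
        digest = hashlib.sha256(src_ip.encode()).digest()
        return slots[int.from_bytes(digest[:4], "big") % len(slots)]

    def route(self, src_ip, dst_port):
        """Return the name of the outgoing link, or None if nothing is usable."""
        for rule in self.rules:
            if dst_port not in rule.dst_ports:
                continue
            if rule.mode == "preferred":
                link = self.links[rule.preferred_link]
                if link.up:
                    return link.name
                # Preferred link failed: use a backup only if the rule allows it.
                return self._per_connection() if rule.allow_backup else None
            if rule.mode == "per_host":
                return self._per_host(src_ip)
            return self._per_connection()
        # No explicit rule matched: automatic interface selection.
        return self._per_connection()


def build_router(link8_up=True, reserve_link8=False):
    """Constructed sample setup: 4 Mbit and 8 Mbit links, email preferred on the
    8 Mbit link (the provider hosting the mail server), web balanced per host."""
    links = [
        Link("Internet 4 Mbit", 4),
        Link("Internet 8 Mbit", 8, up=link8_up,
             use_for_load_balancing=not reserve_link8),
    ]
    rules = [
        Rule("Email", frozenset({25, 110, 143}), "preferred",
             preferred_link="Internet 8 Mbit", allow_backup=True),
        Rule("Web", frozenset({80, 443}), "per_host"),
    ]
    return PolicyRouter(links, rules)


if __name__ == "__main__":
    router = build_router()
    print("SMTP  ->", router.route("10.0.0.5", 25))
    print("HTTPS ->", router.route("10.0.0.5", 443))
    print("DNS   ->", [router.route("10.0.0.5", 53) for _ in range(6)])
```

Running the module shows email pinned to the 8 Mbit link, HTTPS from one client always on the same link, and other traffic alternating across both links in a 1:2 ratio. Marking the 8 Mbit link down moves email onto the 4 Mbit backup; reserving it with `reserve_link8=True` removes it from automatic balancing while the email rule can still use it.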