Policy and Static Routes
See the Policy Routes section for related information on the policy route screens.
Policy Route
Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator. Policy-based routing is applied to incoming packets on a per interface basis, prior to the normal routing.
Benefits
- Source-Based Routing - Network administrators can use policy-based routing to direct traffic from different users through different connections.
- Bandwidth Shaping - Organizations can allocate bandwidth to traffic that matches the routing policy and prioritize traffic.
- Cost Savings - IPPR allows organizations to distribute interactive traffic on high-bandwidth, high-cost paths while using low-cost paths for batch traffic.
- Load Sharing - Network administrators can use IPPR to distribute traffic among multiple paths.
- NAT - The ZyWALL performs NAT by default for traffic going to or from the ge1 interface. Routing policy's SNAT allows network administrators to have traffic received on a specified interface use a specified IP address as the source IP address.
Routing Policy
Individual routing policies are used as part of the overall IPPR process. A policy defines the matching criteria and the action to take when a packet meets the criteria. The action is taken only when all the criteria are met. The criteria can include the user name, source address and incoming interface, destination address, schedule, IP protocol (ICMP, UDP, TCP, etc.) and port.
The actions that can be taken include:
IPPR follows the existing packet filtering facility of RAS in style and in implementation.
NAT and SNAT
NAT (Network Address Translation, RFC 1631) is the translation of the IP address in a packet in one network to a different IP address in another network. Use SNAT (Source NAT) to change the source IP address in one network to a different IP address in another network.
Port Triggering
Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side. With regular port forwarding, you set the port(s) and IP address to forward a service (coming in from the remote server) to a client computer. The problem is that port forwarding only forwards a service to a single IP address. In order to use the same service on a different computer, you have to manually replace the client computer's IP address with another client computer's IP address.
Port triggering allows client computers to take turns using a service dynamically. Whenever a client computer's packets match the routing policy, it can use the pre-defined port triggering setting to connect to the remote server without manually configuring a port forwarding rule for each client computer.
Port triggering is used especially when the remote server responds using a different port from the port the client computer used to request a service. The ZyWALL records the IP address of a client computer that sends traffic to a remote server to request a service (incoming service). When the ZyWALL receives a new connection (trigger service) from the remote server, the ZyWALL forwards the traffic to the IP address of the client computer that sent the request.
Note: You need to create a firewall rule to allow an incoming service before using a port triggering rule.
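The following is an added illustration of the port triggering behaviour described above, written here as a small Python model; it is not ZyWALL firmware code, and the service numbers and addresses are constructed. It shows why triggering differs from a fixed port forward: the reply goes to whichever client most recently requested the service, and a connection from a server nobody asked is forwarded to no one.

```python
# Constructed model of a ZyWALL port triggering rule; not the device's code.
# Service, rule and address values are made up for illustration.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Service:
    proto: str  # "tcp" or "udp"
    port: int


@dataclass
class PortTriggerRule:
    incoming: Service  # service the client sends to the remote server
    trigger: Service   # service the remote server sends back on another port
    # remote server IP -> LAN client that most recently requested the service
    requesters: dict = field(default_factory=dict)

    def on_outbound(self, client_ip, server_ip, svc):
        """Client -> server packet leaving the outgoing interface.

        Returns True when it matched the incoming service and was recorded.
        A later client replaces an earlier one: clients take turns."""
        if svc != self.incoming:
            return False
        self.requesters[server_ip] = client_ip
        return True

    def on_inbound(self, server_ip, svc):
        """New connection arriving from a remote server on the outgoing interface.

        Returns the LAN address to forward to, or None when nothing triggered it
        (wrong service, or no client ever asked that server), so unsolicited
        traffic is not forwarded to anyone."""
        if svc != self.trigger:
            return None
        return self.requesters.get(server_ip)


def take_turns():
    """Two LAN clients use one rule in turn; the last requester gets the reply."""
    rule = PortTriggerRule(incoming=Service("tcp", 6000), trigger=Service("udp", 7000))
    rule.on_outbound("192.168.1.10", "203.0.113.5", Service("tcp", 6000))
    first = rule.on_inbound("203.0.113.5", Service("udp", 7000))   # 192.168.1.10
    rule.on_outbound("192.168.1.20", "203.0.113.5", Service("tcp", 6000))
    second = rule.on_inbound("203.0.113.5", Service("udp", 7000))  # 192.168.1.20
    stray = rule.on_inbound("198.51.100.9", Service("udp", 7000))  # None
    return first, second, stray
```

The firewall rule that the note above requires for the incoming service is outside this model; it only tracks which client the trigger service is forwarded to.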
Maximize Bandwidth Usage
The maximize bandwidth usage option allows the ZyWALL to divide up any available bandwidth on the interface (including unallocated bandwidth and any allocated bandwidth that a policy route is not using) among the policy routes that require more bandwidth.
When you enable maximize bandwidth usage, the ZyWALL first makes sure that each policy route gets up to its bandwidth allotment. Next, the ZyWALL divides up an interface's available bandwidth (bandwidth that is unbudgeted or unused by the policy routes) depending on how many policy routes require more bandwidth and on their priority levels. When only one policy route requires more bandwidth, the ZyWALL gives the extra bandwidth to that policy route.
When multiple policy routes require more bandwidth, the ZyWALL gives the highest priority policy routes the available bandwidth first (as much as they require, if there is enough available bandwidth), and then to lower priority policy routes if there is still bandwidth available. The ZyWALL distributes the available bandwidth equally among policy routes with the same priority level.
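The two-step allocation just described, worked through in an added Python model (not ZyWALL code). Routes carry the Maximum Bandwidth and Bandwidth Priority values from the Policy Route Edit screen; the per-route demand figures and the rule that step 1 serves routes in priority order when allotments exceed the link speed are assumptions made for the model.

```python
# Constructed model of ZyWALL bandwidth shaping with and without
# "maximize bandwidth usage"; not the device's firmware code.
from dataclasses import dataclass


@dataclass
class PolicyRoute:
    name: str
    max_kbps: int     # Maximum Bandwidth field; 0 means no limit
    priority: int     # 1 (highest) to 7; becomes 0 when max_kbps is 0
    demand_kbps: int  # constructed: how much the matching traffic wants to send


def allocate(routes, link_kbps, maximize):
    """Return {route name: kbps} granted on one outgoing interface."""
    by_prio = sorted(routes, key=lambda r: r.priority)
    alloc = {r.name: 0 for r in routes}
    free = link_kbps
    # Step 1: every route gets up to its allotment, highest priority first.
    # If the allotments exceed the link speed, lower priority routes get less
    # (or nothing), as the Maximum Bandwidth field description warns.
    for r in by_prio:
        want = r.demand_kbps if r.max_kbps == 0 else min(r.demand_kbps, r.max_kbps)
        give = min(want, free)
        alloc[r.name] += give
        free -= give
    if not maximize:
        return alloc  # leftover stays reserved for non-bandwidth-class traffic
    # Step 2: hand out unbudgeted/unused bandwidth one priority level at a time,
    # splitting it equally among same-priority routes that still need more.
    groups = {}
    for r in by_prio:
        groups.setdefault(r.priority, []).append(r)
    for prio in sorted(groups):
        needy = [r for r in groups[prio] if r.demand_kbps > alloc[r.name]]
        while needy and free > 0:
            share = free // len(needy)
            if share == 0:
                break  # less than 1 kbps per route left; stop
            for r in list(needy):
                give = min(share, r.demand_kbps - alloc[r.name])
                alloc[r.name] += give
                free -= give
                if alloc[r.name] == r.demand_kbps:
                    needy.remove(r)
    return alloc
```

With routes voip (200 kbps, priority 1, wants 300), web (300, priority 3, wants 600) and backup (100, priority 3, wants 500) on a 1000 kbps link, step 1 grants 200/300/100 and, with maximize enabled, the leftover 400 kbps goes 100 to voip first and then 150 each to web and backup.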
Reserving Bandwidth for Non-Bandwidth Class Traffic
Do the following three steps to configure the ZyWALL to allow bandwidth for traffic that does not match a policy route.
IP Routing Policy Setup
Policy Route Edit
Click Network > Routing to open the Policy Route screen. Then click the Add or Edit icon to open the Policy Route Edit screen.
Network > Routing > Policy Route > Edit
Configuration
- Enable: Select this to activate the policy.
- Description: Enter a descriptive name of up to 31 printable ASCII characters for the policy.
Criteria
- User: Select a user name or user group from which the packets are sent. Select Create Object to configure a new user account (see User Add/Edit for details).
- Incoming Interface: Click Change... to select an interface or VPN tunnel through which the incoming packets are received.
- Source Address: Select a source IP address object or select Create Object to configure a new one.
- Destination Address: Select a destination IP address object or select Create Object to configure a new one.
- Schedule: Select a schedule or select Create Object to configure a new one (see Schedules for details).
- Service: Select a service or service group from the drop-down list box. Select Create Object to add a new service. See Service Add/Edit for more information.
Next-Hop
- Type: Select Auto to have the ZyWALL use the routing table to find a next-hop and forward the matched packets automatically. Select Gateway to route the matched packets to the next-hop router or switch you specified in the Gateway field. You have to set up the next-hop router or switch as a HOST address object first. Select VPN Tunnel to route the matched packets via the specified VPN tunnel. Select Trunk to route the matched packets through the interfaces in the trunk group based on the load balancing algorithm. Select Interface to route the matched packets through the specified outgoing interface to a gateway (which is connected to the interface).
- Gateway: This field displays when you select Gateway in the Type field. Select a HOST address object. The gateway is an immediate neighbor of your ZyWALL that will forward the packet to the destination. The gateway must be a router or switch on the same segment as your ZyWALL's interface(s).
- VPN Tunnel: This field displays when you select VPN Tunnel in the Type field. Select a VPN tunnel through which the packets are sent to the remote network that is connected to the ZyWALL directly.
- Trunk: This field displays when you select Trunk in the Type field. Select a trunk group to have the ZyWALL send the packets via the interfaces in the group.
- Interface: This field displays when you select Interface in the Type field. Select an interface to have the ZyWALL send traffic that matches the policy route through the specified interface.
Address Translation
- Source Network Address Translation: Select none to not use NAT for the route. Select outgoing-interface to use the IP address of the outgoing interface as the source IP address of the packets that match this route. If you select outgoing-interface, you can also configure port trigger settings for this interface. Otherwise, select a pre-defined address (group) to use as the source IP address(es) of the packets that match this route. Select Create Object to configure a new address (group) to use as the source IP address(es) of the packets that match this route.
Port Triggering
- #: This is the rule index number.
- Incoming Service: Select the service that the client computer sends to a remote server. The incoming service should have the same service or protocol type as what you configured in the Service field.
- Trigger Service: Select a service that a remote server sends. It causes (triggers) the ZyWALL to forward the traffic (received on the outgoing interface) to the client computer that requested the service.
- Add icon: Click the Add icon in the heading row to add a new first entry. Click the Add icon in an entry to add a rule below the current entry. Click the Remove icon to delete an existing rule from the ZyWALL. A window displays asking you to confirm that you want to delete the rule. In a numbered list, click the Move to N icon to display a field to type a number for where you want to put that rule and press [ENTER] to move the rule to the number that you typed. The ordering of your rules is important as they are applied in order of their numbering.
Bandwidth Shaping
- Bandwidth Shaping: This allows you to allocate bandwidth to a route and prioritize traffic that matches the routing policy. You must also enable bandwidth management in the main policy route screen (Network > Routing > Policy Route) in order to apply bandwidth shaping.
- Maximum Bandwidth: Specify the maximum bandwidth (from 1 to 1048576) allowed for the route in kbps. If you enter 0 here, there is no bandwidth limitation for the route. If the sum of the bandwidths for routes using the same next hop is higher than the actual transmission speed, lower priority traffic may not be sent if higher priority traffic uses all of the actual bandwidth.
- Bandwidth Priority: Enter a number between 1 and 7 to set the priority for traffic. The smaller the number, the higher the priority. If you set the maximum bandwidth to 0, the bandwidth priority will be changed to 0 after you click OK. That means the route has the highest priority and will get all the bandwidth it needs up to the maximum available. A route with higher priority is given bandwidth before a route with lower priority. If you set routes to have the same priority, then bandwidth is divided equally amongst those routes.
- Maximize Bandwidth Usage: Select this check box to have the ZyWALL divide up all of the interface's unallocated and/or unused bandwidth among the policy routes that require bandwidth. Do not select this if you want to reserve bandwidth for traffic that does not match a bandwidth class.
- OK: Click OK to save your changes back to the ZyWALL.
- Cancel: Click Cancel to exit this screen without saving.
IP Static Routes
The ZyWALL has no knowledge of the networks beyond the network that is directly connected to it. Static routes let you tell the ZyWALL about the networks that lie beyond the directly connected network.
Static Route Summary
Edit a Static Route
Select a static route index number and click Edit. Use this screen to configure the required information for a static route.