Policy and Static Routes

See the Policy Routes section for related information on the policy route screens.

Policy Route

Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator. Policy-based routing is applied to incoming packets on a per interface basis, prior to the normal routing.

Benefits

Routing Policy

Individual routing policies are used as part of the overall IPPR process. A policy defines the matching criteria and the action to take when a packet meets the criteria. The action is taken only when all the criteria are met. The criteria can include the user name, source address and incoming interface, destination address, schedule, IP protocol (ICMP, UDP, TCP, etc.) and port.

The actions that can be taken include:

IPPR follows the existing packet filtering facility of RAS in style and in implementation.

NAT and SNAT

NAT (Network Address Translation, RFC 1631) is the translation of the IP address in a packet in one network to a different IP address in another network. Use SNAT (Source NAT) to change the source IP address in one network to a different IP address in another network.

Port Triggering

Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side. With regular port forwarding, you set the port(s) and IP address to forward a service (coming in from the remote server) to a client computer. The problem is that port forwarding only forwards a service to a single IP address. In order to use the same service on a different computer, you have to manually replace the client computer's IP address with another client computer's IP address.

Port triggering allows the client computer to take turns using a service dynamically. Whenever a client computer's packets match the routing policy, it can use the pre-defined port triggering setting to connect to the remote server without manually configuring a port forwarding rule for each client computer.

Port triggering is used especially when the remote server responds using a different port from the port the client computer used to request a service. The ZyWALL records the IP address of a client computer that sends traffic to a remote server to request a service (incoming service). When the ZyWALL receives a new connection (trigger service) from the remote server, the ZyWALL forwards the traffic to the IP address of the client computer that sent the request.

Note: You need to create a firewall rule to allow an incoming service before using a port triggering rule.
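The request-then-trigger sequence described above, modelled as an added example (not ZyWALL code): an outbound request that matches a rule's incoming service records the requesting client, and a later inbound connection on the trigger service is forwarded to that client. The rule values and addresses are constructed; the check that only the server the client actually contacted may trigger the forward is an assumption added here, not a behaviour the page states.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class TriggerRule:
    """One Port Triggering row: the service the client requests and the service the server opens back."""
    incoming_proto: str   # Incoming Service protocol (client -> remote server)
    incoming_port: int    # Incoming Service destination port
    trigger_proto: str    # Trigger Service protocol (remote server -> ZyWALL)
    trigger_port: int     # Trigger Service destination port

@dataclass
class PortTrigger:
    rules: list
    # (trigger_proto, trigger_port) -> (client IP, remote server IP) remembered from the request
    _pending: dict = field(default_factory=dict)

    def outbound(self, client_ip: str, server_ip: str, proto: str, dport: int) -> bool:
        """Client -> remote server. Record who asked, so the matching trigger can be sent back to it."""
        for r in self.rules:
            if (r.incoming_proto, r.incoming_port) == (proto, dport):
                # the most recent requester takes its turn; an earlier client is replaced
                self._pending[(r.trigger_proto, r.trigger_port)] = (client_ip, server_ip)
                return True
        return False

    def inbound(self, server_ip: str, proto: str, dport: int) -> Optional[str]:
        """New connection arriving on the outgoing interface. Return the client to forward it to,
        or None when nothing was requested. Assumption (not on the page): only the server the
        client contacted may trigger the forward; anything else is left to the firewall rules."""
        entry = self._pending.get((proto, dport))
        if entry is None or entry[1] != server_ip:
            return None
        return entry[0]
```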

Maximize Bandwidth Usage

The maximize bandwidth usage option allows the ZyWALL to divide up any available bandwidth on the interface (including unallocated bandwidth and any allocated bandwidth that a policy route is not using) among the policy routes that require more bandwidth.

When you enable maximize bandwidth usage, the ZyWALL first makes sure that each policy route gets up to its bandwidth allotment. Next, the ZyWALL divides up an interface's available bandwidth (bandwidth that is unbudgeted or unused by the policy routes) depending on how many policy routes require more bandwidth and on their priority levels. When only one policy route requires more bandwidth, the ZyWALL gives the extra bandwidth to that policy route.

When multiple policy routes require more bandwidth, the ZyWALL gives the highest priority policy routes the available bandwidth first (as much as they require, if there is enough available bandwidth), and then to lower priority policy routes if there is still bandwidth available. The ZyWALL distributes the available bandwidth equally among policy routes with the same priority level.
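The two-phase split just described, worked through as an added example (not ZyWALL code): every route first receives up to its allotment, then any leftover interface bandwidth goes to routes that still want more, highest priority first and split equally within a priority level. A route whose Maximum Bandwidth is 0 is treated as priority 0 (the highest), as the Bandwidth Priority field describes. The per-route demand figures, route names and link speed are constructed inputs.

```python
from dataclasses import dataclass
from itertools import groupby

@dataclass
class Route:
    name: str
    max_bw: int    # Maximum Bandwidth in kbps from the edit screen; 0 = no limitation
    priority: int  # Bandwidth Priority 1..7, smaller number = higher priority
    demand: int    # constructed input: kbps the route's traffic currently offers

def effective_priority(r: Route) -> int:
    # A route with Maximum Bandwidth 0 is treated as priority 0, the highest.
    return 0 if r.max_bw == 0 else r.priority

def allocate(link_kbps: int, routes: list, maximize: bool = True) -> dict:
    """Split an interface's bandwidth among policy routes in two phases.

    Phase 1: in priority order, each route gets up to its allotment (max_bw, or its whole
    demand when max_bw is 0), never more than it wants or than the link has left.
    Phase 2 (only with Maximize Bandwidth Usage): leftover bandwidth goes to routes that
    still want more, highest priority first; within one priority level it is split equally,
    and a route needing less than its equal share releases the rest to its peers.
    Returns {route name: kbps}.
    """
    by_prio = sorted(routes, key=effective_priority)
    alloc, left = {}, link_kbps
    for r in by_prio:
        allot = r.demand if r.max_bw == 0 else min(r.max_bw, r.demand)
        alloc[r.name] = min(allot, left)
        left -= alloc[r.name]
    if not maximize:
        return alloc   # whatever is left stays reserved for traffic matching no policy route
    for _, group in groupby(by_prio, key=effective_priority):
        # routes with the smallest remaining need go first so their unused share flows to peers
        needy = sorted((r for r in group if r.demand > alloc[r.name]),
                       key=lambda r: r.demand - alloc[r.name])
        for i, r in enumerate(needy):
            give = min(r.demand - alloc[r.name], left // (len(needy) - i))
            alloc[r.name] += give
            left -= give
    return alloc
```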

Reserving Bandwidth for Non-Bandwidth Class Traffic

Do the following three steps to configure the ZyWALL to allow bandwidth for traffic that does not match a policy route.

IP Routing Policy Setup

Network > Routing > Policy Route 

Label
Description
Enable BWM
This is a global setting for enabling or disabling bandwidth management on the ZyWALL. You must enable this setting to have individual policy routes or application patrol policies apply bandwidth management.
This same setting also appears in the AppPatrol > General screen. Enabling or disabling it in one screen also enables or disables it in the other screen.
#
This is the number of an individual policy route.
User
This is the name of the user (group) object from which the packets are sent. any means all users.
Schedule
This is the name of the schedule object. none means the route is active at all times if enabled.
Incoming
This is the interface on which the packets are received.
Source
This is the name of the source IP address (group) object. any means all IP addresses.
Destination
This is the name of the destination IP address (group) object. any means all IP addresses.
Service
This is the name of the service object. any means all services.
Next-Hop
This is the next hop to which packets are directed. It helps forward packets to their destinations and can be a router, VPN tunnel, outgoing interface or trunk.
SNAT
This is the source IP address that the route uses.
It displays none if the ZyWALL does not perform NAT for this route.
BWM
This is the maximum bandwidth allotted to the policy. 0 means there is no bandwidth limitation for this route.
Add icon
Click the Add icon in the heading row to add a new first entry.
The Active icon displays whether the rule is enabled or not. Click the Active icon to activate or deactivate the policy.
Click the Edit icon to go to the screen where you can edit the routing policy on the ZyWALL.
Click the Add icon in an entry to add a rule below the current entry.
Click the Remove icon to delete an existing routing policy from the ZyWALL. A window displays asking you to confirm that you want to delete the routing policy.
In a numbered list, click the Move to N icon to display a field, type the number of the position where you want to put that rule, and press [ENTER] to move the rule to that position.
The ordering of your rules is important as they are applied in order of their numbering.
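How the criteria in the Routing Policy section combine, and why the numbering in this table matters, shown as an added example (not ZyWALL code): a rule matches only when every criterion it sets is met (any matches everything), rules are tried in order, and the first match fixes the next hop and SNAT. Rule contents, addresses and user names are constructed; the schedule is reduced to an assumed already-evaluated active flag.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

ANY = "any"

@dataclass(frozen=True)
class Packet:
    user: str
    iface: str       # incoming interface
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class PolicyRoute:
    """One row of the Policy Route table; unset criteria are 'any' as on the screen."""
    user: str = ANY
    incoming: str = ANY
    source: str = ANY                    # CIDR or 'any'
    destination: str = ANY               # CIDR or 'any'
    service: Union[tuple, str] = ANY     # (proto, port) or 'any'
    schedule_active: bool = True         # assumed: the schedule object evaluated for "now"
    next_hop: str = "auto"
    snat: Optional[str] = None           # None is displayed as 'none': no NAT for this route
    enabled: bool = True

    def matches(self, p: Packet) -> bool:
        if not (self.enabled and self.schedule_active):
            return False
        def in_net(net: str, ip: str) -> bool:
            return net == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(net)
        return (self.user in (ANY, p.user)
                and self.incoming in (ANY, p.iface)
                and in_net(self.source, p.src)
                and in_net(self.destination, p.dst)
                and (self.service == ANY or self.service == (p.proto, p.dport)))

def route(policies: list, p: Packet):
    """Try rules in numbered order; the first match decides. None means fall back to normal routing."""
    for n, pr in enumerate(policies, 1):
        if pr.matches(p):
            return n, pr.next_hop, pr.snat
    return None
```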

Policy Route Edit

Click Network > Routing to open the Policy Route screen. Then click the Add or Edit icon to open the Policy Route Edit screen.

Network > Routing > Policy Route > Edit 

Label
Description
Configuration
 
Enable
Select this to activate the policy.
Description
Enter a descriptive name of up to 31 printable ASCII characters for the policy.
Criteria
 
User
Select a user name or user group from which the packets are sent. Select Create Object to configure a new user account (see User Add/Edit for details).
Incoming Interface
Click Change... to select an interface or VPN tunnel through which the incoming packets are received.
Source Address
Select a source IP address object or select Create Object to configure a new one.
Destination Address
Select a destination IP address object or select Create Object to configure a new one.
Schedule
Select a schedule or select Create Object to configure a new one (see Schedules for details).
Service
Select a service or service group from the drop-down list box. Select Create Object to add a new service. See Service Add/Edit for more information.
Next-Hop
 
Type
Select Auto to have the ZyWALL use the routing table to find a next-hop and forward the matched packets automatically.
Select Gateway to route the matched packets to the next-hop router or switch you specified in the Gateway field. You have to set up the next-hop router or switch as a HOST address object first.
Select VPN Tunnel to route the matched packets via the specified VPN tunnel.
Select Trunk to route the matched packets through the interfaces in the trunk group based on the load balancing algorithm.
Select Interface to route the matched packets through the specified outgoing interface to a gateway (which is connected to the interface).
Gateway
This field displays when you select Gateway in the Type field. Select a HOST address object. The gateway is an immediate neighbor of your ZyWALL that will forward the packet to the destination. The gateway must be a router or switch on the same segment as your ZyWALL's interface(s).
VPN Tunnel
This field displays when you select VPN Tunnel in the Type field. Select a VPN tunnel through which the packets are sent to the remote network that is connected to the ZyWALL directly.
Trunk
This field displays when you select Trunk in the Type field. Select a trunk group to have the ZyWALL send the packets via the interfaces in the group.
Interface
This field displays when you select Interface in the Type field. Select an interface to have the ZyWALL send traffic that matches the policy route through the specified interface.
Address Translation
 
Source Network Address Translation
Select none to not use NAT for the route.
Select outgoing-interface to use the IP address of the outgoing interface as the source IP address of the packets that match this route. If you select outgoing-interface, you can also configure port trigger settings for this interface.
Otherwise, select a pre-defined address (group) to use as the source IP address(es) of the packets that match this route.
Select Create Object to configure a new address (group) to use as the source IP address(es) of the packets that match this route.
Port Triggering
 
#
This is the rule index number.
Incoming Service
Select the service that the client computer sends to a remote server.
The incoming service should have the same service or protocol type as what you configured in the Service field.
Trigger Service
Select a service that a remote server sends. It causes (triggers) the ZyWALL to forward the traffic (received on the outgoing interface) to the client computer that requested the service.
Add icon
Click the Add icon in the heading row to add a new first entry.
Click the Add icon in an entry to add a rule below the current entry.
Click the Remove icon to delete an existing rule from the ZyWALL. A window displays asking you to confirm that you want to delete the rule.
In a numbered list, click the Move to N icon to display a field, type the number of the position where you want to put that rule, and press [ENTER] to move the rule to that position.
The ordering of your rules is important as they are applied in order of their numbering.
Bandwidth Shaping
This allows you to allocate bandwidth to a route and prioritize traffic that matches the routing policy.
You must also enable bandwidth management in the main policy route screen (Network > Routing > Policy Route) in order to apply bandwidth shaping.
Maximum Bandwidth
Specify the maximum bandwidth (from 1 to 1048576) allowed for the route in kbps. If you enter 0 here, there is no bandwidth limitation for the route.
If the sum of the bandwidths for routes using the same next hop is higher than the actual transmission speed, lower priority traffic may not be sent if higher priority traffic uses all of the actual bandwidth.
Bandwidth Priority
Enter a number between 1 and 7 to set the priority for traffic. The smaller the number, the higher the priority. If you set the maximum bandwidth to 0, the bandwidth priority will be changed to 0 after you click OK. That means the route has the highest priority and will get all the bandwidth it needs up to the maximum available.
A route with higher priority is given bandwidth before a route with lower priority.
If you set routes to have the same priority, then bandwidth is divided equally amongst those routes.
Maximize Bandwidth Usage
Select this check box to have the ZyWALL divide up all of the interface's unallocated and/or unused bandwidth among the policy routes that require bandwidth. Do not select this if you want to reserve bandwidth for traffic that does not match a bandwidth class.
OK
Click OK to save your changes back to the ZyWALL.
Cancel
Click Cancel to exit this screen without saving.

IP Static Routes

The ZyWALL has no knowledge of the networks beyond the network that is directly connected to it. Static routes let you tell the ZyWALL about the networks beyond the one connected to it directly.

Static Route Summary

Network > Routing > Static Route 

Label
Description
#
This is the number of an individual static route.
Destination
This is the destination IP address.
Subnet Mask
This is the IP subnet mask.
Next-Hop
This is the IP address of the next-hop gateway or the interface through which the traffic is routed. The gateway is a router or switch on the same segment as your ZyWALL's interface(s). The gateway helps forward packets to their destinations.
Metric
This is the route's priority among the ZyWALL's routes. The smaller the number, the higher priority the route has.
Add icon
Click the Add icon to go to the screen where you can set up a static route on the ZyWALL.
Click the Edit icon to go to the screen where you can edit the static route on the ZyWALL.
Click the Remove icon to delete an existing static route from the ZyWALL. A window displays asking you to confirm that you want to delete the static route.

Edit a Static Route

Select a static route index number and click Edit. Use this screen to configure the required information for a static route.

Network > Routing > Static Route > Edit 

Label
Description
Destination IP
This parameter specifies the IP network address of the final destination. Routing is always based on network number. If you need to specify a route to a single host, use a subnet mask of 255.255.255.255 in the subnet mask field to force the network number to be identical to the host ID.
Subnet Mask
Enter the IP subnet mask here.
Gateway IP
Select the radio button and enter the IP address of the next-hop gateway. The gateway is a router or switch on the same segment as your ZyWALL's interface(s). The gateway helps forward packets to their destinations.
Interface
Select the radio button and a predefined interface through which the traffic is sent.
Metric
Metric represents the "cost" of transmission for routing purposes. IP routing uses hop count as the measurement of cost, with a minimum of 1 for directly connected networks. Enter a number that approximates the cost for this link. The number need not be precise, but it must be between 1 and 15. In practice, 2 or 3 is usually a good number.
OK
Click OK to save your changes back to the ZyWALL.
Cancel
Click Cancel to exit this screen without saving.
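Static route selection as the Destination IP and Metric fields describe it, as an added example (not ZyWALL code): routing is by network number, so the most specific matching route wins, a 255.255.255.255 mask turns an entry into a single-host route, and among equally specific routes the lower metric is preferred. Metrics outside 1 to 15 are rejected. Networks, gateways and the tunnel name are constructed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class StaticRoute:
    """One row of the Static Route table."""
    destination: str    # Destination IP (network address)
    subnet_mask: str    # Subnet Mask; 255.255.255.255 makes this a host route
    next_hop: str       # Gateway IP, or an interface / tunnel name (constructed)
    metric: int         # 1..15, smaller number = preferred

    def __post_init__(self):
        if not 1 <= self.metric <= 15:
            raise ValueError("metric must be between 1 and 15")

    def network(self) -> ipaddress.IPv4Network:
        # strict=False tolerates a destination with host bits set in the mask
        return ipaddress.ip_network(f"{self.destination}/{self.subnet_mask}", strict=False)

def lookup(routes: list, dst_ip: str) -> Optional[StaticRoute]:
    """Pick the route whose network contains dst_ip: longest prefix first, then lowest metric."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for r in routes:
        net = r.network()
        if ip not in net:
            continue
        key = (net.prefixlen, -r.metric)
        if best is None or key > best[0]:
            best = (key, r)
    return best[1] if best else None
```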