Copyright © 2014 NEXCOM International Co., Ltd. All Rights Reserved.
IFA 3610/IFA 2610/IFA 1610 User Manual
Chapter 3: The Network Menu
Enabled
A ticked checkbox means that the rule is enabled (default). If unchecked, the rule is only created but not activated; it can always be enabled later.
Remark
A remark or comment to explain the purpose of this rule.
A click on one of the icons will trigger an action on the respective item:
- toggle the status of the item, enabled or disabled.
- modify the item's properties.
- remove the item.
3.2.2 Policy routing
A policy route rule allows you to associate specific network addresses, zones, or services (expressed as port and protocol) with a given uplink.
The table shows all the rules already defined, with some of their properties, and the following actions for each item:
- toggle the status of the item, enabled or disabled.
- modify the item's properties.
- remove the item.
Policy routing, HTTP proxy, and uplink.
The interaction between these three components of the appliance may produce behaviour that appears strange or even wrong when clients in the zones try to access the Internet. Three points must be kept in mind to understand correctly how traffic flows to the Internet when the HTTP proxy is enabled and policy routing rules are defined:
1. The HTTP proxy uses the main uplink (i.e., it accesses the RED zone and the Internet through the main uplink).
2. The HTTP proxy "breaks" a connection from a client to a remote server into two connections: one from the client to the appliance and one from the appliance to the remote server.
3. Policy routing rules are taken into account after the traffic has gone through the HTTP proxy.
Clicking the Create a policy routing rule link opens a form that looks more complicated than the one for static routes and very similar to the firewall rule editor. This policy rule editor works much like the previous one but gives more control over the definition of the rule. Additionally, the setup of the rule is guided by several drop-down menus, which simplify entering the data in the following fields:
Source
The first drop-down menu allows you to choose the source of the traffic. Multiple entries, one per line, are accepted, but all must belong to the same type: a zone or interface, OpenVPN or L2TP users, IPs or networks, or MAC addresses. Depending on the choice, different values must be supplied. To apply the rule to all sources, select
Destination
The second drop-down menu permits the choice of the destination of the traffic, in the form of a list of IPs, networks, or OpenVPN or L2TP users. Again, by selecting
Service/Port
The next two drop-down menus allow you to specify the service, protocol, and destination port for the rule when the TCP, UDP, or TCP + UDP protocol is selected. Some predefined service/protocol/port combinations exist, like HTTP/TCP/80; it is also possible to specify a custom protocol and the ports to block, an option that proves useful when running services on ports different from the standard ones.
Protocol
The type of traffic affected by the rule: TCP, UDP, TCP+UDP, ESP, GRE, or ICMP. TCP and UDP are the most commonly used; GRE is used by tunnels, ESP by IPsec, and ICMP by the ping and traceroute commands.
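The following model, added here as an illustration and not code from the manual or the appliance, encodes the rule fields described above (source, destination, protocol, port, uplink, enabled) and the three-step proxy interaction from the note on policy routing, HTTP proxy, and uplink. It assumes that rules are evaluated on the appliance's own connection to the server once the proxy is in the path (with a constructed appliance address), that the first enabled matching rule wins, and that unmatched traffic falls back to the main uplink; it shows why a source-based HTTP rule for a client zone stops matching when the proxy is enabled, while non-HTTP traffic is still routed by the rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

MAIN_UPLINK = "main"
# Constructed address the appliance uses for its own (appliance -> server) connection; an assumption.
APPLIANCE_SRC = "198.51.100.2"

@dataclass
class PolicyRule:
    source_nets: List[str]    # "IPs or networks" source type; empty list = any source
    dest_nets: List[str]      # empty list = any destination
    protocol: str             # TCP, UDP, TCP+UDP, ESP, GRE or ICMP
    port: Optional[int]       # destination port; only meaningful for TCP/UDP/TCP+UDP
    uplink: str
    enabled: bool = True      # unticked "Enabled" checkbox = rule created but not active

@dataclass
class Flow:
    src: str
    dst: str
    protocol: str
    dport: Optional[int] = None

def _in_any(addr: str, nets: List[str]) -> bool:
    return not nets or any(ip_address(addr) in ip_network(n) for n in nets)

def rule_matches(rule: PolicyRule, flow: Flow) -> bool:
    if not rule.enabled:
        return False
    if not _in_any(flow.src, rule.source_nets) or not _in_any(flow.dst, rule.dest_nets):
        return False
    protos = ("TCP", "UDP") if rule.protocol == "TCP+UDP" else (rule.protocol,)
    if flow.protocol not in protos:
        return False
    return rule.port is None or rule.port == flow.dport

def select_uplink(rules: List[PolicyRule], flow: Flow) -> str:
    # Assumption: the first enabled matching rule wins; no match falls back to the main uplink.
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.uplink
    return MAIN_UPLINK

def route_client_flow(rules: List[PolicyRule], flow: Flow, http_proxy_enabled: bool) -> str:
    # Proxy on: an HTTP (TCP/80) client connection ends at the appliance (step 2) and the rules
    # are evaluated on the appliance's own connection to the server (step 3), sourced from the appliance.
    if http_proxy_enabled and flow.protocol == "TCP" and flow.dport == 80:
        flow = Flow(src=APPLIANCE_SRC, dst=flow.dst, protocol="TCP", dport=80)
    return select_uplink(rules, flow)
```

When auditing such a setup, compare the uplink a client flow takes with the proxy off and on: a source-zone rule that works for direct traffic can silently stop applying to proxied HTTP.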