Filter rules
Three policy-based routing (PBR) rules are needed in order to allow traffic through their respective IPsec tunnels.
- The first rule allows HTTP and FTP traffic to go from the internal network to the server (HTTPServer object in the example). These streams of traffic go through the router HTTPRouter (WAN1 link).
- The second rule allows production traffic (SQL traffic in the example) to go from the internal network to the server (SQLServer object in the example). These streams of traffic are directed to the gateway ProductionRouter (WAN2 link).
- The third rule is dedicated to VoIP traffic going from the internal network to the remote network. These streams of traffic go through the router VoIPRouter (WAN3 link).
Since routing to the server network was defined in the filter rules, there is no need to create a static route.

For HTTP and FTP traffic, add a rule with the following elements:
- Action (General tab): In the Action field, select the value Pass. In the Route field, select the router object HTTPRouter.
- Source (General tab): In the Source field, select the host, host group or network allowed to set up HTTP and FTP connections to the server. In the example, the selected object is Network_in.
- Destination (General tab): In the Destination field, select the host or host group hosting HTTP and FTP services. In the example, the selected object is HTTPServer.
- Port – Protocol: Select the objects corresponding to the authorized ports. In the example, HTTP and FTP have been selected.

For production (SQL) traffic, add a rule with the following elements:
- Action (General tab): In the Action field, select the value Pass. In the Route field, select the router object ProductionRouter.
- Source (General tab): In the Source field, select the host, host group or network allowed to set up connections to the production server(s). In the example, the selected object is Network_in.
- Destination (General tab): In the Destination field, select the host or host group hosting production services. In the example, the selected object is SQLServer.
- Port – Protocol: Select the objects corresponding to the authorized ports. In the example, the Databases group is used, which includes various ports for connecting to the SQL database (PostgreSQL, MySQL, etc.).

For VoIP traffic, create a filter rule with the following elements:
- Action (General tab): In the Action field, select the value Pass. In the Route field, select the router object VoIPRouter.
- Action (Quality of service tab): A DSCP value can be imposed on packets. To do so, select the option Impose value and set a customized value in the New DSCP value field (18 Class 2 in the example).
- Source (General tab): In the Source field, select the host, host group or network allowed to set up connections to the production server(s). In the example, the selected object is Network_in.
- Destination (General tab): In the Destination field, select the host, host group or network with which connections will be set up. In the example, the selected object is RemoteNetwork.
- Port – Protocol: Select the objects corresponding to the authorized ports. In the example, a VoIP group is used, containing different ports needed for VoIP.
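
The following Python sketch is an added example, not part of the original documentation or the firewall's own tooling. It models the three rules above so that the expected gateway and DSCP marking for a given flow can be checked before testing on the appliance. The IP addresses, the port numbers behind each port group, first-match evaluation and the default block when no rule matches are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed values: the page names these objects but gives no addresses or ports.
OBJECTS = {
    "Network_in": "192.168.1.0/24",
    "HTTPServer": "10.10.1.10/32",
    "SQLServer": "10.10.2.20/32",
    "RemoteNetwork": "10.20.0.0/16",
}
PORTS = {
    "HTTP+FTP": {80, 21},
    "Databases": {5432, 3306},  # PostgreSQL, MySQL (assumed group content)
    "VoIP": {5060},             # SIP signalling (assumed group content)
}

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    ports: str
    route: str                  # router object selected in the Route field
    dscp: Optional[int] = None  # value imposed in the Quality of service tab

RULES = [
    Rule("Network_in", "HTTPServer", "HTTP+FTP", "HTTPRouter"),
    Rule("Network_in", "SQLServer", "Databases", "ProductionRouter"),
    Rule("Network_in", "RemoteNetwork", "VoIP", "VoIPRouter", dscp=18),
]

def _in(obj: str, ip: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(OBJECTS[obj])

def decide(src_ip: str, dst_ip: str, dport: int):
    """Return (action, router, tos_byte) for a flow; the first matching rule wins."""
    for r in RULES:
        if _in(r.src, src_ip) and _in(r.dst, dst_ip) and dport in PORTS[r.ports]:
            # DSCP occupies the upper six bits of the IP ToS / Traffic Class byte.
            tos = r.dscp << 2 if r.dscp is not None else None
            return ("pass", r.route, tos)
    return ("block", None, None)  # assumed default when no rule matches
```

Because each rule both filters and routes, a flow to HTTPServer on a port outside the HTTP and FTP objects matches none of the three rules and is not sent to HTTPRouter.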