Configure a Policy Route
A policy route overrides the normal routing table for traffic matching specific criteria (source, destination, port, protocol). Use cases:
- Send all traffic from one LAN out a specific WAN (even though the default route would pick differently).
- Force specific applications through a VPN tunnel.
- Steer voice traffic out a dedicated link.
Policy routes are checked before the normal routing table. If a packet matches a policy route, it follows that route. Otherwise, the regular routing table applies.
Before You Start
- You know the source / destination / service criteria that should match.
- The interface you want the traffic to exit through is already configured.
- You understand that policy routes are evaluated top-down — order matters.
Steps
- Network → Policy Routes → + Create New.
- Fill in:
  - If incoming traffic matches:
    - Protocol — any, TCP, UDP, etc.
    - Incoming Interface — where the traffic enters (e.g. internal).
    - Source Address / Mask — source subnet (e.g. 10.0.0.0/24) or 0.0.0.0/0.0.0.0 for any.
    - Destination Address / Mask — destination subnet (or any).
    - Destination Ports — port range, e.g. 80-443 for web only.
    - Type of Service — usually leave blank.
  - Then:
    - Action — Forward Traffic (the usual choice) or Stop Policy Routing (skip policy routes for this match and use normal routing instead).
    - Outgoing Interface — where to send it.
    - Gateway Address — next hop on that interface.
  - Status — Enabled.
- Click OK.
- Drag to the right position in the list (top = checked first).
CLI Equivalent
config router policy
edit 1
set input-device "internal"
set src "10.0.0.0/255.255.255.0"
set dst "0.0.0.0/0.0.0.0"
set protocol 6 # 6 = TCP
set start-port 80
set end-port 443
set output-device "wan2"
set gateway 198.51.100.1
next
end
Verify
diagnose firewall proute list
# Lists active policy routes in order.
# Test from the source — flow should leave via the policy-routed interface:
diagnose sniffer packet wan2 'src 10.0.0.5 and dst 8.8.8.8' 4
# Run while generating traffic from 10.0.0.5 to 8.8.8.8. Packets should appear.
Use Case Example
"Force all traffic from the Sales VLAN through the secondary WAN":
config router policy
edit 5
set input-device "sales-vlan"
set src "10.0.10.0/255.255.255.0"
set dst "0.0.0.0/0.0.0.0"
set output-device "wan2"
set gateway 198.51.100.1
next
end
Now Sales clients go out wan2 regardless of the default route on wan1.
Common Issues
- Policy route exists but traffic still uses the default route. Match criteria too narrow, so the traffic doesn't actually match. Use diagnose debug flow to trace one packet — it'll show whether the policy route hit.
- Policy route applied but traffic dies. No firewall policy permits the flow on the new outgoing interface. Add a firewall policy too.
- Asymmetric routing. Return traffic comes back on the original WAN and gets dropped because the session state doesn't match. Either policy-route both directions or accept asymmetric routing (rarely advisable).
- Order matters. A broad policy route higher in the list shadows narrower ones below. Put narrow rules higher.
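The evaluation rule from the Steps (top-down, first match wins; Stop Policy Routing or no match falls back to the routing table) and the ordering pitfall above, as an added Python example that is not FortiOS code: it parses the page's config router policy syntax and decides the egress interface for a packet. The "stop" action keyword, the vpn-tunnel interface name and a default route on wan1 are this example's own assumptions.

```python
import ipaddress
import shlex

# CLI defaults for a 'config router policy' entry; an unset field means 'any' (protocol 0 = any).
DEFAULTS = {"input-device": "", "src": "0.0.0.0/0.0.0.0", "dst": "0.0.0.0/0.0.0.0", "protocol": 0,
            "start-port": 1, "end-port": 65535, "output-device": "", "gateway": "", "action": "forward"}
INT_KEYS = {"protocol", "start-port", "end-port"}

def parse_router_policy(text):
    """Minimal parser for the page's 'config router policy' text (example code); textual order = list order."""
    routes, cur = [], None
    for line in text.splitlines():
        words = shlex.split(line.split("#")[0])          # drop a trailing '# comment', honour quoted values
        if words and words[0] == "edit":
            cur = dict(DEFAULTS, seq=int(words[1]))
        elif words and words[0] == "set" and cur is not None:
            cur[words[1]] = int(words[2]) if words[1] in INT_KEYS else words[2]
        elif words and words[0] == "next":
            routes.append(cur)
    return routes

def _in_subnet(addr, subnet):
    # ipaddress accepts the CLI's address/netmask form (10.0.0.0/255.255.255.0, 0.0.0.0/0.0.0.0)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(subnet, strict=False)

def select_egress(routes, in_dev, src, dst, protocol, dport, default_dev="wan1"):
    """Top-down, first match wins; 'stop' (Stop Policy Routing) or no match -> normal routing table (default_dev)."""
    for r in routes:
        if (r["input-device"] and r["input-device"] != in_dev) or (r["protocol"] and r["protocol"] != protocol):
            continue
        if r["start-port"] <= dport <= r["end-port"] and _in_subnet(src, r["src"]) and _in_subnet(dst, r["dst"]):
            return default_dev if r["action"] == "stop" else r["output-device"]
    return default_dev

# Constructed config: a broad 'internal -> wan2' rule placed ABOVE a narrower 'web -> vpn-tunnel' rule (hypothetical names).
SAMPLE = """config router policy
    edit 1
        set input-device "internal"
        set output-device "wan2"
    next
    edit 2
        set input-device "internal"
        set src "10.0.0.0/255.255.255.0"
        set protocol 6 # 6 = TCP
        set start-port 80
        set end-port 443
        set output-device "vpn-tunnel"
    next
end"""
```

With the broad rule on top, web traffic from 10.0.0.5 leaves via wan2 and never reaches the VPN rule; reversing the list order sends it to vpn-tunnel, which is exactly the "put narrow rules higher" point.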