Configure a Policy Route

A policy route overrides the normal routing table for traffic matching specific criteria (source, destination, port, protocol). Use cases:

  • Send all traffic from one LAN out a specific WAN (even though the default route would pick differently).
  • Force specific applications through a VPN tunnel.
  • Steer voice traffic out a dedicated link.

Policy routes are checked before the normal routing table. If a packet matches a policy route, it follows that route. Otherwise, the regular routing table applies.

Before You Start

  • You know the source / destination / service criteria that should match.
  • The interface you want the traffic to exit through is already configured.
  • You understand that policy routes are evaluated top-down — order matters.

Steps

  1. Network → Policy Routes → + Create New.
  2. Fill in:
    • If incoming traffic matches:
      • Protocol — any, TCP, UDP, etc.
      • Incoming Interface — where the traffic enters (e.g. internal).
      • Source Address / Mask — source subnet (e.g. 10.0.0.0/24) or 0.0.0.0/0.0.0.0 for any.
      • Destination Address / Mask — destination subnet (or any).
      • Destination Ports — port range, e.g. 80-443 for web only.
      • Type of Service — usually leave blank.
    • Then:
      • Action — Forward Traffic (the usual choice) or Stop Policy Routing (skip policy routes for this match and use normal routing instead).
      • Outgoing Interface — where to send it.
      • Gateway Address — next hop on that interface.
  3. Status — Enabled.
  4. Click OK.
  5. Drag to the right position in the list (top = checked first).

CLI Equivalent

config router policy
edit 1
    set input-device "internal"
    set src "10.0.0.0/255.255.255.0"
    set dst "0.0.0.0/0.0.0.0"
    set protocol 6           # 6 = TCP
    set start-port 80
    set end-port 443
    set output-device "wan2"
    set gateway 198.51.100.1
next
end

Verify

diagnose firewall proute list
# Lists active policy routes in order.

# Test from the source — flow should leave via the policy-routed interface:
diagnose sniffer packet wan2 'src 10.0.0.5 and dst 8.8.8.8' 4
# Run while generating traffic from 10.0.0.5 to 8.8.8.8. Packets should appear.

Use Case Example

"Force all traffic from the Sales VLAN through the secondary WAN":

config router policy
edit 5
    set input-device "sales-vlan"
    set src "10.0.10.0/255.255.255.0"
    set dst "0.0.0.0/0.0.0.0"
    set output-device "wan2"
    set gateway 198.51.100.1
next
end

Now Sales clients go out wan2 regardless of the default route on wan1.

Common Issues

  • Policy route exists but traffic still uses the default route. The match criteria are too narrow, so the traffic doesn't actually match. Use diagnose debug flow to trace one packet; it will show whether the policy route was hit.
  • Policy route applied but traffic dies. No firewall policy permits the flow on the new outgoing interface. Add a firewall policy too.
  • Asymmetric routing. Return traffic comes back on the original WAN and is dropped because it doesn't match the session state. Either policy-route both directions or accept asymmetric routing (rarely advisable).
  • Order matters. A broad policy route higher in the list shadows narrower ones below it. Put narrow rules higher.
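To make the top-down evaluation from the Steps and the order caveat above concrete, here is a small Python model of first-match policy-route selection. It is an added example, not FortiOS code or output; the route list (the Sales route from the use case plus a constructed UDP 5060 Stop Policy Routing exception) and the sample packets are made up for illustration.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Constructed model of top-down policy-route evaluation (first match wins), using the
# field names from the Steps above. Protocol numbers as in the CLI: 6 = TCP, 17 = UDP, 0 = any.
@dataclass
class PolicyRoute:
    seq: int                      # list position: 1 is checked first
    input_device: str
    src: str                      # address/mask as in the CLI, e.g. "10.0.10.0/255.255.255.0"
    dst: str = "0.0.0.0/0.0.0.0"
    protocol: int = 0             # 0 = any protocol
    start_port: int = 1
    end_port: int = 65535
    action: str = "forward"       # "forward" (Forward Traffic) or "stop" (Stop Policy Routing)
    output_device: Optional[str] = None
    gateway: Optional[str] = None

    def matches(self, in_dev: str, src_ip: str, dst_ip: str, proto: int, dport: int) -> bool:
        if self.input_device != in_dev:
            return False
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        if self.protocol and self.protocol != proto:
            return False
        # Ports only mean something for TCP/UDP; other protocols skip the port check.
        return proto not in (6, 17) or self.start_port <= dport <= self.end_port

def select_egress(routes: list, in_dev: str, src_ip: str, dst_ip: str,
                  proto: int, dport: int) -> str:
    """Egress for one packet: the output device of the first matching policy route, or
    "routing-table" when nothing matches or a Stop Policy Routing entry is hit first."""
    for r in sorted(routes, key=lambda r: r.seq):
        if r.matches(in_dev, src_ip, dst_ip, proto, dport):
            return "routing-table" if r.action == "stop" else r.output_device
    return "routing-table"

# Constructed list: the Sales route from the use case, plus a narrower Stop Policy Routing
# entry intended to keep Sales SIP signalling (UDP 5060) on the normal routing table.
SALES_ALL = PolicyRoute(0, "sales-vlan", "10.0.10.0/255.255.255.0",
                        output_device="wan2", gateway="198.51.100.1")
SALES_SIP = PolicyRoute(0, "sales-vlan", "10.0.10.0/255.255.255.0",
                        protocol=17, start_port=5060, end_port=5060, action="stop")

# Broad rule on top shadows the SIP exception; narrow rule on top lets both take effect.
BROAD_FIRST = [replace(SALES_ALL, seq=1), replace(SALES_SIP, seq=2)]
NARROW_FIRST = [replace(SALES_SIP, seq=1), replace(SALES_ALL, seq=2)]
```

With the broad Sales route on top, the SIP exception never fires and SIP traffic still exits wan2; dragging the narrow Stop Policy Routing entry above it restores normal routing for SIP while everything else from the Sales VLAN still leaves via wan2.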