A. WAN1/WAN2 Interface and LAN NAT/Routing host. B. VPN Host and LAN NAT Host. C. An example using Part A and B

This document introduces the Load-Balance/RoutePolicy. In real world, we need various kinds of routing rules to fulfill many different usages, and the Load-Balance/RoutePolicy is aiming to provide an integrated solution. There will be 6 parts in this note. In the first 5 parts we will talk about 1 usage each, and in the last part we will talk about the frequently asked questions. If you find your usage is not clearly described or is beyond these 6 parts, please do not hesitate to contact us for further assistance. The 6 parts are: A. WAN1/WAN2 Interface and LAN NAT/Routing host B. VPN Host and LAN NAT Host C. An example using Part A and B D. LAN NAT Host to Another LAN NAT Host via WAN E. VoIP Service to Muliti-PVCs VoIP Servers F. Frequently Asked Questions 1/24

In the Web UI, we put the Load-Balance/RoutePolicy in the top menu, and this is a screenshot from a Vigor2860: In the following contents, we will always use thisvigor2860 as the primary router to demonstrate the Load-Balance/RoutePolicy. 2/24

Part A. WAN1/WAN2 Interface and LAN NAT/Routing Host 3/24

1. We may take the DNS server 8.8.8.8 as the example, and the scenario is we want LAN 1 / LAN 3 clients reach 8.8.8.8 via WAN1. a. Tick to Enable. b. Choose the Protocol.The default value is any. c. Set the Source IP Start/End to limit the applied source IP addresses. If you choose any, this rule will be applied to all source IP addresses. In this case we use the IP addresses in LAN 1. d. Set the DestinationIP Start/End. If you choose any, this rule will be applied to all destination IP addresses. In this case we use 8.8.8.8 as the single destination IP. e. Set the Destination Port Start/End. If you choose any, this rule will be applied to all destination ports. In this case we use any. f. Choose the out going interface. In this case we use WAN1. g. Set the gateway IP. In this case we use the default gateway. 4/24

h. About Auto Failover To The Other WAN, tick this item so the traffics will be sent via another WAN automatically when WAN1 is down. i. There can be 2 possible usages: i. For LAN 1 NAT subnet, please choose force NAT, ii. For LAN3Routing subnet, please choose force Routing. j. Click OK to save. 2. We can see the traffic was sent out via WAN1, and with this result, the configuration is confirmed to be functional. 5/24

Note: To set destination IP address as an IP range,we may set the Dest IP as a range: Please note that the Port range may also be applied if required. 6/24

Part B. VPN Host and LAN NAT host 1. Sometimes we may have some VPN services, and we would like to set some rules so only certain user(s)/device(s)is eligible to use the VPN service. With Load- Balance/RoutePolicy, it can be done easily! 7/24

a. Set the Src IP. Here we set the IP address of the IPTV, so only the IPTV will be eligible to use the VPN service. To fix the IP address for the certain LAN client, please go to LAN>>Bind IP to MAC. b. We may do an nslookup to find the IP address of the Netflix server, and set the IP into Dest IP Start/End. c. Set the Destination Port Start/End. In this case we use any. d. Make sure the VPN tunnel is up, and then choose the VPN service in Interface. e. In this case, the Netflix service is available only when the VPN interface is up, and thus it s not required to tick Auto Failover To The Other WAN. 8/24

2. And now, we may do a trace route test to verify if the rule is applied: The trace route result shows the rule has been applied successfully, that the traffic to the Netflix server is sent via the VPN tunnel. 3. Or, if we want to limit that only certain users (for example, some managers in the company) may use the VPN service, we may set the profile like this: 9/24

Part C. An Example using Part A and B The requirements are: I. When LAN 1 clients access to the Internet, the router do NAT and the traffics go via WAN 1. II. When LAN 1 clients access to the Private Network, the router do Routing and the traffics go via WAN 2. III. When WAN 1 is down, traffics to the Internet should auto failover to WAN 2. IV. When WAN 2 is down, a LAN-to-LAN VPN tunnel should get established via WAN1 to the Private Network, and traffics to the Private Network should go via the VPN tunnel. 10/24

1. To fulfill the requirements, we edit 2 rules: 2. Index 1 fulfill the requirement II, a. When LAN 1 clients access to the Private Network, the traffics should be sent via WAN 2. b. Leave Auto Failover disabled, so when WAN2 disconnected, the traffics to the Private Network won t go via WAN 1 (should go via the VPN tunnel). c. Choose force Routing so the traffics will be routed to the Private Network. 11/24

3. Index 2 fulfills requirement I and III, a. When LAN 1 clients access to the Internet (we set the destination as any), the traffics should be sent via WAN 1. b. When WAN 1 is down, the traffics will be sent via WAN 2. c. Router should do NAT for the Internet browsing. 12/24

4. To fulfill requirement IV, please create a LAN-to-LAN VPN profile to the Private Network. a. Please choose WAN 1 only, since the VPN tunnel should only be dialed out to the Private Network via WAN 1. b. Please disable always on. When WAN 2 disconnected, the router will be triggered to establish the VPN tunnel automatically whenever there are traffics from LAN clients to the Private Network. c. The VPN server should be in the Private Network. 13/24

5. The rules and VPN profile have been configured, and nowwe may do some tests to verify: a. LAN client trace route to the Private Network The LAN client is able to access to the Private Network via WAN 2. b. LAN client trace router to the Internet (8.8.8.8). The traffics to the Internet are sent via WAN 1. c. Disconnect WAN 1, and the LAN client try to access to the Internet again. The traffics to the Internet are sent via WAN 2 this time. d. Make WAN 1 connected back again, and disconnect WAN 2 this time. The LAN client try to access to the Private Network: The first ping was timed out since the VPN tunnel was not established yet. The router was then triggered by the ping packets to establish the VPN tunnel, and started with the second ping, the LAN client was able to reach the Private Network via the VPN tunnel. 14/24

Part D. LAN NAT host to another LAN NAT host via WAN The scenario is that LAN 1 clients may access the FTP server in LAN2 via the WAN 1 public IP address. This is the WAN1 detail: 15/24

1. To do so, we may to set the rule so when LAN 1 clients trying to reach WAN1, they may go out via WAN2. a. Set the Src IPStart/End for LAN 1 clients. b. Set the Dest IP Start/End as the WAN 1 public IP. c. Choose the outbound Interface as WAN2. To do the NAT loopback, please choose WAN1 as the interface. d. Tick forcenat. 16/24

2. And then, we may set the Open Port rule for the FTP server: 3. Now, the function should be work! Here we use a PC in LAN2 running the HFS software as the FTP server, and a PC in LAN1 trying to access the FTP server via the WAN1 IP address: 17/24

Part E. VoIP Service with Multi-PVCs The Load-Balance/RoutePolicy also supports routing traffics according to different PVCs. The scenario is: I. LAN customers should go to the Internet via WAN1. II. IP phones may dial to SIP services in the Internet via PVC1 => DNS lookup may be required. III. IP phones may also be able to dial to the internal SIP service via PVC2. 18/24

1. To fulfill these requirements, we edit multiple rules: Now let s look into each rules. 2. Index 1 routes the traffics going from IP phones to the iptel server via WAN1. 19/24

3. When IP phones dialing to the iptel server, a DNS lookup may be applied, and thus we also need to edit rules to make sure the DNS lookup traffics going through WAN1. a. Before editing the routing rules, we need to make sure which DNS servers the LAN clients may use: b. And then, we may edit 2 routing rules for these 2 DNS servers: i. For DNS server 168.95.1.1 20/24

ii. For DNS server 8.8.8.8 21/24

4. Besides dialing to the iptel server, in the rest cases the IP phones dialto the internal SIP server, and the traffics should go via WAN5: Please note that the reason we left the Dest IP as blank is, the IP phone traffics should either go to the external server, or the internal one, and we have created multiple rules to make sure the traffics heading to the external server will go via WAN1, and now the remaining traffics should only go to the internal server via WAN5, and thus it s ok to leave the Dest IP as blank. 22/24

5. Now, the rules have been created well, andwe may do some tests to verify the routing: a. PC in LAN1 trace route to 8.8.8.8 The first hop is the gateway for LAN1 clients, and the second hop is the gateway for WAN1. b. SIP phone clients trace route to 8.8.8.8 The first hop is the gateway for SIP phones, and the second hop is the gateway for WAN1. c. SIP phone clients trace route to the another internal SIP client The first hop is the gateway for SIP phones, the second hop is the gateway for WAN5, and the third hop is another internal SIP client. 23/24

Part F. Frequently Asked Questions 1. I have more than 1 rules applying to the same LAN client(s), and I want to know how do these rules been respected? Answer: The first rule (according to the index number) been hit will be applied to the LAN client(s), while the rests will be ignored. 2. What is the priority between Firewall Rule, Inter-LAN Routing, Load- Balance/RoutePolicy, and Static Route? Answer: Firewall Rules > Inter-LAN Routing > * Load-Balance/Route Policy > Static Route *: To force traffic go between different LANs with Load-Balance/Route Policy rules, make sure the Inter-LAN Routing policy is configured properly in LAN >> General Setup, so the traffics can go between the LANs. 24/24