# Routing

# Advanced Routing

From FWCloud-UI you can carry out the routing administration. In traditional routing, the route that packets follow is obtained solely on the basis of their destination. It is possible to create more specific routes based on other factors such as source address, firewall marks, traffic type, protocols, access list, packet size, or other criteria. For that, we need to create routing tables and a routing policy; this is what is known as advanced routing or policy routing. From FWCloud-UI we can create and manage these routes and rules with all the power provided by its graphical environment and visual features. We access these features from the Routing section of the firewalls created in FWCloud-UI.

Routing Section

Routing tables and policy are described in the next sections of this document.

# Routing Tables

We classify the routes in tables. To create a new table, we go to Routing, TABLES and select New table.

New Routing Table

In the form presented we can select the table "main", predefined by the system, or create a new custom table. All tables require a unique identifier. For our customized tables we can select a number between 1 and 250. They also require a name that identifies the table. Optionally, we can add a comment to the table definition.

Routing Tables Form

If we select a table we can add routes to it. If the table has no routes, we can press the New Route button next to the "Empty table warning":

First Routing Route

Alternatively, we can right-click on the table name and then click New route in the context menu:

New Routing Route

We are presented with a form that includes a Route type selector. There are currently two route types:

  • Global: requires Gateway (next-hop). This creates a route with (Any) in the To field, so it behaves as a default route.
  • Link: requires both To and Interface, and does not require a gateway.

When creating a route in Link mode, the To field accepts address objects, ranges, networks, hosts, groups, DNS objects, OpenVPN objects and prefixes, WireGuard objects and prefixes, and IPSec objects and prefixes. The Interface field only accepts interface objects.

In both modes, drag and drop is used to assign objects to each field.

Link form:

In Link mode, multiple selections are allowed in the To input field.

New Routing Route Link Form

Global form:

New Routing Route Global Form

When using Global mode, the created route will have the value (Any) in the To field. It represents a default route that uses the selected gateway.

Routing Route

When working with a cluster, this rule has one more field, Apply to. It lets us select whether the table is installed on all the nodes of the cluster or only on a specific node.

Routing Route in clusters

We can see the rule that will be installed in the router by right-clicking on the route number and clicking Compile selected route.

The routing compiler preview supports both route types (Global and Link). For link routes, the gateway can be empty while the interface is mandatory.

Compiling Routing Route

Compilation Routing Route

To adjust the routes to our needs, we can make them more specific by modifying the To field.

This field admits more than one object. Here we can use IP addresses, IP ranges, networks, hosts, groups, DNS objects, and OpenVPN/WireGuard/IPSec connections and prefixes.

Tuned Routing Route

We can add as many routes as we need to the routing tables. We can also use any of the visual features of FWCloud-UI to define our routing table and make it clearer and more readable: copy and paste, moving routes, changing their color, disabling and enabling them, and creating groups to contain some of the routes.

Routing Route Options

Tuned Routing Table

# Routing Policy

To specify different paths used to route network traffic depending on the type of traffic or its source address, we need to classify this traffic using routing rules and then tell the system to find the most appropriate route in one routing table or another.

If the routing policy is empty, we can create the first rule by pressing the Create new rule button.

New Routing Rule

Because the rules make use of the routing tables, we cannot create a new rule until we have defined at least one routing table (see Routing Tables in the previous section); otherwise FWCloud-UI will show us the following warning:

Routing Rule Error

When creating a new rule, we need to select a routing table from the drop-down list and specify a FWCloud-UI object to restrict the traffic that will use the selected table to look up the proper route.

Routing Rule Form

The created rule will appear in the routing policy table.

Routing Rule

We can right-click on the number of a rule and select Compile selected rule, and FWCloud-UI will show us the rule or rules that will be installed.

The compiled output for routing rules now also includes the priority attribute. This value defines the rule evaluation order in the routing policy (lower values are processed first).

Routing Rule Compilation
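The lookup order described above, modelled as an added example (not FWCloud-UI code and not its compiler output): rules are tried in ascending priority, and inside the selected table the most specific route wins, with a Global route acting as the default. All names, addresses and priorities are constructed; the fall-through to the next rule when a table has no matching route is Linux policy-routing behaviour, assumed here for the target firewall.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    to: str              # destination prefix; "0.0.0.0/0" stands for (Any) in a Global route
    gateway: str = ""    # next hop: required for Global, may be empty for Link
    interface: str = ""  # required for Link

@dataclass(frozen=True)
class Rule:
    priority: int  # lower values are processed first
    source: str    # From field, reduced here to a single prefix
    table: str

# Constructed sample policy (names, addresses and priorities are assumptions).
TABLES = {
    "vpn_out": [Route("10.8.0.0/24", interface="tun0"),
                Route("0.0.0.0/0", gateway="10.8.0.1")],
    "mgmt":    [Route("192.168.50.0/24", interface="eth2")],  # Link only, no default
    "main":    [Route("192.168.1.0/24", interface="eth0"),
                Route("0.0.0.0/0", gateway="192.168.1.1")],
}
RULES = [
    Rule(32766, "0.0.0.0/0", "main"),
    Rule(100, "192.168.1.64/26", "mgmt"),
    Rule(200, "192.168.1.0/24", "vpn_out"),
]

def lookup_table(routes, dst):
    """Longest-prefix match inside one table; None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in ipaddress.ip_network(r.to)]
    return max(hits, key=lambda r: ipaddress.ip_network(r.to).prefixlen, default=None)

def resolve(src, dst, rules=RULES, tables=TABLES):
    """Return (table, route) chosen for a packet, or (None, None)."""
    addr = ipaddress.ip_address(src)
    for rule in sorted(rules, key=lambda r: r.priority):
        if addr not in ipaddress.ip_network(rule.source):
            continue
        route = lookup_table(tables[rule.table], dst)
        if route is not None:  # no match: fall through to the next rule
            return rule.table, route
    return None, None

if __name__ == "__main__":
    for src, dst in [("192.168.1.10", "8.8.8.8"), ("192.168.1.70", "192.168.50.5"),
                     ("192.168.1.70", "8.8.8.8"), ("172.16.0.5", "8.8.8.8")]:
        print(src, "->", dst, resolve(src, dst))
```

The third case is the one to review in a real policy: a source matched by a narrow rule still leaves through a broader rule's default gateway when the narrow table holds only Link routes.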

We need at least one object in the From field of each rule to act as the criterion for selecting traffic. If the rule has only one object in this field, it cannot be removed. Valid objects for this field are networks, IP addresses, IP ranges, hosts, firewall marks, VPN connections and VPN prefixes.

Routing Rules

If the routing policy is created for a cluster of firewalls, there is also an extra field, Apply to, in the policy table. We can select which rules of the table will be installed on all nodes of the cluster, which is the default behaviour, or select which particular node they apply to.

Routing Rules in a cluster

We can create a full routing policy using the visual features that FWCloud-UI provides.

Routing Rules Options

Here is a video that shows the "Apply To" feature:

## Compiling and installing

We can compile individual routing rules or routes by selecting them, right-clicking, and choosing Compile selected route or Compile selected rule respectively. This opens an information window showing the code that will be used to apply the routes and rules in the firewall, but they do not take effect yet.

To install the routing policy and the routing tables, we first need to compile and then install the firewall. This is done the same way as compiling and installing the security policy (review the Compile and Install sections of this guide). If the firewall has a routing policy or routing tables defined, they will be installed.

After compile/install operations, FWCloud-UI reloads the tree in background mode, avoiding the full-screen blocking overlay during that refresh.

Routing Installation

Routing Installation Result