LANCOM Support Knowledgebase Document No. 1904.0415.2455.MMÜL - V1.20

Automatic deactivation of a policy-based routing rule in the firewall if the associated Internet connection fails


Description:
In scenarios with multiple Internet connections, it may be necessary to route certain traffic over a particular Internet connection. This can be realized with policy-based routing.

However, if the associated Internet connection fails, the data will continue to be routed over a connection that no longer exists. The communication therefore fails.

This document describes how to automatically deactivate a policy-based routing rule if the associated Internet connection fails and reactivate it when the Internet connection is established again.

This procedure is suitable for scenarios in which traffic should fall back to the default route with routing tag 0 when the Internet connection used by policy-based routing fails. A typical scenario would feature two Internet connections.

After deactivating the policy-based routing rule, the traffic is transmitted via the Internet connection with routing tag 0. If this is not possible (e.g. because routing tag 0 was assigned to a load balancer with more than two Internet connections), the routing tag in the firewall rule must be rewritten by means of the Action Table instead of activating/deactivating the firewall rule. This is described in a separate article.



Requirements:
  • Router with at least two configured and functional Internet connections
  • Previously configured and functional policy-based routing (described in a separate document)
  • Tool for accessing the router CLI (e.g. PuTTY)


Procedure:

1) Set up the Action Table to automatically activate/deactivate the policy-based routing rule:

1.1) Open the configuration for the router in LANconfig and switch to the menu item Communication -> General -> Action table.



1.2) Create a new entry and enter the following information so that the firewall rule is automatically deactivated following the failure of the Internet connection.
  • Name: Enter a descriptive name.
  • Remote site: From the drop-down menu, set the Remote site to the Internet connection that the policy-based routing rule uses for routing the traffic.
  • Condition: Set the drop-down menu for Condition to End (disc. or broken).
  • Action: Enter the following command to deactivate the firewall rule:

    exec: set Setup/IP-Router/Firewall/Rules/<Name of the Firewall rule> {firewall-rule} no



1.3) Create an additional entry and enter the following information so that the firewall rule is automatically activated after the Internet connection is established.
  • Name: Enter a descriptive name.
  • Remote site: From the drop-down menu, set the Remote site to the Internet connection that the policy-based routing rule originally used for routing the traffic.
  • Condition: Set the drop-down menu for Condition to Establish.
  • Action: Enter the following command to activate the firewall rule:

    exec: set Setup/IP-Router/Firewall/Rules/<Name of the Firewall rule> {firewall-rule} yes



1.4) Write the configuration back to the router.



2) Optional: Testing the commands on the CLI

We recommend that you test the functionality of the commands saved in Steps 1.2 and 1.3 in advance.
    Important:
    From the CLI, the commands are specified without exec:.


2.1) Connect to the router’s CLI and enter the following commands.
  • Deactivating the firewall rule:

    set Setup/IP-Router/Firewall/Rules/<Name of the Firewall rule> {firewall-rule} no
  • Activating the firewall rule:

    set Setup/IP-Router/Firewall/Rules/<Name of the Firewall rule> {firewall-rule} yes
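
The effect of the two Action Table entries from steps 1.2 and 1.3, as an added example that is not part of the LANCOM document: a simplified Python model (not LCOS code) of a router with two Internet connections, showing where matching traffic goes before, during and after a failure. The remote site names INTERNET1 and INTERNET2, the rule name PBR-VOIP and routing tag 1 are assumptions made for the illustration.

```python
# Added illustration: a simplified model, not LCOS code. Names are constructed.
from dataclasses import dataclass, field

RULE = "Setup/IP-Router/Firewall/Rules/PBR-VOIP"  # constructed rule name
END, ESTABLISH = "End (disc. or broken)", "Establish"
ACTIONS = [  # the two Action Table entries from steps 1.2 and 1.3
    ("INTERNET2", END, f"exec: set {RULE} {{firewall-rule}} no"),
    ("INTERNET2", ESTABLISH, f"exec: set {RULE} {{firewall-rule}} yes"),
]

@dataclass
class Router:
    actions: list                      # (remote site, condition, action)
    links_up: dict = field(default_factory=lambda: {"INTERNET1": True, "INTERNET2": True})
    tag_to_remote: dict = field(default_factory=lambda: {0: "INTERNET1", 1: "INTERNET2"})
    rule_tag: int = 1                  # routing tag set by the firewall rule
    rule_active: bool = True           # the rule's {firewall-rule} column

    def run(self, action):
        """Apply 'exec: set <rule path> {firewall-rule} yes|no'."""
        if not action.startswith("exec:"):
            raise ValueError("Action Table commands need the exec: prefix")
        verb, path, column, value = action[len("exec:"):].split()  # CLI form
        if (verb, path, column) != ("set", RULE, "{firewall-rule}") or value not in ("yes", "no"):
            raise ValueError(f"unexpected command: {action!r}")
        self.rule_active = value == "yes"

    def link_event(self, remote, condition):
        """Change a link's state and fire every matching Action Table entry."""
        self.links_up[remote] = condition == ESTABLISH
        for site, cond, action in self.actions:
            if (site, cond) == (remote, condition):
                self.run(action)

    def route(self):
        """Remote site carrying traffic that matches the rule; None if it is lost."""
        tag = self.rule_tag if self.rule_active else 0
        remote = self.tag_to_remote[tag]
        return remote if self.links_up[remote] else None

def failover_trace(actions):
    """Routing result before the failure, during it, and after recovery."""
    router, trace = Router(list(actions)), []
    for condition in (None, END, ESTABLISH):
        if condition:
            router.link_event("INTERNET2", condition)
        trace.append(router.route())
    return trace
```

Calling `failover_trace([])` models the router without the Action Table entries, and `failover_trace(ACTIONS)` models it with them; the middle element of each result is the outage.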


    Catchwords: policy based routing; firewall; deactivate; deactivation; automatic