
Using Policy-based Routing

Novell Cool Solutions: Tip
By Christian Schwarz


Posted: 17 Nov 2005

Problem

A reader asked the following question:

"While testing policy-based routing, I realized that if I enforce the use of the HTTP proxy (transparent), and I set up a policy stating that port 80 must flow through any other gateway (having multiple ISPs), the traffic always goes out through the public interface of the box regardless of the policy.

In other words, I would like to use the content engine to prohibit certain sites but route HTTP traffic through another point in the network that is NOT the public address of the box. Is there any workaround to make that happen?"

Solution

Here's the solution suggested by Christian Schwarz:

You can employ policy-based routing together with the HTTP, SMTP and POP3 proxies in NSM version 6.001 and later.

What is the benefit of policy-based routing? When your company has two different connections to the Internet, e.g., a dedicated line with unlimited traffic and a DSL line with a traffic limit, you can split your traffic between them. For example, you can route all HTTP traffic (normally the largest share of your traffic) over the dedicated line and route the remaining traffic (SMTP, POP3, etc.) over DSL.

Configuring Policy-based Routing

The following step-by-step instructions describe how to configure policy-based routing while the proxy functionality is in use at the same time.

1. Create your secondary Internet access, e.g., a DSL line terminated by a router in front of NSM.

2. Create the gateway IP as a host definition.

3. In NSM, access Webadmin -> Network -> Routing -> Policy-based Routing. Here's a sample for HTTP configuration:

Source: External Address (the one the default gateway is on)
Source Interface: Any
Destination: Any
Service: HTTP
Target: the gateway IP of your secondary interface (the interface itself may have no gateway configured, because only one default gateway can be defined), or the PPPoE interface address

4. Define an SNAT rule that replaces the source address of this traffic with the address of the new target interface, so that replies return over the secondary line.

Webadmin -> Network -> NAT/Masquerading
Source: external address of the primary line
Destination: any
Service: HTTP
Change source to: external address of the secondary interface

In the same manner you can create policy-based routing for SMTP or POP3; only the service in the two definitions needs to be changed.

Example of DSL Routing

Here is an example that routes HTTP proxy traffic through a DSL connection:

PBR:
Source: External Address (200.200.200.200)
Source Interface: Any
Destination: Any
Service: HTTP
Target: Your second Gateway (192.168.200.253)

SNAT rule:
Source: External Address (200.200.200.200)
Destination: Any
Service: HTTP
Change Source to: Internal address (192.168.200.254)
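Added here as an illustration, not code from the tip or from NSM itself: a small Python evaluator that models the PBR and SNAT rules of the DSL example as first-match tables and shows why step 4 (the SNAT rule) is needed for proxy-originated flows. The default gateway 200.200.200.1 and the destination 198.51.100.10 are constructed values, not from the tip.

```python
from dataclasses import dataclass

# Addresses from the DSL example in the tip
PRIMARY_EXT = "200.200.200.200"   # external address of the primary line
DSL_GATEWAY = "192.168.200.253"   # secondary gateway (the DSL router)
DSL_INTERNAL = "192.168.200.254"  # NSM's own address on the DSL segment
DEFAULT_GW = "200.200.200.1"      # assumed default gateway of the primary line (constructed)
# Which NSM address a packet must carry to get a symmetric reply via each gateway
SOURCE_FOR_GATEWAY = {DEFAULT_GW: PRIMARY_EXT, DSL_GATEWAY: DSL_INTERNAL}
SERVICES = {"HTTP": ("tcp", 80), "SMTP": ("tcp", 25), "POP3": ("tcp", 110)}

# Rule tuples mirror the Webadmin fields: (source, destination, service, target)
PBR_RULES = [(PRIMARY_EXT, "Any", "HTTP", DSL_GATEWAY)]
SNAT_RULES = [(PRIMARY_EXT, "Any", "HTTP", DSL_INTERNAL)]

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

def proxy_flow(dst, service):
    """A connection the transparent proxy opens on behalf of a client: it leaves
    NSM with the external address as source, which is why the PBR rule in the
    tip matches on that address rather than on the clients' internal IPs."""
    proto, port = SERVICES[service]
    return Flow(PRIMARY_EXT, dst, proto, port)

def first_match(rules, flow, default):
    """First matching rule wins; return its target, or the default."""
    for src, dst, service, target in rules:
        if (src in ("Any", flow.src) and dst in ("Any", flow.dst)
                and SERVICES[service] == (flow.proto, flow.dport)):
            return target
    return default

def egress(flow, pbr=PBR_RULES, snat=SNAT_RULES):
    """Return (gateway, post-NAT source, consistent). The pair is consistent when
    the source matches the interface the chosen gateway sits on; otherwise the
    reply comes back over the other line, or the ISP drops the foreign source."""
    gateway = first_match(pbr, flow, DEFAULT_GW)
    source = first_match(snat, flow, flow.src)
    return gateway, source, SOURCE_FOR_GATEWAY[gateway] == source

if __name__ == "__main__":
    print(egress(proxy_flow("198.51.100.10", "HTTP")))  # HTTP via DSL, SNATed
    print(egress(proxy_flow("198.51.100.10", "SMTP")))  # SMTP stays on the primary line
    print(egress(proxy_flow("198.51.100.10", "HTTP"), snat=[]))  # step 4 omitted
```

The third call reproduces the reader's situation before step 4: the HTTP flow is steered to the DSL gateway but still carries the primary external address, so the path is inconsistent.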


Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2014 Novell