Outbound Policy & Outbound/Inbound Firewall Rules - Logic

Heathy65 · July 25, 2011, 6:27pm

What is the logic used in the processing of entries/rules in the Outbound Policy and also in the Outbound/Inbound Firewall Rules?

Obviously they are both ordered lists which are checked top-down but what is the matching criteria?

Is it first match or best match and when a match is selected is the top-down search terminated?

Is the logic the same for both the Outbound Policy & also the Outbound/Inbound Firewall Rules?

FYI, my query is relevant to my Balance 30.

Lai · July 26, 2011, 8:14pm

Both Outbound Policy and Firewall Rule are first match. Once it is matched, it will terminate and won’t lookup the rules below.

Heathy65 · July 27, 2011, 1:53am

Hi,

I have the following outbound rules set:

Service:DNS, Algorithm: Enforced WAN2, Source: Any, Destination: Any, Prot/Port: UDP/53

Service:MyPC, Algorithm: Priority WAN1/WAN2: Source: 192.168.1.44, Destination: Any, Prot/Port: Any

Service:Default, Algorithm: Enforced WAN2

When WAN1 & WAN2 are both up all DNS queries are via WAN2 (which is what I want).

My problem is that when WAN2 fails the DNS queries are going via WAN1 (for queries from my PC on 192.168.1.44).

It is the 2nd rule that is routing DNS queries to WAN1 (since if I disable this rule then DNS queries fail when WAN2 is down, which is what I want).

Based on the assumption that 1st match is used I don’t see that the 2nd rule (or any others) should have any effect because the 1st rules is a match (regardless of the destination WAN connection being down).

Regards,

Ian

Heathy65 · August 13, 2011, 3:39am

Lai, can I please have an update on this?

Hootan_Rastkar · August 13, 2011, 4:44am

You have enforced DNS Protocol to WAN2. so in any case it goes through WAN2. if WAN2 fails your DNS query fails also. this is a normal behavior of enforced policy.

Heathy65 · August 13, 2011, 5:30am

Hi,

That is what I expect/want to happen, but that is not the case.

With my configuration, when WAN2 is down the DNS queries are going via WAN1 (which I don’t want).

Regards,

Ian

Lai · August 15, 2011, 1:07pm

in WAN configuration pages, you should have configured DNS Server IP addresses there. Peplink will add the system weighted balance outbound rules for those DNS servers on top of the user defined Custom Rules.

If the computer are querying the public DNS server directly which same as the DNS configured in WAN Connection page, the DNS query will follow the system outbound rules. Therefore, it won’t meet your enforce rule.

If the computer are querying DNS through Peplink’s LAN IP (Peplink DNS proxy), it will not go through Outbound Policy.