Outbound Policy & Outbound/Inbound Firewall Rules - Logic

What is the logic used in the processing of entries/rules in the Outbound Policy and also in the Outbound/Inbound Firewall Rules?

Obviously they are both ordered lists which are checked top-down but what is the matching criteria?

Is it first match or best match and when a match is selected is the top-down search terminated?

Is the logic the same for both the Outbound Policy & also the Outbound/Inbound Firewall Rules?

FYI, my query is relevant to my Balance 30.

Both Outbound Policy and Firewall Rules are first match. Once a rule is matched, the lookup terminates and the rules below are not checked.


I have the following outbound rules set:

Service:DNS, Algorithm: Enforced WAN2, Source: Any, Destination: Any, Prot/Port: UDP/53

Service:MyPC, Algorithm: Priority WAN1/WAN2: Source:, Destination: Any, Prot/Port: Any

Service:Default, Algorithm: Enforced WAN2

When WAN1 & WAN2 are both up all DNS queries are via WAN2 (which is what I want).

My problem is that when WAN2 fails the DNS queries are going via WAN1 (for queries from my PC on

It is the 2nd rule that is routing DNS queries to WAN1 (since if I disable this rule then DNS queries fail when WAN2 is down, which is what I want).

Based on the assumption that 1st match is used, I don’t see that the 2nd rule (or any others) should have any effect, because the 1st rule is a match (regardless of the destination WAN connection being down).



Lai, can I please have an update on this?

You have enforced the DNS protocol to WAN2, so in any case it goes through WAN2. If WAN2 fails, your DNS query fails also. This is normal behavior for an enforced policy.


That is what I expect/want to happen, but that is not the case.

With my configuration, when WAN2 is down the DNS queries are going via WAN1 (which I don’t want).



In the WAN configuration pages, you should have configured DNS Server IP addresses. Peplink will add the system weighted balance outbound rules for those DNS servers on top of the user-defined Custom Rules.

If the computers are querying a public DNS server directly, and it is the same as the DNS configured in the WAN Connection page, the DNS query will follow the system outbound rules. Therefore, it won’t meet your enforced rule.

If the computers are querying DNS through Peplink’s LAN IP (Peplink DNS proxy), it will not go through Outbound Policy.
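
A simplified model of the first-match behaviour discussed in this thread, added here as an example (it is not Peplink's code and not from any poster). Assumptions: the IP addresses are constructed, the system rule is assumed to match on destination only, and "weighted" is reduced to "first healthy WAN" because only the failover case matters here.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    algorithm: str        # "enforced", "priority" or "weighted"
    wans: tuple           # WANs the algorithm may use, in order
    src: str = "any"
    dst: str = "any"
    proto: str = "any"
    port: object = "any"

    def matches(self, flow):
        # A field matches when the rule says "any" or equals the flow's value.
        return all(want in ("any", flow[key]) for key, want in (
            ("src", self.src), ("dst", self.dst),
            ("proto", self.proto), ("port", self.port)))

def route(rules, flow, wan_up):
    """First match wins: return (rule name, WAN); WAN is None if the flow fails."""
    for rule in rules:
        if not rule.matches(flow):
            continue
        if rule.algorithm == "enforced":
            # Enforced never fails over: a down WAN means the flow fails.
            wan = rule.wans[0] if wan_up[rule.wans[0]] else None
        else:
            # Simplification: priority and weighted both take the first healthy WAN.
            wan = next((w for w in rule.wans if wan_up[w]), None)
        return rule.name, wan      # search stops here, later rules are never read
    return None, None

PC = "192.168.1.10"          # constructed LAN address for "MyPC"
WAN_DNS = "198.51.100.53"    # constructed: DNS server set on a WAN connection page
OTHER_DNS = "203.0.113.9"    # constructed: resolver not configured on any WAN

CUSTOM = [                   # the three custom rules from the thread
    Rule("DNS", "enforced", ("WAN2",), proto="udp", port=53),
    Rule("MyPC", "priority", ("WAN1", "WAN2"), src=PC),
    Rule("Default", "enforced", ("WAN2",)),
]
# System rule placed on top of the custom rules (destination-only match is assumed).
SYSTEM = [Rule("system-dns", "weighted", ("WAN1", "WAN2"), dst=WAN_DNS)]
TABLE = SYSTEM + CUSTOM

def dns_flow(dst):
    return {"src": PC, "dst": dst, "proto": "udp", "port": 53}

if __name__ == "__main__":
    wan2_down = {"WAN1": True, "WAN2": False}
    for dst in (WAN_DNS, OTHER_DNS):
        print(dst, route(TABLE, dns_flow(dst), wan2_down))
```

In this model, a query to the WAN-configured resolver is caught by the system rule before the Enforced WAN2 rule is ever read, while a query to any other resolver hits the Enforced rule and fails when WAN2 is down.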