The purpose of this article is to provide direction for creating static routes for various purposes. This article assumes knowledge of the different types of static routes (please refer to the manual or the Knowledge Base article "What is the difference between the static route types?" for more information). This document details two different examples: one involving routing a VPN connection and the other involving restricting web traffic to certain WAN lines.
Site-to-Site VPN connection
Typically, it is recommended to configure a static route to send traffic to a remote firewall or host (the VPN peer) over a specific WAN line to initiate a VPN connection. This is because the remote host is configured to only allow a certain IP address(es) to connect to it or initiate the VPN connection. Creating a static route using the 'Fixed' type prevents the local VPN peer (typically the local firewall) from being routed over the wrong WAN line when trying to communicate with the specified remote host.
Go to Static Routes, located in the left-hand sidebar, under Outbound Settings. Under the section labeled Static Route Entries, click the Add button. A new row will be added for the new static route rule.
For the destination network, use the specific address for the remote host. This address should be a /32 address, so the rule only applies to traffic sent to the specified host. If the source network field is simply left blank, it will be treated as "Anywhere" or 0.0.0.0/0, which applies the rule to all traffic from the LAN(s), so that all of it uses the specified WAN line when trying to connect to this host. Adding a (sub)network or a specific host under the source network field will narrow the scope of the rule further.
For the Source WAN IP or Hostname field, specify the WAN line via an alias or a specific IP address from the appropriate WAN line that is to be used when connecting to the host or network specified as the destination. Multiple source WANs can be identified; however, for the purpose of site-to-site VPNs, only include the source WAN(s) that are appropriate based on the configuration of the remote host. In this example, only a single WAN line is specified.
The Type setting determines failover behavior, and more information regarding these settings can be found in the Help pages, the manual, or other Knowledge Base articles. Fixed mode will only allow the use of the IP address(es) specified in this static route and will never attempt to use another WAN line or IP that is not specified when connecting to this host, even if the specified WAN is down. If the remote VPN peer is expecting traffic from only a single WAN line, this is the setting to choose.
Finally, the VPN setting should be enabled so VPN traffic is properly routed according to the static route rule.
Routing specific traffic over particular WAN line(s)
Most static routes identify traffic by source and/or destination addresses. However, protocol and port numbers can also be used to identify traffic for routing. These types of static routes are referred to as Static Policy Routes.
To route traffic based solely on protocol and/or port (regardless of source or destination) leave the Destination and Source fields blank, which the Ecessa appliance interprets as "Anywhere" or 0.0.0.0/0.
For this example, web traffic is to use only a particular WAN line. A rule is created specifying TCP as the protocol and the destination port configured for port 80. Source ports are usually left blank ("Any") as they are randomly selected ports. An additional rule can be created to apply to secure web traffic (HTTPS), also specifying TCP as the protocol and the destination port configured for port 443.
The Source WAN IP or Hostname field specifies the WAN alias or IP address for the WAN the traffic should be routed over. The Type field is typically set to Failback, which allows for failover to another WAN line if the line(s) specified go down, and returns to using the specified WAN line(s) when they become operational again.
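The two examples above together describe how Fixed and Failback routes choose a WAN line. The following Python model is an added illustration of those semantics, not the appliance's own code: it applies a /32 Fixed route for a VPN peer and TCP/80 and TCP/443 Failback policy routes to sample flows; the WAN aliases, addresses, route evaluation order and the behavior when no rule matches are assumptions.

```python
# Added model of the static-route semantics this article describes; not the
# appliance's implementation. WAN aliases, addresses and route order are assumed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class StaticRoute:
    wans: list                   # Source WAN IP or Hostname entries, in order
    route_type: str              # "Fixed" or "Failback"
    dst: str = "0.0.0.0/0"       # blank Destination == "Anywhere"
    src: str = "0.0.0.0/0"       # blank Source == "Anywhere"
    proto: Optional[str] = None  # None == any protocol (policy routes set this)
    dport: Optional[int] = None  # None == any destination port

    def matches(self, src_ip, dst_ip, proto, dport):
        return (ip_address(dst_ip) in ip_network(self.dst)
                and ip_address(src_ip) in ip_network(self.src)
                and self.proto in (None, proto)
                and self.dport in (None, dport))

def select_wan(routes, wan_up, src_ip, dst_ip, proto=None, dport=None):
    """Pick the WAN alias for a flow. Returns None when a Fixed route's WANs
    are all down: the flow is never sent out an unlisted line."""
    for r in routes:
        if not r.matches(src_ip, dst_ip, proto, dport):
            continue
        live = [w for w in r.wans if wan_up.get(w)]
        if live:
            return live[0]                        # a listed line is up
        if r.route_type == "Fixed":
            return None                           # never use another WAN
        others = [w for w, up in wan_up.items() if up and w not in r.wans]
        return others[0] if others else None      # Failback: any live line
    live = [w for w, up in wan_up.items() if up]  # assumed default: no match
    return live[0] if live else None

# Constructed sample configuration mirroring the article's two examples.
VPN_PEER = "203.0.113.10"                         # constructed remote VPN peer
ROUTES = [
    StaticRoute(["WAN1"], "Fixed", dst=VPN_PEER + "/32"),       # site-to-site VPN
    StaticRoute(["WAN2"], "Failback", proto="TCP", dport=80),   # HTTP policy route
    StaticRoute(["WAN2"], "Failback", proto="TCP", dport=443),  # HTTPS policy route
]

def vpn_wan(wan_up):                              # IKE traffic to the peer
    return select_wan(ROUTES, wan_up, "192.168.1.20", VPN_PEER, "UDP", 500)

def web_wan(wan_up, dport=80):                    # web traffic to a sample site
    return select_wan(ROUTES, wan_up, "192.168.1.20", "198.51.100.7", "TCP", dport)
```

With WAN1 down, the Fixed VPN route yields no WAN at all, while a web flow with WAN2 down fails over to WAN1 and returns to WAN2 once it is back up.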