
UniFi Gateway - Policy-Based Routing

Policy Based Routes are a feature found in the Routing section of the UniFi Network application that allows you to send traffic to a specific destination, such as a WAN port or a VPN Client interface. This feature may also be referred to as Traffic Routes or PBR.

Requirements

Available Options

Policy Based Routes can be configured to:

    • Match an entire LAN network or a specific client device.
    • Send traffic to the secondary WAN port.
    • Match either all client traffic or only specific traffic, such as traffic destined for a geographical region.

Specific traffic can match on the following:

    • IP address + port
    • IP address range
    • Domain name
    • Region

Note: Domain matching requires the client devices to use the UniFi gateway as their DNS server; otherwise the gateway never sees the DNS lookups it needs to identify the domain's traffic.

Configuring Policy-Based Routes

If you're using a hub-and-spoke architecture or SASE/ZTNA, you can route all or specific internet-bound traffic through the VPN tunnel by configuring a Policy-Based Routing (PBR) rule.

Examples

Sending Streaming Traffic through a VPN

If you want to send specific streaming traffic from your Apple TV to a VPN Client tunnel, create a Policy Based Route with the following options:

  • Type: Specific Traffic
  • Category: Domain Name
  • Domain Name: Add one or more domains used by the streaming service
  • Target: Apple TV
  • Interface: VPN Client

Routing All Traffic from a Virtual Network to a Secondary WAN

If you want to send all traffic from a Virtual Network to the secondary WAN port, create a Policy Based Route with the following options:

  • Type: All Traffic
  • Target: Select the Virtual Network name
  • Interface: WAN2
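
The following is an added illustration, not code from Ubiquiti or the UniFi Network application: a small Python model of how a policy-based route selects the egress interface for a flow, covering the match categories listed above (all traffic, IP address + port, IP range, domain name, region) and the two worked examples (streaming traffic from an Apple TV to a VPN Client, and all traffic from a Virtual Network to WAN2). The rule-ordering, the default interface name WAN1, and the mechanism by which domain rules only match IP addresses the gateway learned while answering DNS for that domain are assumptions used to show why the DNS-server note matters.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Egress used when no policy-based route matches (assumed name).
DEFAULT_INTERFACE = "WAN1"


@dataclass
class Flow:
    src_network: str            # Virtual Network the client belongs to
    src_client: Optional[str]   # client device name, None if unknown
    dst_ip: str
    dst_port: int
    dst_region: Optional[str] = None  # e.g. "US"; geolocation lookup is assumed


@dataclass
class Route:
    name: str
    interface: str                          # e.g. "VPN Client", "WAN2"
    target_network: Optional[str] = None    # match a whole Virtual Network...
    target_client: Optional[str] = None     # ...or a single client device
    match_type: str = "all"                 # all | ip_port | ip_range | domain | region
    match_value: Optional[str] = None


class Gateway:
    def __init__(self, routes: list[Route]):
        self.routes = routes
        # domain -> IPs, learned only from DNS answers the gateway itself served
        self.dns_cache: dict[str, set[str]] = {}

    def serve_dns(self, domain: str, answers: list[str]) -> None:
        """Record a DNS answer that passed through the gateway's resolver."""
        self.dns_cache.setdefault(domain.lower(), set()).update(answers)

    def _target_matches(self, route: Route, flow: Flow) -> bool:
        if route.target_client is not None:
            return flow.src_client == route.target_client
        return flow.src_network == route.target_network

    def _traffic_matches(self, route: Route, flow: Flow) -> bool:
        kind, value = route.match_type, route.match_value
        if kind == "all":
            return True
        if kind == "ip_port":                   # "203.0.113.10:443" or "203.0.113.10"
            ip, _, port = value.partition(":")
            return flow.dst_ip == ip and (port == "" or int(port) == flow.dst_port)
        if kind == "ip_range":                  # CIDR notation assumed
            return ip_address(flow.dst_ip) in ip_network(value, strict=False)
        if kind == "domain":
            # Only IPs learned from DNS answers for the domain (or a subdomain) can match.
            # A client using an external resolver never populates this cache.
            wanted = value.lower()
            for name, ips in self.dns_cache.items():
                if (name == wanted or name.endswith("." + wanted)) and flow.dst_ip in ips:
                    return True
            return False
        if kind == "region":
            return flow.dst_region == value
        raise ValueError(f"unknown match type {kind!r}")

    def select_interface(self, flow: Flow) -> str:
        """First matching route wins (ordering assumed); otherwise the default WAN."""
        for route in self.routes:
            if self._target_matches(route, flow) and self._traffic_matches(route, flow):
                return route.interface
        return DEFAULT_INTERFACE


def demo() -> dict[str, str]:
    """Constructed scenario mirroring the examples in the article."""
    gw = Gateway([
        Route("Streaming via VPN", "VPN Client", target_client="Apple TV",
              match_type="domain", match_value="stream.example"),
        Route("IoT to WAN2", "WAN2", target_network="IoT", match_type="all"),
        Route("Cloud allow-listed range", "WAN2", target_network="Office",
              match_type="ip_range", match_value="198.51.100.0/24"),
    ])
    # Constructed sample: the Apple TV resolved the streaming CDN through the gateway.
    gw.serve_dns("cdn.stream.example", ["203.0.113.10"])
    return {
        "appletv_stream": gw.select_interface(Flow("Default", "Apple TV", "203.0.113.10", 443)),
        "laptop_same_ip": gw.select_interface(Flow("Default", "Laptop", "203.0.113.10", 443)),
        "appletv_unlearned": gw.select_interface(Flow("Default", "Apple TV", "203.0.113.99", 443)),
        "iot_any": gw.select_interface(Flow("IoT", "Sensor", "192.0.2.5", 8883)),
        "office_cloud": gw.select_interface(Flow("Office", "Desktop", "198.51.100.7", 443)),
        "office_other": gw.select_interface(Flow("Office", "Desktop", "192.0.2.5", 80)),
    }


if __name__ == "__main__":
    for case, iface in demo().items():
        print(f"{case}: {iface}")
```

The `appletv_unlearned` case is the one the DNS note is about: the Apple TV's traffic goes to the default WAN because the gateway never answered a DNS query mapping that IP to the streaming domain, so the domain rule cannot match it.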

Access Cloud Services with Whitelisted IPs/IP Ranges

Configure a Policy-Based Route to match traffic destined for specific IP addresses or IP ranges associated with cloud services. This ensures secure access and control over which services can be accessed from within your network.

Country-Specific Content Access

Direct traffic from certain devices or applications (like a VPN client) to a VPN tunnel to access geo-restricted content. This is particularly useful for devices that do not natively support VPN connections.

Integrate with SASE/ZTNA Platforms

To enhance security, route all internet-bound traffic through a centralized hub gateway or third-party SASE/ZTNA platform for inspection and policy enforcement. This use case aligns with future support functionality.

Frequently Asked Questions

I have a TV but it does not support VPNs. Can I use Policy Based Routes to send the TV's traffic over the VPN?
Yes. First configure a VPN Client to a provider of your choice and then add a Traffic Route matching the TV. See the examples section for more information.

I am using a secondary failover WAN. Can I use Policy Based Routes to send traffic to this WAN port?
Yes. See the examples section for more information.

What traffic will flow through the VPN?
By default, only traffic destined for a remote local network will flow through the tunnel. It is possible to send all or specific Internet traffic by creating a Policy-Based Routing rule.

Does UniFi support integration with SASE and/or ZTNA platforms like Zscaler or Cloudflare?
Yes. Create an IPsec Site-to-Site VPN (route-based) with the SASE/Zero-Trust exchange, and then create a Policy-Based Routing rule to send all Internet traffic through the tunnel.