UniFi Gateway - Policy-Based Routing
Policy-Based Routes are a feature in the Routing section of the UniFi Network application that lets you send traffic out of a specific interface, such as a WAN port or a VPN Client interface. This feature may also be referred to as Traffic Routes or PBR.
Requirements
- A Next-Gen UniFi gateway or UniFi Cloud Gateway
Available Options
Policy Based Routes can be configured to:
- Match an entire LAN network or a specific client device.
- Send traffic to the secondary WAN port.
- Match either all client traffic or only specific traffic, such as traffic destined for a geographical region.
Specific traffic can match on the following:
- IP address + port
- IP address range
- Domain name
- Region
Note: Domain matching requires the client devices to use the UniFi gateway as their DNS server. Traffic from a client that resolves names through another resolver will not match a domain-based route and will follow the default route instead.
Configuring Policy-Based Routes
If you're using a hub-and-spoke architecture or SASE/ZTNA, you can route all or specific internet-bound traffic through the VPN tunnel by configuring a Policy-Based Routing (PBR) rule.
Examples
Sending Streaming Traffic through a VPN
If you want to send specific streaming traffic from your Apple TV to a VPN Client tunnel, create a Policy Based Route with the following options:
- Type: Specific Traffic
- Category: Domain Name
- Domain Name: Add one or more domains used by the streaming service
- Target: Apple TV
- Interface: VPN Client
Routing All Traffic from a Virtual Network to a Secondary WAN
If you want to send all traffic from a Virtual Network to the secondary WAN port, create a Policy Based Route with the following options:
- Type: All Traffic
- Target: Select the Virtual Network name
- Interface: WAN2
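To make the matching semantics of the two configurations above concrete, the following is an added model written for this page; it is not UniFi's implementation. It evaluates a list of routes in order against a flow (source IP, destination IP, destination port), using the categories the article lists (domain name, IP address or range with optional port, region) and the two target kinds (a single client device or a whole virtual network). The client inventory, network ranges, GeoIP table, domain name and DNS cache are all constructed sample data. The domain rule is matched only against answers the gateway itself served, which reproduces the note above: a destination the client resolved elsewhere falls through to the default WAN.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample inventory (hypothetical addresses, not taken from the article).
CLIENTS = {"Apple TV": "192.168.1.50", "Laptop": "192.168.1.60", "IoT Camera": "192.168.20.10"}
NETWORKS = {"Default": "192.168.1.0/24", "IoT": "192.168.20.0/24"}
# Constructed region table (prefix -> country code) standing in for the gateway's GeoIP data.
GEO = {"203.0.113.0/24": "US", "198.51.100.0/24": "DE"}
DEFAULT_INTERFACE = "WAN"  # what a flow gets when no policy-based route matches


@dataclass(frozen=True)
class Route:
    name: str
    target: str                     # a client device name or a virtual network name
    interface: str                  # "VPN Client", "WAN2", ...
    domains: tuple = ()             # Category: Domain Name
    ip_ranges: tuple = ()           # Category: IP address / IP address range (CIDR)
    port: Optional[int] = None      # optional port, only meaningful with ip_ranges
    regions: tuple = ()             # Category: Region (country codes)

    @property
    def all_traffic(self) -> bool:
        """Type: All Traffic when no specific-traffic criteria are configured."""
        return not (self.domains or self.ip_ranges or self.regions)


def source_matches(route: Route, src_ip: str) -> bool:
    """The Target is either one client device or an entire virtual network."""
    if route.target in CLIENTS:
        return src_ip == CLIENTS[route.target]
    if route.target in NETWORKS:
        return ip_address(src_ip) in ip_network(NETWORKS[route.target])
    return False


def destination_matches(route: Route, dst_ip: str, dst_port: int, dns_cache: dict) -> bool:
    if route.all_traffic:
        return True
    dst = ip_address(dst_ip)
    # Domain rules can only match IPs the gateway learned from DNS answers it served.
    for domain in route.domains:
        for name, ips in dns_cache.items():
            if (name == domain or name.endswith("." + domain)) and dst_ip in ips:
                return True
    for cidr in route.ip_ranges:
        if dst in ip_network(cidr) and (route.port is None or route.port == dst_port):
            return True
    for cidr, country in GEO.items():
        if country in route.regions and dst in ip_network(cidr):
            return True
    return False


def select_interface(src_ip: str, dst_ip: str, dst_port: int, routes, dns_cache: dict) -> str:
    """First matching route wins; otherwise the flow follows the default WAN route."""
    for route in routes:
        if source_matches(route, src_ip) and destination_matches(route, dst_ip, dst_port, dns_cache):
            return route.interface
    return DEFAULT_INTERFACE


# The two configurations from the article plus one region-based rule, as Route objects.
ROUTES = (
    Route("Streaming via VPN", target="Apple TV", interface="VPN Client",
          domains=("streaming.example",)),
    Route("IoT via WAN2", target="IoT", interface="WAN2"),
    Route("DE destinations via VPN", target="Default", interface="VPN Client", regions=("DE",)),
)

# DNS answers the gateway served (constructed); only these IPs can satisfy a domain rule.
DNS_CACHE = {"cdn.streaming.example": {"203.0.113.10"}}


def demo() -> dict:
    return {
        "apple_tv_streaming": select_interface("192.168.1.50", "203.0.113.10", 443, ROUTES, DNS_CACHE),
        "laptop_streaming": select_interface("192.168.1.60", "203.0.113.10", 443, ROUTES, DNS_CACHE),
        # The Apple TV reached an IP it resolved elsewhere: the gateway never saw that DNS answer.
        "apple_tv_unseen_ip": select_interface("192.168.1.50", "203.0.113.11", 443, ROUTES, DNS_CACHE),
        "iot_camera_any": select_interface("192.168.20.10", "198.51.100.5", 80, ROUTES, DNS_CACHE),
        "laptop_to_de": select_interface("192.168.1.60", "198.51.100.5", 443, ROUTES, DNS_CACHE),
    }


if __name__ == "__main__":
    for flow, iface in demo().items():
        print(f"{flow}: {iface}")
```

Route order matters in this model because the first match wins, so place narrow device-specific rules ahead of broad network-wide ones. The `apple_tv_unseen_ip` case is the one to check when a domain-based route appears not to work: if the client resolves names via a third-party resolver, the gateway has no DNS answer to associate with the destination and the flow leaves through the default WAN.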
Access Cloud Services with Whitelisted IPs/IP Ranges
Configure a Policy-Based Route to match traffic destined for the specific IP addresses or IP ranges of a cloud service, so that this traffic consistently leaves through the interface whose address the service has whitelisted. This gives you secure access to the service and control over which services can be reached from within your network.
Country-Specific Content Access
Direct traffic from certain devices or applications (like a VPN client) to a VPN tunnel to access geo-restricted content. This is particularly useful for devices that do not natively support VPN connections.
Integrate with SASE/ZTNA Platforms
To enhance security, route all internet-bound traffic through a centralized hub gateway or third-party SASE/ZTNA platform for inspection and policy enforcement. This use case aligns with future support functionality.