
UniFi Gateway - Policy-Based Routing

Policy Based Routes allow you to flexibly direct traffic through specific network interfaces—such as a particular WAN port or a VPN tunnel—based on custom rules and conditions.

For a full overview of UniFi’s Traffic and Policy Management capabilities, see here.

For a full overview of UniFi's Network and Cyber Security capabilities, see here.

Requirements

When To Use Policy-Based Routing

There are many possible applications of policy-based routing, however some of the common use-cases include:

  • Split Traffic Across WANs: Direct specific types of traffic through different WAN interfaces (e.g., WAN1 vs. WAN2).
    • Send video conferencing (Zoom, Teams) through a dedicated, low-latency fiber WAN, while all other traffic goes through the default WAN.
    • Force guest VLAN traffic to go through a filtered or throttled WAN.
  • Proxy Traffic Through VPN: Force certain devices or destinations to route through a VPN tunnel instead of the default WAN.
    • Send outbound traffic for specific services (e.g., CRM, HR portals) through a secure tunnel to a Zero-Trust Exchange (e.g., Zscaler or Cloudflare).
    • Use a VPN Client (e.g., NordVPN) to overcome geo-based content restrictions.

Configuring Policy-Based Routes

  1. Navigate to Policy-Based Routing Rules: Follow the path depending on your UniFi Network version:
    1. Network 9.4: Settings > Policy Table > Create New Policy > Route
    2. Network 9.3: Settings > Policy Engine > Policy-Based Routes > Create Route
  2. Create Name: Assign a name to the rule.
  3. Select an Interface: Choose the interface the matching traffic will be sent through: a VPN tunnel, a WAN (Internet) port, or a local network interface.
  4. (Optional) Configure the Kill Switch Toggle
    1. Enabled: If the specified interface goes down, traffic will stop completely.
    2. Disabled: If the specified interface goes down, traffic will instead flow through the default interface, or the interface with the next highest priority according to other routing rules.
  5. Configure Source and Destination: Traffic meeting all specified criteria will be routed through the interface selected in step 3.
    1. Source
      1. Any: Applies to any traffic originating from inside the local network.
      2. Device / Network: Specify certain networks (VLANs) and/or devices.
    2. Destination
      1. Any: Applies to all traffic, regardless of its destination.
      2. IP: Specify certain IP addresses or IP address ranges, and ports associated with the destination traffic.
      3. Domain: Specify one or more domains associated with the destination traffic.
        Note: Requires the client devices to use the UniFi gateway as the DNS server.
      4. Region: Specify one or more countries associated with the destination traffic.

Examples

Sending Streaming Traffic through a VPN

If you want to send specific streaming traffic from your Apple TV to a VPN Client tunnel, create a Policy Based Route with the following options:

  • Type: Specific Traffic
  • Category: Domain Name
  • Domain Name: Add one or more domains used by the streaming service
  • Target: Apple TV
  • Interface: VPN Client

Routing All Traffic from a Virtual Network to a Secondary WAN

If you want to send all traffic from a Virtual Network to the secondary WAN port, create a Policy Based Route with the following options:

  • Type: All Traffic
  • Target: Select the Virtual Network name
  • Interface: WAN2
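To make the matching and kill-switch behaviour of configuration steps 3 to 5 concrete, and to show the two examples above expressed as rule data, the following is an added Python model of how a gateway could evaluate Policy-Based Routes. It is example code written for this page, not UniFi's implementation: the field names follow the article's form, while the first-match ordering, subdomain matching, and the DNS-answer table that backs Domain rules are assumptions made for illustration. All domains and IP addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Added example (not UniFi's code): a model of Policy-Based Route evaluation.
# Matching semantics below are assumptions for illustration only.


@dataclass
class Flow:
    """One connection as seen by the gateway (constructed sample data)."""
    src_network: str          # VLAN/network the client sits on, e.g. "Guest"
    src_device: str           # client name, e.g. "Apple TV"
    dst_ip: str
    dst_port: int
    dst_country: str = ""     # country the destination geolocates to


@dataclass
class Route:
    """Mirrors the fields of the article's Policy-Based Route form."""
    name: str
    interface: str
    kill_switch: bool = False
    # Source: empty sets mean "Any"; otherwise match a listed network or device.
    src_networks: set = field(default_factory=set)
    src_devices: set = field(default_factory=set)
    # Destination: one category, "any", "ip", "domain" or "region".
    dst_type: str = "any"
    dst_values: set = field(default_factory=set)   # CIDRs, domains or country codes
    dst_ports: set = field(default_factory=set)    # for "ip": empty = any port


class Gateway:
    def __init__(self, routes, default_interface="WAN1"):
        self.routes = routes                # evaluated in order, first match wins
        self.default_interface = default_interface
        self.link_up = {}                   # interface -> bool (missing = up)
        # IP -> domain learned from DNS answers the gateway served itself.
        # A client that uses an outside resolver never populates this table, so a
        # Domain rule cannot match its traffic (the article's note on Domain rules).
        self.dns_answers = {}

    def answer_dns(self, domain, ip):
        self.dns_answers[ip] = domain

    def set_link(self, iface, up):
        self.link_up[iface] = up

    def _source_matches(self, r, f):
        if not r.src_networks and not r.src_devices:
            return True                     # Source: Any
        return f.src_network in r.src_networks or f.src_device in r.src_devices

    def _dest_matches(self, r, f):
        if r.dst_type == "any":
            return True
        if r.dst_type == "ip":
            addr = ipaddress.ip_address(f.dst_ip)
            in_prefix = any(addr in ipaddress.ip_network(c, strict=False)
                            for c in r.dst_values)
            return in_prefix and (not r.dst_ports or f.dst_port in r.dst_ports)
        if r.dst_type == "domain":
            name = self.dns_answers.get(f.dst_ip)
            return name is not None and any(
                name == d or name.endswith("." + d) for d in r.dst_values)
        if r.dst_type == "region":
            return f.dst_country in r.dst_values
        raise ValueError(f"unknown destination type {r.dst_type!r}")

    def select_interface(self, f) -> Optional[str]:
        """Return the egress interface, or None when a kill switch drops the flow."""
        for r in self.routes:
            if not (self._source_matches(r, f) and self._dest_matches(r, f)):
                continue
            if self.link_up.get(r.interface, True):
                return r.interface
            if r.kill_switch:
                return None                 # interface down + kill switch: stop traffic
            # kill switch off: fall through to the next matching rule, then default
        return self.default_interface


def build_demo_gateway():
    """The two routes from the Examples section, as constructed rule data."""
    streaming = Route("Streaming via VPN", interface="VPN Client", kill_switch=True,
                      src_devices={"Apple TV"}, dst_type="domain",
                      dst_values={"example-streaming.test"})
    guest_wan2 = Route("Guest to WAN2", interface="WAN2",
                       src_networks={"Guest"}, dst_type="any")
    gw = Gateway([streaming, guest_wan2], default_interface="WAN1")
    # The Apple TV resolved the streaming CDN through the gateway's DNS.
    gw.answer_dns("cdn.example-streaming.test", "203.0.113.10")
    return gw
```

Two behaviours in this model are worth checking against a real deployment. A client with a hard-coded outside resolver never populates the gateway's DNS table, so a Domain rule does not match its connections and they leave via the default WAN; that is why the article insists on the gateway being the client's DNS server. And with the kill switch enabled, a flow that matches a rule whose interface is down is dropped rather than sent out another path, which is the behaviour you want when the tunnel exists for confidentiality.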

See WAN Failover and Load Balancing for more information.

Frequently Asked Questions

I have a TV but it does not support VPNs. Can I use Policy Based Routes to send the TV's traffic over the VPN?
Yes. First configure a VPN Client to a provider of your choice and then add a Traffic Route matching the TV. See the examples section for more information.
I am using a secondary failover WAN. Can I use Policy Based Routes to send traffic to this WAN port?
Yes. See the examples section for more information.
What traffic will flow through the VPN?
By default, only traffic destined for the remote network(s) on the other side of the tunnel flows through it. All or specific Internet traffic can be sent through the tunnel as well by creating a Policy-Based Routing rule.
Does UniFi support integration with SASE and/or ZTNA platforms like ZScaler or Cloudflare?
Yes. Create an IPsec Site-to-Site VPN (route-based) with the SASE/Zero-Trust exchange, and then create a Policy-Based Routing rule to send all Internet traffic through the tunnel.