Policy Based Routing?

We would like to be able to use 2 Internet connections at the same time and control the traffic via the respective Internet connection via Policy Based Routing.
But what is policy-based routing? And how do you set this up in a Watchguard Firewall?

In order to bundle several external connections, it is necessary that the Watchguard Firewall supports the MultiWan feature.

Depending on the model, this feature is either already activated or needs to be re-licensed.

With the MultiWan function you can use 2 DSL connections at the same time, but you can not yet control which protocol should run over which connection.

This works only with Policy Based Routing.

This controls which external port should be used for which firewall rule. For example, you could run all HTTP/HTTPs traffic over the 2nd DSL connection separately from all other connections.

The setup of MultiWan and Policy Based Routing is explained in the following steps.


  • 2 DSL lines incl. access data
  • Watchguard Firewall
  • if necessary MultiWan Feature Key!

Setup Multi-WAN and Failover

First, both DSL connections should be placed on the interfaces at the firewall.

To do this, configure 2 interfaces as External in the Policy Manager under Network -> Configuration and enter the DSL access data.

Policy Based Routing mit Watchguard XTM

Afterwards, the failover of the two ports can be set in the Multi-WAN tab.

watchguard setup policy based routing

Here you select the FAILOVER mode and specify an external IP to check the availability of the line, which is pinged by the firewall. Preferably an IP from the provider’s backbone or e. g. from the Google DNS server.
You can still change the default gateway (Gateway 0 / EXT1) via the configure menu.

By default, all traffic is always routed via gateway 0 (EXT1) and only switches to the other interface when it fails!

Policy Based Routing

In order for us to be able to control which traffic goes over which DSL connection, the interface has to be defined for the FW-rules which are supposed to go over the 2nd DSL connection (Gateway 1 / EXT2).

watchguard firewall policy based routing setup

Activate the check box in “Use policy based routing” and set the interface.
You also have to check the “Failover” option so that in case of a traffic failure, the EXT1 connection is available again.

In a short summary, this means that with MultiWan setup, all traffic goes via EXT1, unless you have specified the EXT2 interface in a firewall rule under Policy Based Routing!