RUT241 with SIM (paid for by us) and wired WAN (paid for by manufacturer - sometimes)
I have a “badly behaved” piece of equipment on LAN.
We need to allow outbound NTP and SSH for it to send useful data (to us)
It loves to send data to “the mothership” (the manufacturer) that we do not care about and that we do not want to pay for (on our SIM). There is no user level access to switch off this data feed to “the mothership” and the manufacturer is interested in assisting; so it is up to us to sandbox the device.
If the client provided connectivity (wired LAN) is available (paid for by the manufacturer) it SHOULD be able to send any data over this connection.
If the client provided connectivity is NOT available then it SHOULD NOT be able to send the useless data via our SIM.
So:
I would like to allow outbound NTP and SFTP for this client via SIM
I would like to allow outbound NTP and SFTP AND general traffic on ports 80 / 443 etc for this client via WAN
I would like to block outbound general traffic on ports 80 / 443 etc for this client via SIM
It is currently configured to block all outgoing access on 80 / 443 using this method:
@markometerpoint It wouldn’t be port based in that case, just host/IP based. If you can identify the target host or subnet of the mothership, create the rule that it can only route to that destination via the hardwired WAN interface.
In that case, you should be able to configure Failover with a custom rule based on tcp dport for example… assuming your troublesome device is 192.168.1.113 and wants to communicate with mothership on tcp/8080…
Could I sanity check my understanding of the logic here please? (also for future reference / for future users?)
In enthusiastic layperson language:
The “policy” is added by editing the “default_rule” on the “Network Failover Multiwan” page. This doesn’t change the default rule. It’s just “a” screen where you are able to add a policy (to the device) which you can then select in “any” rule that applies on the device.
(that was a little confusing for me - I was looking for a screen to add policies without editing an existing rule)
The “policy” says “use WAN; and if that fails then become unreachable; rather than failing over to another interface”
I called it simlock as that made more sense in my own head. (simblock being a prohibited name on these routers - also confusing for me)
We then create a new rule where if the traffic is TCP from (in my case) 192.168.2.101 and it is going “anywhere” (0.0.0.0/0) then use the “simlock” policy so that it can either go to the wan port or go nowhere.
@markometerpoint Yes, the interface for creating new rules/policies is indeed a little confusing. I suggest also inspecting the raw config file at /etc/config/mwan3 to confirm that what you have created makes sense. But I believe your understanding is correct.
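For future readers, here is an added example of what the relevant part of /etc/config/mwan3 could look like once the “simlock” policy and the rules described above are in place. This is not the poster’s actual config, not a RutOS default and not Teltonika’s documentation: the interface names (wan, mob1s1a1), the tracking IPs, the mothership subnet placeholder and the device address 192.168.2.101 are assumptions that must be swapped for the real values on the router. It also folds in the host-based alternative suggested earlier (pin traffic to the mothership's subnet to WAN only) and the port-based allow rules for NTP and SSH/SFTP that are permitted to fall over to the SIM.

```uci
# /etc/config/mwan3 (added example, values are assumptions/placeholders)

# Both uplinks must be tracked; the names are assumed and are whatever
# the router actually calls its wired and mobile interfaces.
config interface 'wan'
	option enabled '1'
	option family 'ipv4'
	list track_ip '1.1.1.1'
	list track_ip '8.8.8.8'
	option reliability '1'

config interface 'mob1s1a1'
	option enabled '1'
	option family 'ipv4'
	list track_ip '1.1.1.1'
	list track_ip '8.8.8.8'
	option reliability '1'

# Members: WAN preferred (metric 1), SIM as backup (metric 2).
config member 'wan_m1'
	option interface 'wan'
	option metric '1'
	option weight '1'

config member 'mob_m2'
	option interface 'mob1s1a1'
	option metric '2'
	option weight '1'

# Normal failover policy: WAN first, SIM if WAN is down.
config policy 'wan_mob'
	list use_member 'wan_m1'
	list use_member 'mob_m2'
	option last_resort 'unreachable'

# The "simlock" policy from the thread: WAN only, and if WAN is down the
# traffic is dropped as unreachable instead of failing over to the SIM.
config policy 'simlock'
	list use_member 'wan_m1'
	option last_resort 'unreachable'

# Rules are evaluated top to bottom; the first match wins, so the
# allow rules for the device must sit ABOVE the catch-all sandbox rule.

# NTP (udp/123) from the device may use WAN and fall over to the SIM.
config rule 'device_ntp'
	option src_ip '192.168.2.101'
	option proto 'udp'
	option dest_port '123'
	option use_policy 'wan_mob'

# SSH/SFTP (tcp/22) from the device may use WAN and fall over to the SIM.
config rule 'device_sftp'
	option src_ip '192.168.2.101'
	option proto 'tcp'
	option dest_port '22'
	option use_policy 'wan_mob'

# Host-based variant suggested above: anything for the mothership's
# subnet (placeholder, replace with the real destination) goes WAN-only.
config rule 'device_mothership'
	option src_ip '192.168.2.101'
	option dest_ip '203.0.113.0/24'
	option use_policy 'simlock'

# Catch-all for the device: everything else (80/443 and the rest) is
# WAN-only; with WAN down it goes nowhere rather than eating SIM data.
config rule 'device_sandbox'
	option src_ip '192.168.2.101'
	option dest_ip '0.0.0.0/0'
	option proto 'tcp'
	option use_policy 'simlock'

# Default for the rest of the LAN: normal failover.
config rule 'default_rule'
	option dest_ip '0.0.0.0/0'
	option use_policy 'wan_mob'
```

A quick way to check the result without pulling the WAN cable is `mwan3 status` (shows which interfaces are up and the active policies) and `mwan3 use <interface> <command>`, which lets you test reachability over a chosen uplink; the rule order shown in `mwan3 status` is the order the rules are actually evaluated in, so confirm the NTP/SSH rules appear before the sandbox rule.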
I think it is working. I would need to wait for wired WAN to die to confirm though. I’ve set a data cap on the SIM and we will take a “wait and see” approach rather than killing WAN on purpose - if it then eats the SIM data we know it isn’t quite right - or if it works great then it’s great.