Block connectivity via SIM WAN but allow via wired WAN for specific LAN client

RUT241 with SIM (paid for by us) and wired WAN (paid for by manufacturer - sometimes)

I have a “badly behaved” piece of equipment on LAN.

We need to allow outbound NTP and SSH for it to send useful data (to us)

It loves to send data to “the mothership” (the manufacturer) that we do not care about and that we do not want to pay for (on our SIM). There is no user level access to switch off this data feed to “the mothership” and the manufacturer is interested in assisting; so it is up to us to sandbox the device.

If the client provided connectivity (wired LAN) is available (paid for by the manufacturer) it SHOULD be able to send any data over this connection.

If the client provided connectivity is NOT available then it SHOULD NOT be able to send the useless data via our SIM.

So:

  • I would like to allow outbound NTP and SFTP for this client via SIM

  • I would like to allow outbound NTP and SFTP AND general traffic on ports 80 / 443 etc for this client via WAN

  • I would like to block outbound general traffic on ports 80 / 443 etc for this client via SIM

It is currently configured to block all outgoing access on 80 / 443 using this method:

https://wiki.teltonika-networks.com/view/Blocking_Internet_Access_for_LAN_Clients

If there was a way to select only mobile interfaces instead of the whole of WAN that would be ideal.

Assistance or links to further relevant reading material would be very welcome.

(I understand that iptables are a thing but I have never worked with these)

Can you not use Policy Based Routing to achieve this?

Where would I choose specific ports on that @luckman212?

(the device on LAN should still be able to use SSH/SFTP via mob1s1a1 for example)

@markometerpoint It wouldn’t be port based in that case, just host/IP based. If you can identify the target host or subnet of the mothership, create the rule that it can only route to that destination via the hardwired WAN interface.

@luckman212 if the mothership were a box sat under a desk in an office on a static IP that would work. :s-)

To make things fun here both the mothership and the legitimate destination are AWS based; so I don’t think that works for us in this instance.

Blocking ports for a specific LAN device on mob1s1a1 but allowing them on wired WAN is, I think, the route we need to take here.

In that case, you should be able to configure Failover with a custom rule based on tcp dport for example… assuming your troublesome device is 192.168.1.113 and wants to communicate with mothership on tcp/8080…

  1. Add new policy

  2. Create custom rule

  3. Move it above default_rule


Thanks @luckman212!

Could I sanity check my understanding of the logic here please? (also for future reference / for future users?)

In enthusiastic layperson language:

The “policy” is added by editing the “default_rule” on the “Network Failover Multiwan” page. This doesn’t change the default rule. It’s just “a” screen where you are able to add a policy (to the device) which you can then select in “any” rule that applies on the device.

(that was a little confusing for me - I was looking for a screen to add policies without editing an existing rule)

The “policy” says “use WAN; and if that fails then become unreachable; rather than failing over to another interface”

I called it simlock as that made more sense in my own head. (simblock being a prohibited name on these routers - also confusing for me)

We then create a new rule where, if the traffic is TCP from (in my case) 192.168.2.101 and it is going “anywhere” (0.0.0.0/0), then use the “simlock” policy so that it can either go to the WAN port or go nowhere.

Repeat for https traffic on 443 (or anything else that you like to block)

And then move above the default rule so that it applies this rule first.

I would NOT have got here without the worked example/screengrab presented - THANK YOU for those. :)

(and having re-read this “wanlock” rather than “simblock” as a name makes more sense for the rule)

@markometerpoint Yes, the interface for creating new rules/policies is indeed a little confusing. I suggest also inspecting the raw config file at /etc/config/mwan3 to confirm that what you have created makes sense. But I believe your understanding is correct.

Is the rule working for you?

Thanks
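For anyone inspecting /etc/config/mwan3 as suggested above, this is what the finished configuration looks like once the “wanlock” policy and the per-port rules are in place. It is an added illustration, not a file taken from the thread, from the screenshots, or from Teltonika: the interface, member, policy and rule names (wan, mob1s1a1, wan_member, mob1s1a1_member, failover, wanlock, badbox_http, badbox_https), the tracking hosts and the timing values are assumptions, so compare them with the output of `uci show mwan3` on your own unit before copying anything.

```uci
# /etc/config/mwan3 (illustrative, names are assumptions; see lead-in)

# Each WAN is "up" for mwan3 only when its tracking pings succeed, so tracking
# must be enabled on both interfaces or a dead-but-linked WAN is never failed.
config interface 'wan'
	option enabled '1'
	option family 'ipv4'
	list track_ip '1.1.1.1'
	list track_ip '8.8.8.8'
	option reliability '1'
	option count '1'
	option timeout '2'
	option interval '5'
	option down '3'
	option up '3'

config interface 'mob1s1a1'
	option enabled '1'
	option family 'ipv4'
	list track_ip '1.1.1.1'
	list track_ip '8.8.8.8'
	option reliability '1'
	option count '1'
	option timeout '2'
	option interval '5'
	option down '3'
	option up '3'

config member 'wan_member'
	option interface 'wan'
	option metric '1'
	option weight '1'

config member 'mob1s1a1_member'
	option interface 'mob1s1a1'
	option metric '2'
	option weight '1'

# Normal behaviour for everything else: wired WAN first, SIM as failover.
config policy 'failover'
	list use_member 'wan_member'
	list use_member 'mob1s1a1_member'

# The "wanlock" policy: wired WAN only. With last_resort set to
# 'unreachable' the traffic is rejected when wan is down instead of
# falling through to the SIM.
config policy 'wanlock'
	list use_member 'wan_member'
	option last_resort 'unreachable'

# Rules are evaluated in file order, so these two must appear above
# default_rule. Anything they do not match (NTP on udp/123, SSH/SFTP on
# tcp/22) falls through to default_rule and may still use the SIM.
config rule 'badbox_http'
	option src_ip '192.168.2.101'
	option proto 'tcp'
	option dest_ip '0.0.0.0/0'
	option dest_port '80'
	option use_policy 'wanlock'

config rule 'badbox_https'
	option src_ip '192.168.2.101'
	option proto 'tcp'
	option dest_ip '0.0.0.0/0'
	option dest_port '443'
	option use_policy 'wanlock'

config rule 'default_rule'
	option dest_ip '0.0.0.0/0'
	option use_policy 'failover'
```

After editing the file, `mwan3 restart` reloads it and `mwan3 status` lists the interface states, the policies and the rules in the order they will be matched; that order is the thing to check, because a rule placed below default_rule never fires. If the manufacturer traffic turns out to use a port other than 80 or 443 (the tcp/8080 case mentioned above, for example), it needs its own rule with the same src_ip and use_policy, since only the ports listed are pinned to the wired WAN.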

I think it is working. I would need to wait for wired WAN to die to confirm though. I’ve set a data cap on the SIM and we will take a “wait and see” approach rather than killing WAN on purpose - if it then eats the SIM data we know it isn’t quite right - or if it works great then it’s great. :)
