We use a RUTX09 and we normally have a primary wired WAN connection and a Mobile 4G connection for our internet access. We have upgraded from version 07.07.3 to 07.17.4 and I have noticed when the router is rebooted, and when the wired WAN is either disconnected or not configured upstream, this leaves the only connection to be the Mobile 4G.
But when the router boots up, it will negotiate with the SIM provider, and after 2 seconds, it is disconnected, and yet shows setup complete.
I am using Multi-WAN. When the wired WAN is configured correctly and multiwan policies pass, there are no issues. But this is observed when the only interface that can be used is 4G.
Also, when I disabled failover on the interfaces, 4G connects ok.
I have extended the timers on the multiwan interface config, but this does not help.
I have tested this up to version 07.19.2 and the same issue occurs.
I have initially tested factory resetting the device, and accessing the bootloader menu to install RUTOS 07.17.4. I have reapplied all the configuration we would use via the RMS templates and turned the device off and back on, after which it is now connecting ok and mwan is working ok.
Firstly, is there an upgrade path from RUTOS 07.07.3 to 07.17.4? This would be good to include on the firmware downloads page.
Secondly, how do I resolve this issue with devices that are remote? Do I downgrade back to v07.07.3, then conduct an upgrade path?
I have done this upgrade path and the 4G connection works up until 07.16.1. Once I upgrade to 07.17.4, I experience the same issue as I originally had when upgrading from 07.07.3 to 07.17.4.
Is there a software patch or configuration that can be applied, as the issue occurs when I upgrade above 07.16.x? So, something has changed in the 07.17.x release.
In the release notes for 07.17 there is this note - Note: To ensure optimal performance, this firmware version has been removed after identifying a situation where the Failover functionality may not operate as expected.
What has changed in the config, software or scripts that affects devices upgrading to this version and above?
Another thing I noticed is that when I change the Output chain in the firewall global settings to Accept, when we normally have this set to Drop, this then makes the mobile interface receive an IP address and resolves the issue.
I would still like guidance around this issue as this deviates from a global deny all policy.
Why would changing the global setting fix this issue when the mobile interface is part of the WAN Zone and Output chain is set to Accept? Can you explain the Firewall global settings for Input, Output and Forward and how this differs from the zones?
As this is a firmware migration issue, it cannot be properly resolved without reinstalling the firmware via the bootloader menu, which unfortunately cannot be done remotely.
It is difficult to determine exactly why changes to the global firewall settings would impact mobile connectivity in this manner, as the root cause appears to stem from the software migration itself. However, by default on our routers, Output is set to Accept. Do you have custom traffic rules set up for internet connection?
Regarding your question below:
The global firewall settings define the default action taken for the INPUT, OUTPUT, and FORWARD chains when a packet does not match any existing rule:
INPUT applies to traffic destined for the router itself (for example, SSH access to the router).
OUTPUT applies to traffic originating from the router (for example, the router accessing the internet).
FORWARD applies to traffic passing through the router (for example, LAN → WAN internet traffic).
For firewall zones, the settings apply specifically to traffic associated with the zone’s interfaces:
Input defines the policy for traffic entering the zone.
Output defines the policy for traffic originating from and leaving the zone.
Forward defines the policy for traffic forwarded between networks that belong to the zone.
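The fallback described in the reply above, as an added example that is not part of the thread and is not Teltonika's code: a simplified Python model of how router-originated traffic gets its verdict from a zone rule, the zone's Output policy, or the global Output default. The zone and interface names (`mobile`, `unzoned0`) and the sample rules are constructed, and the model assumes a zone is selected by the packet's egress interface.

```python
# Added illustration: simplified verdict resolution for router-originated traffic.
# Zone names, interface names and rules are constructed; this is not RutOS code.
from dataclasses import dataclass, field

@dataclass
class Zone:
    name: str
    interfaces: set
    output: str                                # zone Output policy
    rules: list = field(default_factory=list)  # explicit rules, first match wins

@dataclass
class Firewall:
    default_output: str                        # global Output setting
    zones: list

def matches(rule, pkt):
    """A rule matches when every field it specifies equals the packet's field."""
    return all(pkt.get(k) == v for k, v in rule["match"].items())

def output_verdict(fw, pkt):
    """Return (verdict, source) for a packet the router itself sends."""
    for zone in fw.zones:
        if pkt["out_iface"] not in zone.interfaces:
            continue
        for rule in zone.rules:
            if matches(rule, pkt):
                return rule["target"], f"rule in zone {zone.name}"
        return zone.output, f"zone {zone.name} Output policy"
    # No zone claims the egress interface: the global default decides.
    return fw.default_output, "global Output default"

def build(default_output):
    """Constructed policy: WAN zone Output is Accept, LAN zone Output is Drop."""
    wan = Zone("wan", {"wan", "mobile"}, "ACCEPT",
               rules=[{"match": {"proto": "tcp", "dport": 25}, "target": "DROP"}])
    lan = Zone("lan", {"lan"}, "DROP",
               rules=[{"match": {"proto": "udp", "dport": 67}, "target": "ACCEPT"}])
    return Firewall(default_output, [wan, lan])

if __name__ == "__main__":
    dns = {"proto": "udp", "dport": 53}
    for default in ("DROP", "ACCEPT"):
        fw = build(default)
        for iface in ("mobile", "lan", "unzoned0"):
            print(default, iface, output_verdict(fw, {**dns, "out_iface": iface}))
```

With the global Output default set to Drop, only traffic leaving through an interface that belongs to a zone is decided by that zone's rules and policy; anything else is dropped by the default.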
Yes, we use custom firewall rules to specifically permit traffic and deny everything by default. The only place where we have Accept set is on the output for the WAN zone. Just so connections to RMS, DNS, etc. do not need to be specified in the rules but are controlled within the router’s config.
Thank you for clarifying about the global firewall settings, this is what I thought to be, and to be a workaround until the routers can be factory restored.