Problem reaching a wan interface


The main goal is that all USERS can reach the WAN WIRED interface, and to allow only USER04 and USER05 to go to the internet through the WAN SIM interface.

I’m not sure if it is important, but I’m able to reach USER01 to USER03 from USER04 and USER05, but not the other way around.

My zones are:

It is definitely possible to achieve the desired configuration; however, one important note is that with your current firewall zone configuration, all WAN traffic can reach the LAN clients. This is a potential security risk, and if the WAN networks are not trusted, WAN forwarding to LAN and OpenVPN should be disabled. Additionally, masquerading (NAT) should be enabled on the WAN zone, and (usually) not on the LAN, as the operator will drop any packets with a LAN source IP address.

As for your requirements, in order to achieve them, we will need to split the WAN zone into SIM1 + SIM2 and Wired WAN. This can be done by navigating to the general firewall settings (Network → Firewall → General Settings) and creating a new zone. We can call it Mobile for simplicity. The configuration should look like so:

Make sure to remove the mobile interfaces from the other WAN zone (and rename it to WiredWAN for simplicity).
On the OpenVPN zone, enable forwarding to WiredWAN (but not mobile wan!) and set the Forwarding chain to Accept. The final firewall zone configuration should look like so:

With this configuration:

  • RUTX50 LAN clients should be able to reach both WAN interfaces, as well as OpenVPN hosts;

  • OpenVPN clients will be able to reach the RUTX50 Wired WAN and LAN interfaces;

  • None of the OpenVPN or LAN users will be reachable from either of the WAN interfaces;

Additionally, make sure all of the necessary routes are pushed from the OpenVPN server. In this case the server would need to know that RUTX50 contains the following networks: (not sure about the size of this network, it needs to be adjusted accordingly)
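The zone rules in the reply above (no forwarding from an untrusted WAN zone into LAN or OpenVPN, masquerading on the WAN zones and not on LAN, OpenVPN forwarding to WiredWAN but not to Mobile) can be checked mechanically against the device's `/etc/config/firewall`. The script below is an added example, not code from the thread or from Teltonika: it parses a UCI-style firewall file and reports the problems the reply describes. Both config texts are constructed, and the zone and network names (`WiredWAN`, `Mobile`, `openvpn`, `mob1s1a1`, `mob1s2a1`) are assumptions standing in for whatever the poster's RUTX50 actually uses.

```python
"""Added example (not from the thread): audit a UCI-style /etc/config/firewall
for the zone problems discussed in the reply. BEFORE/AFTER are constructed
configs; zone/network names such as WiredWAN, Mobile, openvpn and mob1s1a1
are assumptions, not the poster's real configuration."""


def parse_uci(text):
    """Parse 'config <type>', 'option <k> <v>' and 'list <k> <v>' lines into
    one dict per section; 'list' values accumulate in a Python list."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0] == "config" and len(parts) >= 2:
            cur = {"_type": parts[1]}
            sections.append(cur)
        elif parts[0] == "option" and cur is not None and len(parts) == 3:
            cur[parts[1]] = parts[2].strip("'\"")
        elif parts[0] == "list" and cur is not None and len(parts) == 3:
            cur.setdefault(parts[1], []).append(parts[2].strip("'\""))
    return sections


def forwardings(text):
    """Return the set of (src, dest) zone pairs that have a forwarding section."""
    return {(s["src"], s["dest"]) for s in parse_uci(text)
            if s["_type"] == "forwarding" and s.get("src") and s.get("dest")}


def audit_firewall(text, wan_zones, inside_zones):
    """Findings for: a WAN zone forwarding into an inside zone (LAN/OpenVPN),
    a WAN zone without masquerading, and an inside zone with masquerading."""
    findings = []
    for src, dest in sorted(forwardings(text)):
        if src in wan_zones and dest in inside_zones:
            findings.append(f"forwarding {src} -> {dest}: WAN hosts can reach {dest}")
    for z in parse_uci(text):
        if z["_type"] != "zone":
            continue
        name, masq = z.get("name"), z.get("masq", "0") == "1"
        if name in wan_zones and not masq:
            findings.append(f"zone {name}: masquerading is off on a WAN zone")
        if name in inside_zones and masq:
            findings.append(f"zone {name}: masquerading is on for a non-WAN zone")
    return findings


# Constructed "before": one wan zone holding wired + mobile, forwarding into LAN
# and OpenVPN, masquerading on lan instead of wan.
BEFORE = """
config zone
    option name 'lan'
    option masq '1'
    list network 'lan'
config zone
    option name 'wan'
    option masq '0'
    list network 'wan'
    list network 'mob1s1a1'
    list network 'mob1s2a1'
config zone
    option name 'openvpn'
    option masq '0'
config forwarding
    option src 'lan'
    option dest 'wan'
config forwarding
    option src 'wan'
    option dest 'lan'
config forwarding
    option src 'wan'
    option dest 'openvpn'
"""

# Constructed "after": WAN split into WiredWAN and Mobile, no WAN -> inside
# forwarding, OpenVPN forwards to WiredWAN and lan only.
AFTER = """
config zone
    option name 'lan'
    option masq '0'
config zone
    option name 'WiredWAN'
    option masq '1'
    list network 'wan'
config zone
    option name 'Mobile'
    option masq '1'
    list network 'mob1s1a1'
    list network 'mob1s2a1'
config zone
    option name 'openvpn'
    option forward 'ACCEPT'
config forwarding
    option src 'lan'
    option dest 'WiredWAN'
config forwarding
    option src 'lan'
    option dest 'Mobile'
config forwarding
    option src 'lan'
    option dest 'openvpn'
config forwarding
    option src 'openvpn'
    option dest 'WiredWAN'
config forwarding
    option src 'openvpn'
    option dest 'lan'
"""

if __name__ == "__main__":
    for label, cfg, wan in (("before", BEFORE, {"wan"}),
                            ("after", AFTER, {"WiredWAN", "Mobile"})):
        print(label, audit_firewall(cfg, wan, {"lan", "openvpn"}) or "no findings")
```

On a real unit the file to feed in is `/etc/config/firewall`; the audit only reports, it changes nothing. It does not cover the per-host requirement (only USER04 and USER05 via the SIM), which zone forwarding alone cannot express.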

Thanks for the quick reply.

I’m trying to reach a server through WiredWAN with this config, but I can’t. I believe that I must create a static rule, right?

I did this, but it is still not working.

I tried the IPv4 gateway for the WiredWAN and the IP that the RUTX50 obtains from that network, and nothing.

This is my Interface Priority


Once the OpenVPN is working, the local users start to navigate through that tunnel, and I need them to continue through the WAN SIM and to block the remote users from using the WAN SIM.

Instead of creating route rules at the OpenVPN, can I create forwarding rules in the RUTX50?

No static routes should be needed in this configuration. Could you try enabling load balancing (Network → Failover → Select Load Balancing) and check if that helps?

