Block all but one client?

Hi

Max Transit CAT 18 here. Beautiful product, working flawlessly in my RV. I even have an external Poynting antenna. Generally thrilled with the solution.

What I’d like to do is restrict internet access to one PC client for O365, Zoom, Teams, corporate internet, VPN, etc., and yet block everything else (Roku clients, Plex, Synology) from chewing up cellular data. What’s the best way to accomplish this?

The question behind the question is the order of precedence in the access rules. For example, would it work to deny everything and then allow one MAC address?

Well, the first thing I’d mention is that Outbound Policies are your friend. While it is possible to meet your objectives using the firewall, the more friendly and adaptable solution is to use OBP. If that does not make sense to you, send me a PM and I’ll send you an example of actual OBPs from a router or two in production.

Note that OBPs are interpreted from the top down. As soon as a rule “fires” in a given situation, all further rules are ignored.

As to your follow-on question: you could certainly do something like that with the firewall, but I think you’d find OBP more flexible, and you can use the latter for other purposes as well.

1 Like

Add a top rule with one IP, enforced to the WAN you want.
Then the next rule is enforced to an inactive WAN, or an inactive SpeedFusion tunnel.

1 Like

OK, good, thank you. So a firewall rule would be easy if #1 is a specific IP allow, and an “all deny” as #2 sits above the default “all allow”, which is always last. It wasn’t immediately obvious to me how to do this with the outbound policy; I’ll PM for an example. Thanks again, guys.
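
The ordering logic discussed above (a specific allow first, a blanket deny second, and the router's default allow-all always last, with rules read top-down and the first match winning) as an added example that is not from this thread and is not Peplink's own code: a small Python first-match evaluator over constructed rules and addresses. The LAN addresses, rule names and the `Rule` class are assumptions made up for the illustration; the `shadowed()` check flags a rule that can never fire because a broader rule sits above it, which is exactly what happens if the "all deny" ends up below the default "all allow".

```python
"""Added example: first-match evaluation of an ordered access-rule list.
Not from the thread or from Peplink; addresses and rule names are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    src: str = "any"       # CIDR string or "any"
    dst: str = "any"       # CIDR string or "any"


def _hit(pattern: str, addr: str) -> bool:
    """True when a single address falls inside a rule field ('any' matches all)."""
    return pattern == "any" or ip_address(addr) in ip_network(pattern, strict=False)


def evaluate(rules, src: str, dst: str):
    """Walk the list top-down; the first rule that matches decides and every
    later rule is ignored, so a deny placed below a catch-all allow is dead."""
    for rule in rules:
        if _hit(rule.src, src) and _hit(rule.dst, dst):
            return rule.action, rule.name
    raise ValueError("rule set has no catch-all default rule")


def _covers(outer: str, inner: str) -> bool:
    """True when every address matched by `inner` is also matched by `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))


def shadowed(rules):
    """Names of rules that can never fire because an earlier rule already
    covers every packet they would match (the 'broad rule above specific
    rule' mistake). The mandatory last default is expected to appear here
    whenever a deny-all sits above it; that is the intended configuration."""
    dead = []
    for i, later in enumerate(rules):
        if any(_covers(e.src, later.src) and _covers(e.dst, later.dst)
               for e in rules[:i]):
            dead.append(later.name)
    return dead


# Constructed LAN (assumption): the work PC and one of the media clients.
WORK_PC = "192.168.50.10"
ROKU = "192.168.50.20"
INTERNET_HOST = "203.0.113.7"   # documentation-range address standing in for any site

# Working order: specific allow, blanket deny, then the always-last default allow.
GOOD_ORDER = [
    Rule("allow work PC", "allow", src="192.168.50.10/32"),
    Rule("deny everything else", "deny"),
    Rule("default allow", "allow"),
]

# Broken order: the deny-all is below the default allow, so it never fires.
BAD_ORDER = [
    Rule("allow work PC", "allow", src="192.168.50.10/32"),
    Rule("default allow", "allow"),
    Rule("deny everything else", "deny"),
]


if __name__ == "__main__":
    for label, ruleset in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        print(label, "work PC ->", evaluate(ruleset, WORK_PC, INTERNET_HOST))
        print(label, "Roku    ->", evaluate(ruleset, ROKU, INTERNET_HOST))
        print(label, "dead rules:", shadowed(ruleset))
```

Running it shows the work PC allowed under both orders, the Roku denied only under the good order, and `shadowed()` reporting the deny-all as unreachable in the bad order. The same first-match model applies whether the rule list is a firewall access list or an outbound policy list; only the action differs (drop versus route).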

You could implement either as a firewall policy or as an outbound policy.
One routes packets, one drops packets.
I just prefer outbound, as most of my other rules are here for manipulating traffic. I also create a SpeedFusion tunnel that is disabled, called ZZZ Drop traffic, and enforce route IPs to it.

2 Likes

Cool. The firewall access rule was trivial once I understood the execution rules. Works beautifully. I would like to understand how to route packets to nowhere, though, which of course has the same effect as dropping them. But here is an important question: which method consumes the least number of CPU cycles and is the simplest from the state-machine logic perspective? WaaaaY back in the day I was pretty good at simplifying Boolean algebra to reduce the logic gate count, lol. Yes, a lot has changed since then, but I still like to conserve CPU!

1 Like

Hmm, good question, @TK_Liew or @sitloongs.
What uses less CPU: routing packets to an inactive WAN or tunnel, or dropping them at the firewall?

Dropping them at the firewall will be using less CPU.

2 Likes

Fantastic. Thanks, all. I think my brain is tending to think about this as a packet-dropping firewall function. In the interest of science, it might be fun to create a routing function that does this only when the destination WAN is cellular! Thanks.

This really does seem like a classic use case for outbound policies. Using them would make it easy to prioritise the policies in whatever order you wish, and easily reorder or amend the policies later as use cases or needs change. While it seems you’re more comfortable with firewall rules than outbound policies, I would strongly suggest making yourself familiar with the latter as they’re really quite useful once you get the hang of them—you may find that you have additional use cases that are served using these rules, and I believe that having them all in one place and easy to manage would make administration easier in the long term.

1 Like