Firewall feature request


#1

Dear engineering team :slight_smile:

We have installed HD4 Max on several vessels, where we use cellular when we are close to shore, VSAT (WAN1) when we are out of cellular coverage, and if VSAT fails we have a backup satellite connection (WAN2) with max 128 kbps up/down (Iridium Pilot and FleetBroadband). The big issue is that each MB is costing us $10 :mad:

Therefore we are seeking the possibility to configure firewall rules so that when our backup satellite connection is active, these rules only allow specific traffic, e.g. Outlook (Exchange), TeamViewer, InControl and SSH to a specific subnet.

Best Regards

Niels Christian Skovbo Nielsen
IT Manager Offshore


#2

Hi Niels
We have the same issue.
Our thought was to be able to block by MAC address (or IP) per WAN.
E.g. everyone has access on Cellular and WAN1, but on WAN2 only allowed MAC addresses can access (Captain).
The captain should notice the slowness of the connection, and the rest of the crew/guests will probably complain within a minute that the internet isn’t working!
Config would be something like the port forwarding rules, where you can select which interfaces to apply the port forwarding rule to.
Thanks!


#3

Hi Niels,

Below is the solution.

WAN priority on Dashboard

  1. Cellular1
  2. WAN1
  3. WAN2

Outbound Policy

  1. Exchange
  • Source: Any
  • Destination: IP Address, <Exchange public IP>
  • Protocol: Any
  • Algorithm: Priority
  • Priority Order: 1) Cellular1 2) WAN1 3) WAN2
  • Terminate Sessions on Link Recovery: Enable
  2. TeamViewer - This is a bit tricky since TeamViewer uses TCP 80 and TCP 443. I suggest limiting TeamViewer to one PC on the vessel.
  • Source: IP Address, <TeamViewer PC IP>
  • Destination: Any
  • Protocol: Any
  • Algorithm: Priority
  • Priority Order: 1) Cellular1 2) WAN1 3) WAN2
  • Terminate Sessions on Link Recovery: Enable
  3. InControl2 - Please refer here, then add a similar rule as below for all IPs stated in the URL link.
  • Source: Any
  • Destination: IP Address, <InControl2 IP>
  • Protocol: Any
  • Algorithm: Priority
  • Priority Order: 1) Cellular1 2) WAN1 3) WAN2
  • Terminate Sessions on Link Recovery: Enable
  4. SSH
  • Source: Any
  • Destination: IP Network, <IP network> Mask <Subnet mask>
  • Protocol: SSH
  • Algorithm: Priority
  • Priority Order: 1) Cellular1 2) WAN1 3) WAN2
  • Terminate Sessions on Link Recovery: Enable
  5. Default rule
  • Default Rule: Custom
  • Algorithm: Priority
  • Priority Order: 1) Cellular1 2) WAN1 3) Mobile Internet [Ensure this interface is not active]
  • Terminate Sessions on Link Recovery: Enable

Hope this helps.
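To check that a rule set like the one in post #3 really confines traffic on the metered link, here is an added example (not from the thread or from Peplink) that models the priority outbound policy: first matching rule wins, then the first healthy WAN in that rule's order is used. The Exchange, InControl2 and SSH addresses, the TeamViewer PC IP and the WAN states are all constructed placeholders, and the matching semantics are an assumption for illustration.

```python
import ipaddress

# Added example: a small model of the priority-based outbound policy described
# in the thread. Rule semantics (first match, then first healthy WAN in the
# rule's priority order) are an assumption for illustration, not Peplink's code.
# IPs, the TeamViewer PC address and the WAN states are constructed.

def make_rule(name, order, src=None, dst=None, proto=None):
    """src/dst are CIDR strings or None (Any); proto like 'tcp/22' or None (Any)."""
    return {"name": name, "order": tuple(order), "src": src, "dst": dst, "proto": proto}

BACKUP_ORDER = ("Cellular1", "WAN1", "WAN2")

RULES = [
    make_rule("Exchange", BACKUP_ORDER, dst="203.0.113.10/32"),
    make_rule("TeamViewer", BACKUP_ORDER, src="10.0.0.50/32"),
    make_rule("InControl2", BACKUP_ORDER, dst="198.51.100.5/32"),
    make_rule("SSH", BACKUP_ORDER, dst="192.0.2.0/24", proto="tcp/22"),
    # Default rule from the thread: WAN2 is left out on purpose and the
    # 'Mobile Internet' interface is never active, so unmatched traffic has
    # nowhere to go once Cellular1 and WAN1 are down.
    make_rule("Default", ("Cellular1", "WAN1", "Mobile Internet")),
]

# Constructed scenario: only the expensive backup link is up.
BACKUP_ONLY = {"Cellular1": False, "WAN1": False, "WAN2": True, "Mobile Internet": False}

def _in_net(addr, cidr):
    return cidr is None or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)

def matches(rule, flow):
    return (_in_net(flow["src"], rule["src"]) and _in_net(flow["dst"], rule["dst"])
            and (rule["proto"] is None or rule["proto"] == flow["proto"]))

def select_wan(flow, wan_up, rules=RULES):
    """Return (rule name, chosen WAN); WAN is None when no listed link is up."""
    for rule in rules:
        if matches(rule, flow):
            chosen = next((w for w in rule["order"] if wan_up.get(w)), None)
            return rule["name"], chosen
    return None, None

if __name__ == "__main__":
    flows = [
        {"name": "outlook", "src": "10.0.0.20", "dst": "203.0.113.10", "proto": "tcp/443"},
        {"name": "crew-web", "src": "10.0.0.20", "dst": "93.184.216.34", "proto": "tcp/443"},
        {"name": "ssh-ops", "src": "10.0.0.20", "dst": "192.0.2.7", "proto": "tcp/22"},
    ]
    for f in flows:
        rule, wan = select_wan(f, BACKUP_ONLY)
        print(f"{f['name']:10s} rule={rule:10s} via={wan or 'BLOCKED'}")
```

Running it shows Exchange and SSH flows riding WAN2 while general crew web traffic matches only the default rule and is blocked, which is the behaviour the thread is after.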