Internal Firewall Rules Need VPN/WAN Option


#1

Hello-

I currently have a main office network (172.16.1.x/22) with a Balance 305 and a remote office (172.16.14.x/24) with a Balance 20. They are joined by PepVPN. We have a remote media server (172.16.14.50) that we update regularly from the main office. However, the PepVPN stays connected using the remote office’s mobile internet, and it’s possible that our employees can unknowingly use up our entire Verizon data quota transferring files to the media server when the cable WAN is down. In the past, I’ve just set the PepVPN on the remote office to not use the mobile internet. However, recent equipment purchases require that I start using the PepVPN with the mobile internet.

What I’d like is a way to set a firewall rule to deny any traffic from the main office network (172.16.1.x/22) to the remote media server (172.16.14.50) if PepVPN is using the mobile internet on either end of the connection. Perhaps you could add a ‘metered’ bool property to WANs and then add an ‘apply to metered connections’ property to internal firewall rules.

Thanks!
Ben Adams


#2

Can you use the Outbound Policy rules to do this, similar to what I was told in this post (https://forum.peplink.com/threads/6591-Add-ability-for-firewall-rules-to-be-WAN-inteface-sensitive)? Advanced > PepVPN > Outbound Custom Rules

What is shown below worked for me to allow PCs to access the Carbonite backup service only over the WAN, so as to not eat up our entire AT&T data quota transferring backup files to Carbonite when the cable WAN is down. Maybe doing what is shown below will work for you by changing Destination to “IP Address” & “172.16.14.50”?



#3

Hey mjburns-

I tried making outbound policy rules, but they don’t seem to be applied to connections that occur within the networks, like pepvpn networks. To test it, I made a rule as you suggested, but I set the enforced connection to a disabled WAN. However, I was still able to connect to the destination, 172.16.14.50.

If the outbound policy rules were applied to traffic within pepvpn networks, this problem would be solved.

Thanks for the idea!
Ben


#4

Hi Ben,

Outbound Policy within the SpeedFusion tunnel is on our roadmap. Stay tuned.