Only allow 1 VLAN to access mobile Internet & block the rest


#1

We are using a Balance 305 for a small ISP. We have 2 WAN ports connected to fiber. We are looking to add a mobile Internet device to the router but do not want it to ever be available as a failover for customers. Our desire is to have it available for our network admins to access the router in the case of a failure on both WAN ports. In addition, we would like our internal management VLAN (VLAN 5) to be able to access the mobile Internet device for outbound traffic in the event of a dual WAN failure. This way, our management servers can still send emails and SMS pages to our techs if both fiber lines go down.

I don’t see a way to set this up where only VLAN 5 will ever have access to the Mobile Internet WAN and I can exclude all other VLANs. We will use a DDNS service to be able to come in to the router from the outside using the mobile Internet WAN.


#2

You can set up your outbound policies for each VLAN. Use one of the algorithms that allows you to choose your available WANs (priority, weighted balance, Overflow, etc.). For your management VLAN rule, include the cellular WAN, and exclude it from all others. You can also set up an internal firewall rule to only allow traffic to that WAN from the management VLAN as a “just in case” type of scenario where you can’t achieve exclusivity in your outbound policies.


#3

I’ve been looking there but I can’t make it work. We use “Overflow” as our algorithm. With Overflow, you don’t have the ability to exclude a WAN, just change the order it tries them.

We need to use Overflow to keep traffic on WAN 1 until it is saturated and then overflow to WAN 2. However, if they both go down, we don’t want it to Overflow to Mobile Internet and I can’t seem to prevent that.

In Outbound Firewall, there is no way to limit the use of a WAN connection.

In “Priority” mode, you can make a WAN connection “unused” but that option does not exist for “Overflow”. It should.