Outbound Firewall Rule and Content Blocking tie with WAN interface


#1

I’m new to the PepLink products, and am trying to clarify how outbound rules are applied. I’ll describe how I think it works, and am looking for correction or confirmation of my understanding.

As best I can tell, if you can’t successfully filter/direct traffic with a single rule, then you are SOL.

Rules get evaluated in the order that you specify. That part if clear. The manual also says that once there is a match on the outgoing packet, subsequent rules are not evaluated.

So, for example, I can’t have two rules that apply to the same outbound packet.

  • I can’t have one rule that says to direct certain users only through one set of WAN port, and also have a rule that enforces HTTPS persistence.

  • I can’t give devices a priority order in which to use WANs, and also block certain protocols.

  • I can’t block certain protocols for certain devices only when they are using a particular WAN.

I do realize that by using some combination of Firewall filtering and user groups I might be able to accomplish select combinations of filtering, but I can’t have a series of outbound rules applied, any one of which might block a packet from passing.

As a little background, my application is on a boat where there are multiple WAN alternatives with widely varying availability, cost, and bandwidth. When the WAN connection is an unlimited wifi service in a town or marina, I want to let all users do whatever they want. When the WAN connection is via a 4G/LTE modem, I want to allow most user, but block one or two known pigs, and also block one or two web sites like youtube, and block one or two protocols to be sure my data plan doesn’t get sucked dry. And last, if my WAN connection is the satellite system that costs $2000 per GB, I want to block all access except for one or two specific devices and one or two specific protocols.

Thanks


#2

I think questions above are something you need to achieve with the requirements below. Solution will be provided below.

This is the main focus of this forum thread. Thanks for the detail explanation. Let me provide a solution here and hope this help.

This is the design.


1. You need to divide the users into multiple groups as below then create respctive SSID for them.

  • Create Vlan at Network > Network Settings > “?” of IP Settings > here > Proceed.
  • Create SSID at AP > Wireless SSID > SSID. Make sure you tie Vlan ID to the respective SSID.

1.1 VIP user or device - SSID VIP)

  • Untagged Vlan (Default Vlan)
  • IP subnet 192.168.50.0/24
  • Allowed to access internet via Satellite, Cellular and Wifi WAN

1.2 Advanced user or device - SSID User)

  • Vlan 51
  • IP subnet 192.168.51.0/24
  • Allowed to access internet via Cellular and Wifi WAN

1.3 Guest - SSID Guest)

  • Vlan 52
  • IP subnet 192.168.52.0/24
  • Allowed to access internet via Wifi WAN only

2. Create Outbound Policies below

  • Create Outbound Policies at Advanced > Outbound Policy


Function of the rules with your requirements

  • Condition - Wifi WAN will be available at this time.
  • So users associated with VIP, User and Guest will able to access youtube and the rest of the websites based on the defined rules above.
  • Condition - Cellular WAN will be available at this time.
  • User associated with VIP can go anywhere beside Youtube.
  • User associated with User can go anywhere beside Youtube.
  • User associated with Guest can’t go anywhere.
  • Condition - Satellite will be available at this time.
  • User associated with VIP can go anywhere beside Youtube.
  • User associated with User can’t go anywhere.
  • User associated with Guest can’t go anywhere.

#3

Thanks for the detailed suggestions, and sorry for my long delay in replying. I have been using one of those limited internet connections for a while and have been unable to reply…

I see a couple of obstacles to implementing what you suggest.

  1. I’m using a Balance 20 which has no AP, so I can’t create separate SSIDs for each user group.

  2. Even if I could create separate SSIDs, many of my devices are hardwired.

Any other suggestions?

What I’d really like to have are two things:

First is a way to apply a sequence of rules, not just the first one that matches. When a filter matches, it would allow the packet to then be evaluated against the next filter. If it gets past all the filters, then it goes through to the port. If it fails any filter along the way, it’s ejected. There are other ways to do it too, but the key is to be able to apply multiple rules. For example, it would be good to be able to limit certain traffic to selected WAN ports, but also be able to enforce HTTPS affinity.

The second thing would be to have groups of rules that can be enabled or disabled together as a set. By way of example, sometimes my wifi extender (connected to WAN port 1) is connected to an unlimited AP, and sometimes it’s connected to a metered AP. It all depends on where I am. It would be great to be able to invoke the more restrictive filtering rules as a group when I’m on one of the metered APs, and turn them off when on an unlimited AP.


#4

I have clearer picture now. Looks like you are having connection below:-
------------------------------------------------------))) AP1 (unlimited)
-------------(WAN1) -------------> Wifi Extender ))) AP2 (metered)
Balance 20 (WAN2) -------------> Satelite
-------------(Mobile Internet) —> Cellular

The easiest way is connect an AP to Balance 20 to achieve this. AP is providing connection to the mobile users. For those users with wired connection, I believe they do have their own place for them to connect to internet. If so, you may assign respective Vlan for their connected switch port.

This is not possible. Once the rule was matched, the traffic will not match with other rules. This is the design.

The Wifi extender will connect to respective AP automatically? If so, this is a bit tricky. Our box will treat this is an wired WAN. It will not know which AP it was connected. Can you further elaborate how this works?


#5

Yes, that’s a correct diagram, but there are further variations as well. For example, depending on where I am I might use one of a couple of different cellular modems to get the best reception and/or utilize the best data roaming plan. So it’s possible to want different rules for different cellular modems.

Pretty much all of my wired connections come in via a couple of other ethernet hubs, and I don’t think you can group ports together into a VLAN across switches. Or can you?

Thanks. That confirms my original supposition. What I was describing was a feature enhancement/addition to the product that I think would solve these types of problems. If Peplink decides to pursue such enhancements, I’d be happy to beta test them or otherwise provide feedback.

I generally connect manually, so know what I’m connecting to, and what metering limitations apply. If it were possible to have groups of rules that can be enabled or disabled together as a group (note: this is another feature enhancement suggestion), then I would be happy to manually select which group of rules to use when I connect to a particular AP. The challenge right now is that I need to go through every outbound rule, and every firewall rule and individually enable/disable then. It’s highly error prone, and a mistake can result in a huge data communications bill.

Thanks for your help on this, and for listening to the limitations that I have encountered in the product. Overall I think the Peplink products are excellent, and would love to see these few enhancements to make them even better for mobile applications.


#6

Manual way to change to WAN connection (you have multiple Wifi connections via WAN1 and multiple cellular connections via Mobile Internet) is not a good idea. Do you mind to share how many active WAN connection you are looking for? May be I can provide some idea here.

Thank you.


#7

Sure. Here are the variations that I have encountered so far, and more are possible.

  1. WAN1: Connects to my wifi extender (Microtik Groove). This at times connects to the following APs with distinct characteristics that warrant different filtering of traffic.

1A) AP is a cellular mifi device with a monthly GB limit so I want to restrict frivolous use, i.e. no youtube or netflix, etc.

1B) AP is an unlimited wifi service, so I want to allow full access for everyone.

1C) AP is a wifi service with a GB limit. Sometimes it’s a reasonably high limit, but sometimes it’s very low like 50MB. Different filtering is required depending on what the particular service provides.

  1. WAN2: Connects to my satellite modem and I only want to allow critical user access.

  2. USB Mobile Device: I currently have two of these, each with different plans with different providers. Despite what everyone says about putting any SIM card in any LTE device, I have never, and I mean never seen it actually work. I have tried three different devices with three different carriers, and they all only work with their matching SIM. So I need to use multiple USB LTE modems, selecting which ever is best for my current location.

3A) Haiwai USB device with Telus

3B) Pantech USB device with Verizon

Those are the current set of WAN connections that I’m juggling, but it can expand anytime.


#8

Thanks for the details info.

Most of your requirements can be achieve by using Max HD2. We do have a lot of used case for device that using embedded SIM. Of course, you need choose the right model. You should use MAX-HD2-LTE-US-T based on the provided info.

Basically what I suggested here still valid beside the Wifi WAN Connection. It is quite challenging to make it fully automate since we will not sure what type of Wifi service (unlimited and cap by usage) provided by the marina, then apply the appropriate rules to do the filtering.

I will move this forum to feature request for product team to take consideration.

Thank you.