I’m using a Balance One Core to administer a shipboard network. I’ve found a lot of useful information for restricting access to the expensive Sat link and have implemented it. Thanks for all the great guidance I’ve found on the board so far.
Now, I have some questions regarding priority of the various rules which I haven’t found elsewhere on the boards.
The general goal is this:
I have a shipboard network, entirely wired. I can administrate, but don’t really have the ability to change the existing network architecture (controlled by company policy).
We have 3 WAN sources.
WAN 1: Dockside Wifi AP, wired to the WAN 1 port (preferred for cost and speed, but only available at the dock)
WAN 2: Fleet Broadband connection (expensive, but available whenever the Wifi is not)
Mobile WAN: A Verizon card that is used for the rare cases when the other two are not available.
I would like to allow the senior management and the email server access to FBB, and restrict access for the rest of the network to only WAN1 and Mobile. I first accomplished this using the Firewall Access rules and just manually enabling an “Allow All” rule while connected to Wifi. By learning more about the Outbound Policy I have been able to replace these rules with policy and all seems to be working well. However, there are still a couple of outstanding questions I’d like some guidance on if possible.
Just by luck, the machines I want to give access to fall into a convenient CIDR range (10.x.x.9 - 10.x.x.15). I entered 10.x.x.9/29 in the Source IP Network setting. This is a basic question, but everywhere I look up CIDR it only talks about netmasking for purposes of subnetting. Will it work correctly like this, only allowing the IPs between 9 and 15 inclusive? Or would I be better served by just entering the IPs individually? It seems to be working fine from watching the Client List, but I’d like to get things to a set and forget status, so no one will have to mess with (and potentially break) the rules in the future.
I would like to put one of these IPs onto a schedule, only allowing access to the FBB for a few hours a day to get navigation updates. I did this before using firewall rules, and enabling an “Allow All” rule placed above the schedule while on WAN 1 (in port). But now with the policy, I’m not sure how to accomplish the same thing. My concern is that if I put the policy on a schedule, it will only allow access during those hours even when we are connected to WAN 1. I’ve thought perhaps I could do this with the Firewall Access rules, but I’m not sure how priority is determined given a conflict. For example, if the outbound policy is set to priority for the three connections, but the access rule says it is only allowed on a schedule, which will take precedence? In my testing so far, it seems like the outbound policy is winning.
My goal is to create a set of rules that will restrict this IP to a few hours while on WAN2 (FBB), but leave it open while on WAN1, without anyone needing to access the Balance Admin.
Can anyone offer suggestions on how to solve this issue, or some guidance on how the different rulesets interact with each other?
Thanks very much for all the responses I’ve already seen, this board has been extremely useful.
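One way to check what the /29 in the post above actually admits, as an added example that is not part of the original post or of Peplink’s own tooling. A /29 block is aligned on a multiple of 8, so a firewall normalizes 10.x.x.9/29 to 10.x.x.8/29 and also admits .8; the constructed network 10.0.0.0 stands in for the placeholder octets in the post.

```python
# Added example (not from the original post or Peplink): what a CIDR entered
# as 10.x.x.9/29 actually matches. The "x" octets are placeholders in the
# post; 10.0.0.0 is a constructed sample network used here.
import ipaddress


def cidr_members(cidr: str) -> tuple[str, list[str]]:
    """Return the normalized network and every address it covers.

    strict=False mirrors what firewalls and routers do with a CIDR whose
    host bits are set: the prefix is applied and the network address is
    rounded down to the block boundary.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net), [str(a) for a in net]


def matches(cidr: str, ip: str) -> bool:
    """True if `ip` falls inside the block derived from `cidr`."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def covered_exactly(cidr: str, wanted: list[str]) -> tuple[list[str], list[str]]:
    """Compare the block against the intended host list.

    Returns (extra, missing): addresses the block admits that were not
    intended, and intended addresses it does not admit.
    """
    _, members = cidr_members(cidr)
    extra = [a for a in members if a not in wanted]
    missing = [a for a in wanted if a not in members]
    return extra, missing


if __name__ == "__main__":
    # The post's intended range: .9 through .15 inclusive (seven hosts).
    intended = [f"10.0.0.{h}" for h in range(9, 16)]
    net, members = cidr_members("10.0.0.9/29")
    print(net, members)                               # 10.0.0.8/29, .8 through .15
    print(covered_exactly("10.0.0.9/29", intended))   # (['10.0.0.8'], [])
```

If .8 must stay outside the rule, the exact match for .9 through .15 is either the seven addresses entered individually or the three blocks 10.x.x.9/32, 10.x.x.10/31 and 10.x.x.12/30.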