outbound policy rules checkup

I have the balance itself at

  • LAN ports 1-6 are set to the untagged VLAN, for important devices (most secure)
  • LAN port 7 is set to the WiFi VLAN with a basic unmanaged access point connected (less secure devices)

I’d like to achieve:

  • To route all important traffic enforced over SpeedFusion, and isolate it for security from the WiFi VLAN.
  • Most WiFi devices to route over priority WAN 1, then WAN 2.
  • A couple of WiFi devices within the subnet to route over SpeedFusion.

The DHCP server on the WiFi VLAN could be set to hand out IPs from - netmask (?)
Then manually configure a couple of WiFi devices as,

Then set outbound rules:

  1. source : enforced SpeedFusion (this rule could be eliminated? Is there any difference in performance if it’s matched first or last in the rule list for the core services which are the main concern?)
  2. source : priority WAN 1, WAN 2
  3. source any, destination any : enforced SpeedFusion
  4. HTTPS persistence (default rule, not sure if this is needed or could be eliminated?)

or could I reduce rules to only:

  1. source network : priority WAN 1, WAN 2
  2. source any, destination any : enforced SpeedFusion (which will include any non-DHCP clients on the subnet and all the most important machines on the untagged VLAN.)
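To check the two rule lists against each other, here is a small first-match policy evaluator. It is an added example for this thread, not code from the original post or from Peplink; it assumes outbound policy is evaluated top to bottom with the first matching rule winning, and it uses constructed subnets (192.0.2.0/24 for the untagged VLAN, 198.51.100.0/24 for the WiFi VLAN with a DHCP pool of .100-.199) because the real addresses are not in the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, Union

# Constructed addressing (the original post's subnets and DHCP pool are not on the page).
UNTAGGED_VLAN = ipaddress.ip_network("192.0.2.0/24")      # LAN ports 1-6: important devices
WIFI_VLAN = ipaddress.ip_network("198.51.100.0/24")       # LAN port 7: unmanaged access point
# DHCP pool on the WiFi VLAN; addresses outside it are left for manually configured clients.
WIFI_DHCP_POOL = (ipaddress.ip_address("198.51.100.100"),
                  ipaddress.ip_address("198.51.100.199"))

Source = Union[str, ipaddress.IPv4Network,
               Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]]


@dataclass(frozen=True)
class Rule:
    name: str
    src: Source                 # "any", a network, or an inclusive (first, last) address range
    dst_port: Optional[int]     # None means any destination
    action: str                 # the WAN selection the rule applies


def src_matches(rule: Rule, src_ip: ipaddress.IPv4Address) -> bool:
    """Does the client address fall inside the rule's source selector?"""
    if rule.src == "any":
        return True
    if isinstance(rule.src, ipaddress.IPv4Network):
        return src_ip in rule.src
    first, last = rule.src
    return first <= src_ip <= last


def evaluate(rules, src_ip: str, dst_port: int = 80) -> Tuple[str, str]:
    """First match wins, top to bottom; returns (rule name, action)."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if src_matches(rule, ip) and rule.dst_port in (None, dst_port):
            return rule.name, rule.action
    raise LookupError("no rule matched; a policy should end with a catch-all rule")


def rules_after_catch_all(rules):
    """Names of rules listed below a source-any/destination-any rule: first-match never reaches them."""
    for i, rule in enumerate(rules):
        if rule.src == "any" and rule.dst_port is None:
            return [r.name for r in rules[i + 1:]]
    return []


# The four-rule list from the post, with the elided sources filled by the constructed selectors.
FOUR_RULE_POLICY = [
    Rule("1 important devices", UNTAGGED_VLAN, None, "enforced SpeedFusion"),
    Rule("2 wifi DHCP clients", WIFI_DHCP_POOL, None, "priority WAN 1, WAN 2"),
    Rule("3 catch-all", "any", None, "enforced SpeedFusion"),
    Rule("4 HTTPS persistence", "any", 443, "persistence"),
]

# The reduced two-rule list from the post.
TWO_RULE_POLICY = [
    Rule("1 wifi DHCP clients", WIFI_DHCP_POOL, None, "priority WAN 1, WAN 2"),
    Rule("2 catch-all", "any", None, "enforced SpeedFusion"),
]

# One representative client of each kind (constructed addresses).
CLIENTS = {
    "server on untagged VLAN": "192.0.2.10",
    "laptop on wifi, DHCP": "198.51.100.150",
    "camera on wifi, static IP": "198.51.100.10",
}


def compare_policies(policy_a, policy_b, clients=CLIENTS, dst_port=80):
    """Map each client to (action under A, action under B, identical?)."""
    result = {}
    for label, ip in clients.items():
        _, a = evaluate(policy_a, ip, dst_port)
        _, b = evaluate(policy_b, ip, dst_port)
        result[label] = (a, b, a == b)
    return result


if __name__ == "__main__":
    for label, (a, b, same) in compare_policies(FOUR_RULE_POLICY, TWO_RULE_POLICY).items():
        print(f"{label:28s} four-rule: {a:24s} two-rule: {b:24s} {'same' if same else 'DIFFERS'}")
    print("unreachable in four-rule policy:", rules_after_catch_all(FOUR_RULE_POLICY))
```

Under these assumptions the two lists pick the same WAN for all three client types, and the evaluator also flags that a rule placed below a source-any/destination-any rule (rule 4 in the four-rule list) is never consulted, so keeping it there changes nothing. Anything on the WiFi VLAN with an address outside the DHCP pool falls through to the catch-all, which is exactly how the static clients end up on SpeedFusion.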

I prefer your third option - I find it quite poetic in its efficiency.
Assume you’re disabling inter-VLAN routing too to keep the VLAN traffic separate?


Thanks very much. Always really appreciate your time.
Yes, I unchecked Inter-VLAN routing under LAN settings.

For belt and braces you may also want to set the internal firewall rules to deny by default, rather than permit.

For outbound policies I generally try to be as specific and explicit in their crafting as possible; generally I do not rely on the default rule to do anything other than act as an action of last resort.