Outbound rules on SOHO MK3


#1

I have a SOHO MK3 and intended to use it to provide cellular failover for certain endpoints while blocking other endpoints. Prior to purchasing, I reviewed the manual for v6.3.3 to confirm it would fit my needs.

Now that I have the device and have configured it, I am running into an issue.
Under Advanced / PepVPN / Rules, I have a default any/any rule (at the bottom) set for “Priority” algorithm with “WAN: WAN” at the top and “WAN: Wi-Fi WAN” below it. “WAN: USB” is under the “Not in Use” heading.

For the devices that are supposed to be able to communicate over the USB modem, I have individual rules to allow them based on source IP. These are also Priority rules but include “WAN: USB” as the third/bottom connection option.

Generally, this works well. When I drop the wired WAN connection, the USB connection comes up and the devices allowed out work as expected while other devices are not allowed to traverse the USB connection.

However:

I have one device that, despite rules set otherwise, is still allowed to communicate out over the USB WAN connection. I have created an “Enforced” rule to set this device’s IP to “WAN: WAN” and tried a rule to set the device’s MAC address enforced as well. Despite these rules, this device continues to be allowed out over the USB connection. For what it’s worth, the device is an Aruba RAP-3WN remote access point that tunnels back to my office.

I’ve contacted support from the reseller that I purchased the SOHO from but that ended with a declaration that the rules on the SOHO are meant for the PepVPN and aren’t really intended to do what I am trying to do.

Before returning the device, I wanted to check here first in hopes of finding some better news.


#2

Does the discussion in this post below help? You might have to use the Outbound Policy stuff, not just the Firewall Rules.


#3

mjburns -
Thanks for the pointer but those are the policies I am using (they are under Advanced > PepVPN > Rules on the SOHO). I don’t have any firewall rules in play at this point.


#4

Can you provide the screenshots below?

  • The sequence of the Outbound Policy (Advanced > PepVPN > Rules).
  • The detailed settings of each rule (Advanced > PepVPN > Rules > click the rule).

Please share your firmware version.


#5

TK_Liew -
I’m running v6.3.3 as was shipped on my SOHO MK3.

I tried to post the screenshots but am apparently only allowed to post one image.

Here are my rules:

The first two rules are for the same device, one by destination IP and one by MAC (I’ve also had the same behavior with source IP, I just didn’t have that rule configured at the time I took the screenshot). Both are set to enforce Wi-Fi WAN, which isn’t connected. Despite this rule, this device is able to connect out over WAN and USB.

The 3rd, 4th, and 5th rules are for devices that are supposed to be able to communicate over USB when that is the active connection; this all works as expected.

The 6th/last rule, “Traffic default”, allows everything else to use WAN and Wi-Fi WAN but not USB. With the exception of the Aruba device, this also works as expected.

When I have the WAN disconnected/unavailable and the SOHO has made the USB connection active, my “Active Sessions” shows two sessions that should be permitted and one session from 192.168.50.24 that should not.


#6

Please disable IPsec NAT-T and try again. Please find the screenshot below for better understanding.


#7

Perfect, that absolutely was the problem. Thank you for the help!
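The following is an added illustration, not code from the original thread or from Peplink: a small Python model of how a first-match outbound policy of the kind described in #5 (enforced and priority rules, a default rule without USB) decides which WAN a flow leaves on, and how a service that is handled before the policy runs can appear to ignore it, as in the IPsec NAT-T case resolved in #6. The rule set, IP addresses and the assumption that enabled NAT-T passthrough forwards UDP 500/4500 on the first available WAN before the outbound policy is consulted are all constructed for this example; the real firmware's internals are not documented on this page.

```python
"""Toy model of first-match outbound policy evaluation with a pre-policy passthrough.

Constructed example reproducing the thread's scenario; not the device's real code.
"""
from dataclasses import dataclass
from typing import Optional

# WAN labels as they appear in the thread.
WAN, WIFI_WAN, USB = "WAN", "Wi-Fi WAN", "USB"
WAN_ORDER = (WAN, WIFI_WAN, USB)
IPSEC_UDP_PORTS = {500, 4500}  # IKE and NAT-T


@dataclass
class Rule:
    name: str
    algorithm: str            # "priority" or "enforced"
    wans: list                # ordered; an enforced rule uses wans[0] only
    src_ip: Optional[str] = None   # None means "any"
    dst_ip: Optional[str] = None
    mac: Optional[str] = None

    def matches(self, flow: dict) -> bool:
        return all(
            want is None or flow.get(key) == want
            for key, want in (("src_ip", self.src_ip),
                              ("dst_ip", self.dst_ip),
                              ("mac", self.mac)))


def select_wan(flow: dict, rules: list, wan_up: dict,
               ipsec_nat_t_enabled: bool) -> Optional[str]:
    """Return the WAN the flow leaves on, or None if the policy blocks it."""
    # Assumption (to model the behaviour seen in the thread): with IPsec NAT-T
    # passthrough enabled, IKE/NAT-T traffic is forwarded before the outbound
    # policy runs, on the first WAN that is up, so no rule ever sees it.
    if (ipsec_nat_t_enabled and flow["proto"] == "udp"
            and flow["dst_port"] in IPSEC_UDP_PORTS):
        return next((w for w in WAN_ORDER if wan_up.get(w)), None)

    for rule in rules:                      # first matching rule wins
        if not rule.matches(flow):
            continue
        if rule.algorithm == "enforced":    # only that WAN, even if it is down
            return rule.wans[0] if wan_up.get(rule.wans[0]) else None
        # priority: the highest-listed WAN that is currently up
        return next((w for w in rule.wans if wan_up.get(w)), None)
    return None  # no rule matched (a default any/any rule normally prevents this)


# Constructed rule set mirroring the six rules described in #5.
RULES = [
    Rule("aruba by IP", "enforced", [WIFI_WAN], src_ip="192.168.50.24"),
    Rule("aruba by MAC", "enforced", [WIFI_WAN], mac="00:11:22:33:44:55"),
    Rule("allowed 1", "priority", [WAN, WIFI_WAN, USB], src_ip="192.168.50.10"),
    Rule("allowed 2", "priority", [WAN, WIFI_WAN, USB], src_ip="192.168.50.11"),
    Rule("allowed 3", "priority", [WAN, WIFI_WAN, USB], src_ip="192.168.50.12"),
    Rule("Traffic default", "priority", [WAN, WIFI_WAN]),  # no USB: blocked on failover
]

# Constructed flows: the Aruba tunnel (IKE/NAT-T), a permitted host, a random host.
FLOWS = {
    "aruba":   {"src_ip": "192.168.50.24", "mac": "00:11:22:33:44:55",
                "proto": "udp", "dst_port": 4500},
    "allowed": {"src_ip": "192.168.50.10", "proto": "tcp", "dst_port": 443},
    "other":   {"src_ip": "192.168.50.77", "proto": "tcp", "dst_port": 443},
}


def failover_scenario(ipsec_nat_t_enabled: bool) -> dict:
    """Wired WAN and Wi-Fi WAN down, USB modem active: which WAN does each host get?"""
    wan_up = {WAN: False, WIFI_WAN: False, USB: True}
    return {name: select_wan(flow, RULES, wan_up, ipsec_nat_t_enabled)
            for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for setting in (True, False):
        print(f"IPsec NAT-T enabled={setting}: {failover_scenario(setting)}")
```

With NAT-T passthrough on, the model sends the Aruba flow out over USB even though both of its enforced rules point at a WAN that is down, which is exactly the stray session from 192.168.50.24 reported in #5; turning the passthrough off makes the enforced rule apply and the flow is dropped, matching the outcome in #7. The practical check this suggests is to review any passthrough or helper feature that is evaluated before the outbound policy whenever a host seems to ignore an enforced rule.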