I have 2 Max HD2 routers configured as a layer 2 bridge over pepvpn, utilising 4G LTE as the WAN link (at both ends).
I’d like to restrict the traffic/ports (primarily multicast video) from crossing the bridge. I thought this could be accomplished by the incoming/outgoing firewall settings on both routers (eg, block all UDP on the known multicast ports). However none of the firewall settings appear to function/block any traffic. Is this expected behavior with the layer 2 bridge configuration in place, or am I missing something? Running firmware 6.3.2 on both.
The layer 2 bridge approach is highly desirable for this scenario, so I’d prefer to keep it if possible.
This is the reason people use Layer 2 tunneling, because they need the multicast, broadcast, etc traffic going across. Why do you feel you need to do the tunnel at layer 2? Especially since you are using cellular for your links…
I am attempting to extend what would normally be a simple ethernet cable connection to operate over cellular, but with the addition of some traffic limitations.
The two primary reasons why the layer 2 is desirable;
Some client devices (port servers, video datalinks) are not reconfigurable. The client devices must communicate in their native ‘just an ethernet cable’ scenario, where locked device configurations (including static network configs) are pushed across regularly.
There are a number of multicast streams on the network, the end scenario is I would like to limit which ones can pass, not completely block all multicast. It’s just easier to start by blocking everything and work back from there.
I tried a standard pepvpn setup initially, but as I cannot re-configure the client devices to look for a gateway it didn’t get very far.
Hope that helps. Are you saying it’s not possible with the layer 2 bridge?
Since you bridged both sides with Layer 2 SpeedFusion, both sides are communicating in layer 2 only (using MAC address to communicate). Hence, the firewall filtering (layer 4 and above) will not filter traffic for layer 2. To make it simple, both HD4 will act as a layer 2 switches after Layer 2 SpeedFusion was established.
Can share the graphical network diagram with IP address to illustrate the requirement? I can provide better advice after having better understanding on your environment.
Obviously the Layer 2 bridge mode works in-line with no configuration changes, but without being able to limit the multicast traffic it is unsuitable for an LTE connection.
The Video datalink cannot be reconfigured (default gateway 0.0.0.0). In previous tests with pepvpn and different subnets on either side, the video datalink was unreachable.
Seem the above network design is in Layer 2, you have layer 3 network (Other sites) connected to the same network ? Can you please include the layer 3 network info (different subnets on other side) into the diagram as well ? This will help us to give the correct suggestion. Beside that, may i know what is the traffics direction/type for other sites to the video datalink ?
