Satelite WAN firewalll


I have a MAX BR1 to setup with a high cost satellite on the WAN port.

Wile using Satellite, I would like to the block everything but specific local IPs or subnet in order for our crew connected to a secondary SSID to be able to access these IPs/subnet.
But as soon as we switch to 4G or Builtin WiFi WAN it let them go through.

Any idea how to set this up ?


Hi Florent,

have a look in the Outbound Policys.
Normal User VLAN Priority to 4G, second WiFi WAN
Special User VLAN Priority 4G and second WiFi WAN, third WAN1 (SAT)

thats it


Hi Dennis,

Thanks for the reply.

Sorry, it will in fact be multiple external access points on the LAN.
Same setup I guess but on the IP Network instead of WiFi WAN ?

Hi Florent,

I think the Firewall should help here.
to give better answers, I need to know more about your setup, best would be a network plan


Hi Dennis,
Here’s the plan attached :

Basicaly the admin who’s connected on LAN 1 and WiFi must have full access to the whole network.

Crew members connected to LAN 2 through access points or any switch connected must not have access to the Satellite connected to the WAN port, although they can access GSM (4G/5G) WAN.


Hi Florent,

Create a VLAN e.g. 111 for the Admins and a VLAN e.g. 222 for the Crew. Then you can easy use the Firewallroules to disable Crew members to the admin network.

The Admin Laptop is connected ofer WiFi not WiFi WAN I think, isn’t it?
So you can create a Admin WiFi SSID with VLAN 111 on it.

Where are you located?


Hi Dennis,

Yes Admin Laptop connected to WiFi, I meant by that he could use WiFi WAN as he will be close to the router.

This is a boat setup that will travel, there will be multiple external access points to cover each area.

When the Pepwave is set to 5G WAN or WiFi WAN in first priority, Crew should be able to use it.
The only they must not be able to use is the Satellite WAN.

exactly that is doable with the Outbound Policy in my first post

Ok thank you, so I don’t need to play with firewall rules, Outbound Policy should do the job alone.
Did some tests, I think I got it.

with outbound poilicy you can steer what “outlet” will be used
with Firewall rules you can block the access to different areas.

I would do 3 things:

  1. create 2 VLANs (1 for Admins, 1 for Crew)
  2. create oubound policys
  3. create Firewallroules to block internal access from crew to e.g. the APs (if needed)


After many tests, the outbound policy does the job.
Created 2 VLANs and disabled WAN for Crew VLAN with the policy.

Thanks a lot Dennis.