Satelite WAN firewalll

system · April 8, 2022, 9:12am

Hi,

I have a MAX BR1 to setup with a high cost satellite on the WAN port.

Wile using Satellite, I would like to the block everything but specific local IPs or subnet in order for our crew connected to a secondary SSID to be able to access these IPs/subnet.
But as soon as we switch to 4G or Builtin WiFi WAN it let them go through.

Any idea how to set this up ?

Thanks

dennis.hofheinz · April 8, 2022, 9:37am

Hi Florent,

have a look in the Outbound Policys.
Normal User VLAN Priority to 4G, second WiFi WAN
Special User VLAN Priority 4G and second WiFi WAN, third WAN1 (SAT)

thats it

BR
Dennis

system · April 8, 2022, 3:18pm

Hi Dennis,

Thanks for the reply.

Sorry, it will in fact be multiple external access points on the LAN.
Same setup I guess but on the IP Network instead of WiFi WAN ?

dennis.hofheinz · April 8, 2022, 3:20pm

Hi Florent,

I think the Firewall should help here.
to give better answers, I need to know more about your setup, best would be a network plan

BR
Dennis

system · April 8, 2022, 10:08pm

Hi Dennis,
Here’s the plan attached :

Basicaly the admin who’s connected on LAN 1 and WiFi must have full access to the whole network.

Crew members connected to LAN 2 through access points or any switch connected must not have access to the Satellite connected to the WAN port, although they can access GSM (4G/5G) WAN.

Thanks

dennis.hofheinz · April 11, 2022, 6:38am

Hi Florent,

Create a VLAN e.g. 111 for the Admins and a VLAN e.g. 222 for the Crew. Then you can easy use the Firewallroules to disable Crew members to the admin network.

The Admin Laptop is connected ofer WiFi not WiFi WAN I think, isn’t it?
So you can create a Admin WiFi SSID with VLAN 111 on it.

Where are you located?

BR
Dennis

system · April 11, 2022, 7:03am

Hi Dennis,

Yes Admin Laptop connected to WiFi, I meant by that he could use WiFi WAN as he will be close to the router.

This is a boat setup that will travel, there will be multiple external access points to cover each area.

When the Pepwave is set to 5G WAN or WiFi WAN in first priority, Crew should be able to use it.
The only they must not be able to use is the Satellite WAN.

dennis.hofheinz · April 11, 2022, 7:04am

exactly that is doable with the Outbound Policy in my first post

system · April 11, 2022, 7:18am

Ok thank you, so I don’t need to play with firewall rules, Outbound Policy should do the job alone.
Did some tests, I think I got it.

dennis.hofheinz · April 11, 2022, 7:20am

with outbound poilicy you can steer what “outlet” will be used
with Firewall rules you can block the access to different areas.

I would do 3 things:

create 2 VLANs (1 for Admins, 1 for Crew)
create oubound policys
create Firewallroules to block internal access from crew to e.g. the APs (if needed)

BR
Dennis

system · April 11, 2022, 2:57pm

After many tests, the outbound policy does the job.
Created 2 VLANs and disabled WAN for Crew VLAN with the policy.

Thanks a lot Dennis.