Firewall rules modification in Dual WAN config

  • Hi,

    I have 2 VLANs and LAN which are not supposed to talk to each other. On each interface I have two rules which are blocking traffic from that particular interface to the two other internal interfaces.

    So for LAN for example I have Block all IP4 traffic - on all ports - from LAN net - to VLAN80 net - on all ports - on default gateway. And another similar rule for the other VLAN.

    Should I modify those rules after introducing Failover so the gateway is changed from default to Gateway Group (WAN_Failover in my case)?

    Sorry slightly confused about it.

    The aim is that those networks do not talk to each other no matter which WAN interface is in operation due to Failover switch.

    In the documentation there is this info, which did not help me to understand it completely:

    Policy Route Negation

    When a firewall rule directs traffic into the gateway, it bypasses the routing table on the firewall. Policy route negation is just a rule that passes traffic to other local or VPN-connected networks that does not have a gateway set. By not setting a gateway on that rule it will bypass the gateway group and use the routing table on the firewall. These rules should be at the top of the list – or at least above any rules using gateways.


  • Then you can create an outbound rule to exclude all those VLANs explicitly, e.g. on LAN, destination "NOT VLANxxx", protocol "any", Gateway "xxx", does this sound good to you?

  • For block rules there is never any need/point in specifying a gateway. The traffic is being blocked, so there are zero bytes to be sent anywhere - it really does not matter which gateway the zero bytes are sent to  :D
    That Policy Route Negation note is for when you want to pass some traffic locally but you are also using policy routing for Failover/Load-balance to the general internet. You might have a policy-routing rule like:
    IPv4 protocol any, Source LANnet, Destination any, Gateway load-balance-group

    A rule like that will push all traffic arriving on LANnet out the load-balance-group which goes out some WAN(s) to the big bad internet. Even "local" traffic will get pushed out. There is nothing in policy-routing rules to look and see "hey, the destination is a local subnet on this box, I will ignore the specified gateway".

    So before a general policy-routing rule like that, you need to put ordinary pass rules for the local (and intranet) traffic that you want to pass locally.
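    The two points made in this thread (a gateway on a block rule is irrelevant, and a no-gateway pass rule for local traffic must sit above the policy-routing rule) can be checked with a small first-match simulation. This is an added example, not pfSense code or anything from the posters; the subnets, the SERVERS network that LAN is allowed to reach, and the name WAN_Failover are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample subnets (assumptions, not taken from the thread).
LAN = ip_network("192.168.1.0/24")
VLAN80 = ip_network("192.168.80.0/24")
VLAN90 = ip_network("192.168.90.0/24")
SERVERS = ip_network("10.0.50.0/24")   # a local net that LAN *is* allowed to reach
ANY = ip_network("0.0.0.0/0")

@dataclass
class Rule:
    action: str                     # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network
    gateway: Optional[str] = None   # None = no gateway set, so the routing table decides

def evaluate(rules: List[Rule], src_ip: str, dst_ip: str) -> Tuple[str, Optional[str]]:
    """First matching rule wins, as on a pfSense interface rule tab.
    Returns (action, next_hop): next_hop is the gateway/group named on the
    matching pass rule, or "routing-table" when that rule sets none."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst:
            if r.action == "block":
                return ("block", None)        # gateway is irrelevant: nothing is forwarded
            return ("pass", r.gateway or "routing-table")
    return ("block", None)                    # implicit default deny

# A gateway on a block rule changes nothing; the traffic never leaves the box.
BLOCKS_WITH_GW = [Rule("block", LAN, VLAN80, "WAN_Failover"), Rule("block", LAN, VLAN90, "WAN_Failover")]
BLOCKS_NO_GW = [Rule("block", LAN, VLAN80), Rule("block", LAN, VLAN90)]

POLICY_ROUTE = Rule("pass", LAN, ANY, "WAN_Failover")   # everything else goes to the gateway group
LOCAL_PASS = Rule("pass", LAN, SERVERS)                 # "policy route negation": no gateway set

# Wrong: the policy-routing rule sits above the local pass rule and grabs SERVERS traffic too.
WRONG_ORDER = BLOCKS_NO_GW + [POLICY_ROUTE, LOCAL_PASS]
# Right: block rules first, local no-gateway pass rule next, policy-routing rule last.
RIGHT_ORDER = BLOCKS_NO_GW + [LOCAL_PASS, POLICY_ROUTE]

if __name__ == "__main__":
    for name, rules in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        for dst in ("192.168.80.5", "10.0.50.5", "203.0.113.9"):
            print(name, dst, evaluate(rules, "192.168.1.10", dst))
```

With the wrong ordering, traffic from LAN to SERVERS is handed to WAN_Failover instead of being routed locally; with the right ordering it reaches the routing table while internet-bound traffic still uses the group.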
