Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Firewall rules modification in Dual WAN config

    Routing and Multi WAN
    3
    3
    797
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      sebna
      last edited by

      Hi,

      I have 2 Vlans and LAN which are not supposed to talk to each other. On each interface I have two rules which are blocking traffic from particular interface to two other internal interfaces.

      So for LAN for example I have Block all IP4 traffic - on all ports - from LAN net -  to VLAN80 net - on all ports - on default gateway. And another similar rule for other VLAN.

      Should I modify those rules after introducing Failover so the gateway is changed from default to Gateway Group (WAN_Failover in my case)?

      Sorry slightly confused about it.

      The aim is that those networks do not talk to each other no matter which WAN interface is in operation due to Failover switch.

      In documentation there is this info which did not help me to understand it completely:

      Policy Route Negation

      When a firewall rule directs traffic into the gateway, it bypasses the routing table on the firewall. Policy route negation is just a rule that passes traffic to other local or VPN-connected networks that does not have a gateway set. By not setting a gateway on that rule it will bypass the gateway group and use the routing table on the firewall. These rules should be at the top of the list – or at least above any rules using gateways.

      Thanks

      1 Reply Last reply Reply Quote 0
      • E
        edwardwong
        last edited by

        Then you can create an outbound rule to exclude all those VLANs explicitly, e.g. on LAN, destination "NOT VLANxxx", protocol "any", Gateway "xxx", does this sound good to you?

        1 Reply Last reply Reply Quote 0
        • P
          phil.davis
          last edited by

          For block rules there is never any need/point in specifying a gateway. The traffic is being blocked, so there are zero bytes to be sent anywhere - it really does not matter which gateway the zero bytes are sent to  :D
          That Policy Route Negation note is for when you want to pass some traffic locally but you are also using policy routing for Failover/Load-balnce to the general internet. You might have a policy-routing rule like:
          IPv4 protocol any, Source LANnet, Destination any, Gateway load-balance-group

          A rule like that will push all traffic arriving on LANnet out the load-balnace-group which goes out some WAN(s) to the big bad internet. Even "local" traffic will get pushed out. There is nothing in policy-routing rules to look and see "hey, the destination is a local subnet on this box, I will ignore the specified gateway".

          So before a general policy-routing rule like that, you need to put ordinary pass rules for the local (and intranet) traffic that you want to pass locally.

          As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
          If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.