Firewall rules in recursive WAN failover setup

Hi geeks,

I have one router with dual WAN recursive failover set up. All works OK, but I have some issues with some firewall rules.
add action=drop chain=forward in-interface=vlan10 out-interface=!ether1-WAN
add action=drop chain=forward in-interface=vlan11 out-interface=!ether1-WAN
add action=drop chain=forward in-interface=vlan12 out-interface=!ether1-WAN
add action=drop chain=forward in-interface=vlan14 out-interface=!ether1-WAN
add action=drop chain=forward in-interface=vlan13 out-interface=!ether1-WAN
add action=drop chain=forward dst-address-list=!RRTAP in-interface=vlan15 out-interface=!ether1-WAN
add action=drop chain=forward disabled=yes in-interface=vlan10 out-interface=!ether7-WAN2
add action=drop chain=forward disabled=yes in-interface=vlan11 out-interface=!ether7-WAN2
add action=drop chain=forward disabled=yes in-interface=vlan12 out-interface=!ether7-WAN2
add action=drop chain=forward disabled=yes in-interface=vlan13 out-interface=!ether7-WAN2
add action=drop chain=forward disabled=yes dst-address-list=!RRTAP in-interface=vlan15 out-interface=!ether7-WAN2
add action=drop chain=forward disabled=yes in-interface=vlan14 out-interface=!ether7-WAN2

So one rule is for WAN1 and one rule for WAN2. I had to disable all WAN2-related rules, as connections get messed up and people complain about losing connectivity.
Should I script it so that if WAN1 is down, the WAN1 rules are switched off and the WAN2 rules brought up, and vice versa? Or should I use another way advised by you? Thanks in advance.

1 + 1 = 0…

add action=drop chain=forward in-interface=vlan10 out-interface=!ether1-WAN

add action=drop chain=forward in-interface=vlan10 out-interface=!ether7-WAN2

(first drops ALL non-ether1) + (second drops ALL non-ether7) = drop ALL traffic (regardless of whether it is ether1 or ether7)


BUT… why care if some internal traffic goes out through one WAN?
If it is unwanted, the problem is in other parts of the configuration, like routes or firewall NAT, with connection tracking not cleared after the WAN change.

The approach is incorrect in two ways.
One uses source NAT and IP routes for traffic rules (both NATting and flow).
If basic rules are not enough, one uses mangling to control the flow of packets.

Firewall rules are just doors that open and close; they are not smart enough to direct traffic.
That being said, let's say you have 20 VLANs and you want to block traffic between them.
One rule will do it all at the end of the forward chain.

add chain=forward action=drop
DONE: all traffic between VLANs is dropped and, more widely, ALL TRAFFIC to the LAN and from the LAN is stopped.

Before this rule you will then need to put in what you wish to allow, typically:
allow LAN to WAN traffic;
allow access to shared devices (such as a printer).

Suggesting: forget the config and clearly state what you are trying to achieve; it's not clear what the problem is…
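As an added example (not the poster's configuration and not RouterOS code), here is a small first-match model of the forward chain that shows both points made in the replies: the two negated out-interface drops from the first post cancel each other and drop everything from vlan10, while an allow-then-drop-all layout permits WAN traffic on either uplink and still blocks inter-VLAN traffic. Interface and address-list names come from the thread; the RRTAP member address 192.0.2.10 and the destination addresses are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed: contents of the RRTAP address list (e.g. a shared printer).
RRTAP = {"192.0.2.10"}


@dataclass
class Rule:
    action: str                    # "accept" or "drop"
    in_if: Optional[str] = None    # None matches any interface
    out_if: Optional[str] = None   # leading "!" negates, as in RouterOS
    dst_list: Optional[str] = None # address-list name, "!" negates


def _match(want: Optional[str], have: str) -> bool:
    """Match one interface field; a leading '!' negates the comparison."""
    if want is None:
        return True
    if want.startswith("!"):
        return have != want[1:]
    return have == want


def forward(rules, in_if: str, out_if: str, dst: str) -> str:
    """First matching rule decides; with no match the chain accepts."""
    for r in rules:
        if not _match(r.in_if, in_if) or not _match(r.out_if, out_if):
            continue
        if r.dst_list is not None:
            negate = r.dst_list.startswith("!")
            in_list = r.dst_list.lstrip("!") == "RRTAP" and dst in RRTAP
            if in_list == negate:      # list test failed for this rule
                continue
        return r.action
    return "accept"


# The poster's per-WAN pair for vlan10, both enabled at the same time.
ORIGINAL = [
    Rule("drop", in_if="vlan10", out_if="!ether1-WAN"),
    Rule("drop", in_if="vlan10", out_if="!ether7-WAN2"),
]

# Allow what is wanted first, then a single final drop.
RESTRUCTURED = [
    Rule("accept", out_if="ether1-WAN"),
    Rule("accept", out_if="ether7-WAN2"),
    Rule("accept", dst_list="RRTAP"),
    Rule("drop"),
]


def compare(in_if: str, out_if: str, dst: str = "198.51.100.1"):
    """Return (verdict under ORIGINAL, verdict under RESTRUCTURED)."""
    return (forward(ORIGINAL, in_if, out_if, dst),
            forward(RESTRUCTURED, in_if, out_if, dst))
```

`compare("vlan10", "ether1-WAN")` and `compare("vlan10", "ether7-WAN2")` both come back as dropped under the original pair and accepted under the restructured chain, while inter-VLAN traffic stays dropped in both.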