OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: QuisaZaderak on July 23, 2021, 03:17:19 pm

Title: How can I exclude individual devices from accessing the backup connection?
Post by: QuisaZaderak on July 23, 2021, 03:17:19 pm
Hi,

Currently OPNsense 21.1.8_1 is in use.

I use a multi-WAN failover configuration with a fast DSL (but not so reliable) connection with 160 Mbit (Gateway Prio 254) and a fallback LTE connection with 15-30 Mbit (depending on weather) (Gateway Prio 255).

The two ports are entered as a failover group in OPNsense. The failover works well in this respect. Unfortunately, LTE data rates are expensive in Germany and always have low data limits.

Furthermore, the DSL line often fails during summer storms and the local ISP is difficult or impossible to reach on weekends, so repairs sometimes take until Tuesday.

During the last time the DSL was down again, one of my game consoles (unnoticed) started to download a big next-gen game update and quickly reached the data limit on LTE (what a joy throttled 64 kBit/s are).

So now I want to set up a block for several devices in the house (on different VLANs/interfaces) so that they are not allowed to use the replacement connection.

The devices mostly use standard ports or ports that are also used by other devices that should not be blocked. However, I cannot specify a gateway directly in the port rules.

So how can I force a single device to access the Internet only via DSL without affecting the numerous other pass and block rules (which should remain valid)?

Is there a way to force the gateway as desired? If yes, how?

Best regards,

Manuel
Title: Re: How can I exclude individual devices from accessing the backup connection?
Post by: mircsicz on July 24, 2021, 04:50:40 pm
I'd create an alias and bind that to the gateway...

This way the traffic from that IP or MAC can only leave through the specified GW ;-)

(https://snipboard.io/oEtB4J.jpg)
Title: Re: How can I exclude individual devices from accessing the backup connection?
Post by: QuisaZaderak on July 24, 2021, 08:09:41 pm
...and bind that to the gateway...

Creating alias is clear to me, but how do you mean bind to the gateway? Under the gateway itself I don't see a corresponding entry and when I define it as a rule, I must specify a port. And these ports (e.g. 80, 443, 3544, 4500...) are also used by other devices.
Title: Re: How can I exclude individual devices from accessing the backup connection?
Post by: mircsicz on July 24, 2021, 11:22:27 pm
You can also define "any" port but define a gateway for that rule... So if that gateway is unavailable it should work as expected...
Title: Re: How can I exclude individual devices from accessing the backup connection?
Post by: QuisaZaderak on July 26, 2021, 02:35:45 pm
Tested it. Unfortunately, with that "any" port it is allowing all ports for that device, and that is a no-go.

Do I really need to duplicate all existing rules in that interface, changing all existing rules to "all devices except" and "default gateway" and adding for each a new rule "that device" and "DSL gateway"? :o :(
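The rule-pair pattern the last post describes, written out as a hand-written pf ruleset added here for illustration (not OPNsense's generated configuration, and not from anyone in the thread); interface names, the DSL next-hop address and the console addresses are assumed placeholders, and the NAT rules for the DSL interface are omitted:

```pf
# Assumed placeholders: interface names, DSL next hop, console addresses.
dsl_if = "pppoe0"
dsl_gw = "203.0.113.1"
lan_if = "vlan10"

# Alias of the devices that must never use the LTE fallback.
table <consoles> persist { 192.168.10.50, 192.168.20.60 }

# Existing port rule, narrowed to every device except the consoles.
# These hosts keep using the default route, so the failover group
# still applies to them.
pass in quick on $lan_if inet proto tcp from ! <consoles> to any \
    port { 80, 443 } flags S/SA keep state

# Same ports, consoles only, pinned to the DSL next hop with route-to.
# If the DSL gateway is down, this traffic is not rerouted over LTE;
# the consoles simply lose connectivity, which is the intended outcome.
pass in quick on $lan_if route-to ($dsl_if $dsl_gw) inet proto tcp \
    from <consoles> to any port { 80, 443 } flags S/SA keep state

# Repeat the pair for each existing port rule (here the UDP ports named
# in the thread), so the port restrictions stay exactly as before.
pass in quick on $lan_if inet proto udp from ! <consoles> to any \
    port { 3544, 4500 } keep state
pass in quick on $lan_if route-to ($dsl_if $dsl_gw) inet proto udp \
    from <consoles> to any port { 3544, 4500 } keep state

# Everything else from this VLAN stays blocked, as in the original ruleset.
block in quick on $lan_if from any to any
```

Checking the pinned rules is a matter of `pfctl -sr` (the route-to rules should list the DSL next hop) and `pfctl -ss` while a console is active (its states should show the DSL interface); in OPNsense the equivalent pair is one rule with the source alias negated and no gateway, followed by one with the alias and the DSL gateway, both keeping the original port restriction.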