URL Filtering by WAN
Hi,
I have received reports from some customers in a certain region who use unreliable internet service providers.
Current scenario:
WAN1 - ISP 1 ([fiber/FTTH] fast and unlimited)
WAN2 - ISP 2 ([cable/HFC] slow and unlimited)
WAN3 - ISP 3 ([cellular networks 3G/4G] very slow and limited to 20 GB per month)
WAN1 and WAN2 can be used without any access restrictions.
WAN3 is configured as a "Backup WAN" and should only be used if WAN1 and WAN2 are offline.
The settings (OC200) under Network Config -> Internet are as follows:
Load Balancing Weight: 20:1
Application Optimized Routing: True
Link Backup: True
Primary WAN: [WAN1, WAN2]
Backup WAN: [WAN3]
Failover Mode: Enable backup link when all primary WANs fail
Recover Mode: Always Link Primary
While WAN1 and/or WAN2 are available, network users may be using services that generate high data traffic (downloads and uploads), such as streaming and gaming, for example.
When WAN1 and WAN2 go down, the backup link (WAN3) is activated, and if traffic continues, the data allowance from ISP 3 is reset to zero within a few minutes.
What I want to do is allow only certain URLs to be accessed via WAN3, such as banking websites, government websites, and the ERP system website.
Can someone help me configure it so that URL filtering can be applied only to WAN3?
I've already looked all over the web interface, but I can't find it; I think it might have to be done via the CLI.
Thank you in advance.
You should be able to achieve this with policy routing
Create the following policy routing rule, make sure the "Use the other WAN port...." checkbox is NOT ticked. This will force all internet access over either of your primary WANs (you need to select wan 1 and 2 in the WAN box)
Then create a domain group, enter in the URLs you want to permit over the backup wan 3
Create another policy route rule, set the destination as the domain group you made, and TICK the box that says "Use other WAN ports...", and select all three WANs in the wan box
This is the only way i can think of to achieve this right nw - load balancing should force all URLs to primarily use wan 1 and 2 as necessary, you shouldnt see any traffic over wan 3 with these policy routes unless the main ones go down....i think
You may actually need to create the specific domain group rule first, im not sure if policy routing follows the top down first match wins like ACLs do, might need to play around with it
Thank you very much for your reply.
I set up a test lab at home and spent the whole day running tests before changing the settings on the customer's network, but I only have two WANs.
WAN2 - ISP 1 (fast and unlimited)
WAN3 - ISP 2 (slow and limited)
I think I did what you described, and unfortunately it didn't work out that way, but it showed me a direction to continue researching routing, since I believe the firewall should be handling that task.
I tried reversing the order because of the "first match wins" rule, but it didn't work.
While reading the Omada manual, I saw that if Link Backup was enabled, it would take priority in routing, so I disabled it.
It seems to have worked, but not consistently, since the domain registration in "Allows Domain" behaves very unpredictably and fails or works inconsistently.
I added the domain "*.wikipedia..." to the list, and that alone should have been enough, but:
*I had to post an image because you can't post text from links.
A few coworkers and I are going to keep trying, but it’s really frustrating.
I had already been looking into changing the operating system on the ER7206, but unfortunately, it's not possible.