MAC address-based Policy Routing with Dual WAN

Difficulty:  Expert

Minimum firmware version:  18.1.29

Goal

To use the 6350-SR's cellular modem in tandem with its primary WAN Ethernet port, but only allow devices with certain MAC addresses access to the cellular modem's Internet connection.

Setup

This article assumes the LAN ports are operating under default settings, which provide DHCP connectivity to devices connected to the 6350-SR's LAN ports.  For more details on the default settings of the 6350-SR, see the Default Settings section of the 6350-SR User's Manual.

For this setup, you will need the 6350-SR with both a primary WAN Ethernet connection and a cellular modem connection.

You will also need the MAC address of each client device that should always use the cellular modem connection.

Sample

The sample configuration below shows a 6350-SR with two Internet connections: a cellular-based WAN connection through the 6350-SR's modem, and a broadband-based WAN connection through the 6350-SR's WAN Ethernet port.  

This setup shows two client devices on a 6350-SR's LAN ports: a VoIP phone and a laptop. The VoIP phone and the laptop receive their IP addresses via DHCP from the 6350-SR.

The policy-based routing we are going to set up will accomplish the following:

  1. The 6350-SR uses the Ethernet WAN as its primary interface.
  2. The 6350-SR has a cellular modem connection, used as a secondary WAN interface.
  3. The 6350-SR will drop packets from all LAN devices except the media PC, preventing them from going out the cellular modem interface.

Sample Configuration

Open the configuration profile for the 6350-SR and make the following changes.

  1. Under Firewall -> Zones, add two new zones, one labelled modemwan, and another labelled ethernetwan.  Ensure the source NAT option is selected for both new zones.
  2. Under Modem, set the Zone to modemwan.
  3. Under Network -> Interfaces -> WAN, set the Zone to ethernetwan.
  4. Under Network -> Routes -> Policy-based routing, set up a new policy with the following settings:
    1. Interface:  Modem
    2. Source address -> Type:  MAC address
    3. Source address -> MAC address:  52:54:00:c2:a5:43
    4. Destination address -> Type:  Zone
    5. Destination address -> Zone:  modemwan
  5. Under Firewall -> Packet filtering, set up two rules to accomplish the following:
    1. Reject all other LAN packets on the cellular modem interface.
    2. Allow LAN packets to go through the Ethernet WAN interface.
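
The script below is an added example, not part of the original article or the 6350-SR's own configuration format: it prints (without executing) an approximate equivalent of steps 1, 4 and 5 for a generic Linux router using iptables and iproute2. The interface names br-lan, wwan0 and eth0, the firewall mark 0x64 and routing table 100 are assumptions; the MAC address is the one from the sample policy.

```shell
#!/bin/sh
# Added example: generic Linux equivalent of the policy above (dry run only).
# Interface names, mark and table id are assumptions, not 6350-SR values.
LAN_IF="${LAN_IF:-br-lan}"        # assumed LAN bridge
MODEM_IF="${MODEM_IF:-wwan0}"     # assumed cellular interface (zone modemwan)
ETH_WAN_IF="${ETH_WAN_IF:-eth0}"  # assumed Ethernet WAN (zone ethernetwan)
MARK=0x64                          # arbitrary firewall mark
TABLE=100                          # arbitrary routing table id

# Return 0 only for six colon-separated hex octets.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print the rule set for the MAC addresses given as arguments.
emit_rules() {
    # Validate everything first so a bad entry never yields a partial rule set.
    for mac in "$@"; do
        valid_mac "$mac" || { echo "invalid MAC: $mac" >&2; return 1; }
    done
    # Step 1: source NAT on both WAN zones.
    echo "iptables -t nat -A POSTROUTING -o $MODEM_IF -j MASQUERADE"
    echo "iptables -t nat -A POSTROUTING -o $ETH_WAN_IF -j MASQUERADE"
    # Step 4: mark traffic from listed MACs and route marked traffic via the modem.
    for mac in "$@"; do
        echo "iptables -t mangle -A PREROUTING -i $LAN_IF -m mac --mac-source $mac -j MARK --set-mark $MARK"
    done
    echo "ip route add default dev $MODEM_IF table $TABLE"
    echo "ip rule add fwmark $MARK lookup $TABLE"
    # Step 5: order matters, the ACCEPT for marked traffic must precede the REJECT.
    echo "iptables -A FORWARD -i $LAN_IF -o $MODEM_IF -m mark --mark $MARK -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -o $MODEM_IF -j REJECT"
    echo "iptables -A FORWARD -i $LAN_IF -o $ETH_WAN_IF -j ACCEPT"
}

# Dry run with the MAC address from the sample policy.
emit_rules 52:54:00:c2:a5:43
```

A source-MAC match only identifies devices on the same layer-2 segment as the router, and a client can change its MAC address, so this policy steers traffic rather than authenticating devices.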