How to block a port from WAN 2 on Failover





I have an MX68 (no built-in cellular), a new install with two Netgear switches, each on a different LAN. Voice on one switch and data on the other. I have a fibre link coming into WAN 1, which is primary. WAN 2 is a cellular router and is set to fail over from WAN 1.


Data LAN (switch V1) carries the data for all users and connects to port 3 on the MX.


Voice LAN (switch V2) carries the VoIP for all phones and connects to port 4 on the MX.


What I would like to do is, if there is a failover, only allow data from V2 out WAN 2 until WAN 1 comes back on.


Is this accomplished by putting a rule in the firewall that blocks all traffic from port 3 going to port 2?


Will this have any adverse effects?


Would it look like this:


Policy   Protocol   Source   Src port   Destination   Dst port   Comment
DENY     ANY        3                   2



Do I need to add anything to the route table?




Sorry about the poor typing. Wrote this without my glasses...


The best option for you is using the SD-WAN on your MX.

You can set different firewall rules defined by subnet or service.


Security & SD-WAN --> SD-WAN & Traffic Shaping





Johnny Fernandez
Network & Security Engineer

If you open a support ticket you can ask them to make WAN2 act like the cellular circuit.


Then you can use the cellular firewall rules. 


Note that after doing this, the cellular modem can strictly only be used for failover.
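The cellular firewall rules described above are matched on addresses, not on physical MX ports, so the "only V2 during failover" requirement has to be written as an allow for the voice subnet followed by a deny for everything else. The following is an added example, not code from the thread or from Cisco Meraki: it builds that rule list in the same field layout the Meraki dashboard API uses for L3 and cellular firewall rules (policy, protocol, srcCidr, srcPort, destCidr, destPort, comment) and evaluates a few constructed flows against it with first-match semantics and the implicit default allow at the end. The two subnets are placeholders, since the thread does not give the real ones, and the PUT endpoint named in the comment is my understanding of the API, not something taken from the posts.

```python
"""Added example: model a WAN2/cellular rule set for the failover case above.

Assumptions (not from the thread): the voice LAN (switch V2, MX port 4) and data
LAN (switch V1, MX port 3) sit on the placeholder subnets below, and the rule
objects follow the field names the Meraki dashboard API uses for firewall rules.
"""
import ipaddress
import json

VOICE_SUBNET = "192.168.20.0/24"   # constructed placeholder for switch V2
DATA_SUBNET = "192.168.10.0/24"    # constructed placeholder for switch V1

# Rules are evaluated top-down; the first match decides, and a flow that matches
# nothing hits the default allow that sits at the end of every Meraki L3 rule list.
CELLULAR_RULES = [
    {"policy": "allow", "protocol": "any", "srcCidr": VOICE_SUBNET, "srcPort": "Any",
     "destCidr": "Any", "destPort": "Any",
     "comment": "VoIP (V2) may use the cellular uplink during failover"},
    {"policy": "deny", "protocol": "any", "srcCidr": "Any", "srcPort": "Any",
     "destCidr": "Any", "destPort": "Any",
     "comment": "Everything else stays off the cellular uplink"},
]


def _cidr_match(spec, ip):
    """'Any' or a comma-separated list of CIDRs, as the dashboard accepts."""
    if spec.lower() == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c.strip(), strict=False)
               for c in spec.split(","))


def _port_match(spec, port):
    """'Any', single ports or ranges such as '5060-5061', comma-separated."""
    if spec.lower() == "any":
        return True
    for part in (p.strip() for p in spec.split(",")):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def _proto_match(spec, proto):
    return spec.lower() in ("any", proto.lower())


def evaluate(rules, flow):
    """Return (policy, comment) of the first matching rule, else the default allow."""
    for rule in rules:
        if (_proto_match(rule["protocol"], flow["protocol"])
                and _cidr_match(rule["srcCidr"], flow["src"])
                and _port_match(rule["srcPort"], flow["sport"])
                and _cidr_match(rule["destCidr"], flow["dst"])
                and _port_match(rule["destPort"], flow["dport"])):
            return rule["policy"], rule["comment"]
    return "allow", "implicit default allow"


# Constructed sample flows: one SIP call from the voice LAN, one HTTPS session
# from the data LAN. Destinations are documentation-range addresses.
SAMPLE_FLOWS = {
    "voice_sip": {"protocol": "udp", "src": "192.168.20.15", "sport": 5060,
                  "dst": "203.0.113.5", "dport": 5060},
    "data_https": {"protocol": "tcp", "src": "192.168.10.40", "sport": 51000,
                   "dst": "203.0.113.9", "dport": 443},
}


def summarize(rules=CELLULAR_RULES, flows=SAMPLE_FLOWS):
    """Map each sample flow name to the policy it would receive on WAN2."""
    return {name: evaluate(rules, flow)[0] for name, flow in flows.items()}


def api_payload(rules=CELLULAR_RULES):
    """Body shape for PUT /networks/{id}/appliance/firewall/cellularFirewallRules
    (assumption about the endpoint; the ruleset itself is the part that matters)."""
    return json.dumps({"rules": rules}, indent=2)


if __name__ == "__main__":
    print(summarize())                              # voice allowed, data denied
    print(summarize(list(reversed(CELLULAR_RULES))))  # deny-first blocks voice too
    print(api_payload())
```

Reversing the two rules shows why order matters: with the catch-all deny on top, the voice subnet never reaches its allow and VoIP would also be cut off during failover. An empty list is worth checking as well, because the implicit default allow means "no rules" is the opposite of "block everything".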

@PhilipDAth   This is what we do. Works well. You can also apply it at the template level and it will propagate to all networks on that template.


I was really happy to find this feature here in the community and immediately opened a support case to activate it.
Unfortunately, I was told that this feature is for internal testing only, because after a firmware upgrade it would be gone.
What are your experiences? I urgently need the possibility to configure such FW rules.

I have done several firmware upgrades and the feature is still there.


One thing to note here. If this traffic is flowing over a Site-to-Site/Meraki AutoVPN, the cellular FW rules will not have any effect.

That's not how it works for us. The rules are applied to all traffic coming through the firewall. Even traffic between VLANs where the default gateway resides on the MX is subject to the firewall rules configured.
