Looking to protect mission-critical services on a dedicated SSID when on failover SIM.

RUT955 has 2 SIMs in it:

SIM1 (primary) - high usage amount/low cost/data cap

SIM2 - low usage/high cost/no cap

I want to allow a particular mission-critical SSID and a LAN port to have access to the internet when SIM1 is up, but if it fails over to SIM2 (due to exhausted data limit), only allow the local SSID to be used and stop LAN traffic.

Does anyone know if this is possible - maybe with a user script?



I assume there is a reason why you are using the legacy firmware?

Firewall can be used in your case.

By default, both wired LAN and WiFi are in the same LAN zone. The same applies to both mobile interfaces - both are in the WAN zone.

So first, you need to separate the LAN into distinct zones. There are a couple of ways to achieve this. I would suggest taking a look at VLANs. We have a Wiki article here that describes how to manage communications between VLANs. The same principles can be applied to your case. VLAN configuration examples can be found here.

So when you have VLAN configured on your LAN ports, then you can separate mob1s2a1 from the WAN. Edit and remove the mob1s2a1 (SIM2) interface from the WAN zone. Create a new mobile2 zone for mob1s2a1 (where mob1s2a1 is in covered networks). After that, for the VLAN zone, allow routing only to the WAN zone (where wired WAN and mob1s1a1 (SIM1) interfaces are). For your normal LAN zone, where your WiFi network is, allow routing to both zones, WAN and the new mobile2 zone. This way, the VLAN network will only be able to access the internet via wired WAN and mob1s1a1, but the devices in the WiFi zone will be able to access wired WAN, mob1s1a1, and mob1s2a1.

One of the alternatives to VLANs would be to create a new WiFi instance (SSID), put it into a separate (new) network, then allow it to access WAN and mobile2 zones, while limiting LAN zone to only WAN.
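As an added illustration (not from the thread and not Teltonika's own configuration), the zone split described above written as an excerpt of /etc/config/firewall in the OpenWrt UCI syntax the legacy RUT9XX firmware uses; the logical interface names 'vlan' (the tagged VLAN holding the LAN port) and 'wan' (wired WAN) are assumed, while mob1s1a1 and mob1s2a1 are the SIM interface names from the answer:

```config
# Constructed /etc/config/firewall excerpt for the RUT955 (legacy FW).
# Zone names and the 'vlan' / 'wan' interface names are assumptions.

# WiFi SSID plus untagged LAN: may use SIM1, wired WAN and SIM2.
config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

# Tagged VLAN carrying the LAN port: must never reach SIM2.
config zone
    option name 'vlan'
    list network 'vlan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

# Wired WAN and SIM1 stay together in the default WAN zone.
config zone
    option name 'wan'
    list network 'wan'
    list network 'mob1s1a1'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

# SIM2 alone, after removing mob1s2a1 from the 'wan' zone.
config zone
    option name 'mobile2'
    list network 'mob1s2a1'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

# Forwardings: lan -> wan and lan -> mobile2, vlan -> wan only.
config forwarding
    option src 'lan'
    option dest 'wan'

config forwarding
    option src 'lan'
    option dest 'mobile2'

config forwarding
    option src 'vlan'
    option dest 'wan'
```

Because there is deliberately no `vlan -> mobile2` forwarding, traffic from the VLAN port is rejected once the router has failed over to mob1s2a1, while the WiFi zone keeps working; after editing, reload with `/etc/init.d/firewall restart` and confirm from a VLAN client that it can no longer reach the internet on SIM2.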

Hello Andzej,

Thank you for such a comprehensive answer; it's really helpful. I will work through it and test it.

I wish I could run the newer firmware; however, it's not supported on my model: RUT955H7VXXX. I've been hoping at some point, it would be.

Hi Ben,

That's unfortunate that you cannot install the new firmware.

By the way, not sure if you need this, but, in case the router is in a remote location and you are concerned that you will lose access to it when you make firewall changes, I would recommend setting up a working profile and a scheduler. With the scheduler, in case you lose access, the device can swap the profile at the specified time and the working configuration will be restored. More information about profiles is available here.

