AN15 FW rules, should they be at the top or bottom of the FW list [SOLVED]


I want to put in the dual SIM failover support as described in AN15 but am not sure if I would put those FW rules at the top or bottom of my current FW.
Here is my current FW.txt:
0 1 #Allow outbound FTP traffic
0 2 pass out break end proto ftp from any to any port=ftpcnt flags S!A inspect-state
0 3 #Allow any other outbound traffic and the replies back in
583985 4 pass out break end inspect-state
0 5 #Allow incoming IPSEC
188197 6 pass break end proto 50
0 7 pass in break end proto udp from any to any port=ike
60 8 pass in break end proto udp from any to any port=ikefloat
0 9 #Allow any traffic within an IPSEC tunnel in both directions
0 10 pass break end oneroute any
0 11 #Allow incoming SSH and SFTP
0 12 pass in break end proto tcp from any to any port=22222 flags S!A inspect-state
0 13 #Allow incoming HTTPS
0 14 pass in break end proto tcp from any to any port=https flags S!A inspect-state
0 15 #Block and log everything else including incoming telnet, http and FTP
114 16 block log break end

Where exactly should I put those ping FW rules?
And, do I need the “pass break end” or does that depend on where I put the two ping inspection lines?


Hi and welcome to Digi Forums,

You want to put these rules at the very top of any other firewall rules.
Note, however, that there is an integrated “Wizard” for setting up Dual SIM from within the web interface of the router (at the top left) which will do all of that configuration etc. for you.

If you are still having issues with this setup, please reach out to our Support Team at (make sure to attach a debug.txt: )

Thank you


Digi Technical Support
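
Why placement matters, as an added example that is not from the original posts or from Digi: a simplified model of the posted rule list, in which every rule ends in "break end" so the first matching rule decides. The Rule class, the reduced match fields, the port numbers used for the named ports, and the stand-in ping rule (numbered 0) are assumptions; rule 10 is left out because oneroute is not modelled.

```python
# Simplified first-match model of the posted rules; this is not Digi's parser.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    num: int                          # rule number from the posted listing
    action: str                       # "pass" or "block"
    direction: Optional[str] = None   # "in", "out", or None for both
    proto: Optional[str] = None
    port: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        # A field set to None in the rule matches any packet value.
        return all(want is None or pkt.get(key) == want
                   for key, want in (("direction", self.direction),
                                     ("proto", self.proto),
                                     ("port", self.port)))


# Posted rules, all "break end". Ports for ftpcnt/ike/ikefloat/https are
# assumed to be 21/500/4500/443; "proto ftp" is modelled as tcp.
POSTED = [
    Rule(2, "pass", "out", "tcp", 21),
    Rule(4, "pass", "out"),
    Rule(6, "pass", proto="esp"),
    Rule(7, "pass", "in", "udp", 500),
    Rule(8, "pass", "in", "udp", 4500),
    Rule(12, "pass", "in", "tcp", 22222),
    Rule(14, "pass", "in", "tcp", 443),
    Rule(16, "block"),
]

PING_RULE = Rule(0, "pass", "out", "icmp")    # hypothetical stand-in for an AN15 ping rule
PING = {"direction": "out", "proto": "icmp"}  # constructed sample packet


def deciding_rule(rules, pkt):
    """Number of the first matching rule; "break end" stops evaluation there."""
    return next((r.num for r in rules if r.matches(pkt)), None)


def compare_placements():
    """Deciding rule for the ping with the ping rule last, then first."""
    return (deciding_rule(POSTED + [PING_RULE], PING),
            deciding_rule([PING_RULE] + POSTED, PING))
```

With the ping rule appended last, the outbound ping is already decided by rule 4 and the ping rule is never evaluated; placed first, the ping rule is the one that sees the packet.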

Ok, I used the wizard and it's working great.

I also put the Ethernet ports into port isolated mode and used Eth1 as primary and set up a ping on it as well. This is also working perfectly.

Thanx for the help.

