Thanks @alefattorini, not exactly an expert but knowledgeable. I’d like to check but it may have to wait a week or 2. What version of NS are we talking about here?
I have just got this running and I have to say it works as intended so far. In my setup, NethServer is configured as the gateway and LAN hosts' traffic goes through the correct WAN defined by this policy. I tested via ‘traceroute’.
I have an observation though. It seems that on NethServer itself the policy does not get applied. Doing a ‘traceroute’ on the NethServer machine shows that the traffic goes to the default WAN and not the one mentioned in the policy.
Yes.
The technical reason is that the routing decision is taken in the pre-routing chain.
The rationale behind this behaviour is that you rarely need to do policy routing for the firewall and, if needed, it’s usually done with software specific options (i.e. tcp_outgoing_address for squid).
Finally, if you really need a route for traffic originating from the firewall, you could use a custom template for /etc/shorewall/tcrules to add a rule like:
0x20000 $FW 0.0.0.0/0 tcp 80
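To make the chain split concrete, here is an added illustration (my own toy model, not NethServer's or Shorewall's code) of how a tcrules table like the one above is applied: a rule whose SOURCE is $FW is compiled into the mangle OUTPUT chain and therefore can match traffic the firewall itself generates, while every other rule lands in PREROUTING and only sees forwarded traffic. The sample rules and addresses are constructed; the mapping from a mark to an actual routing table (ip rule fwmark ... lookup ...) is outside this model.

```python
"""Toy model of Shorewall-style tcrules chain placement.

Added example, not NethServer/Shorewall code. Chain placement follows
Shorewall's documented behaviour (SOURCE == $FW -> mangle OUTPUT chain,
anything else -> mangle PREROUTING). Sample rules below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

FW = "$FW"

# Constructed sample tcrules table: MARK SOURCE DEST PROTO DPORT
SAMPLE_TCRULES = """\
# MARK     SOURCE          DEST        PROTO   DPORT
0x10000    192.168.1.0/24  0.0.0.0/0   tcp     443
0x20000    $FW             0.0.0.0/0   tcp     80
"""


@dataclass
class TcRule:
    mark: int
    source: str
    dest: str
    proto: str          # "-" means any protocol
    dport: Optional[int]  # None means any destination port

    @property
    def chain(self) -> str:
        """Where Shorewall places the rule in the mangle table."""
        return "OUTPUT" if self.source == FW else "PREROUTING"


def parse_tcrules(text: str) -> List[TcRule]:
    """Parse the whitespace-separated tcrules columns, ignoring comments."""
    rules: List[TcRule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed tcrules line: {raw!r}")
        mark, src, dst = fields[:3]
        proto = fields[3].lower() if len(fields) > 3 else "-"
        dport = None
        if len(fields) > 4 and fields[4] != "-":
            dport = int(fields[4])
        rules.append(TcRule(int(mark, 16), src, dst, proto, dport))
    return rules


def _net_matches(spec: str, addr: str) -> bool:
    """True if addr falls inside the CIDR spec ("0.0.0.0/0" matches all)."""
    if spec == "0.0.0.0/0":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def select_mark(rules: List[TcRule], src_ip: str, dst_ip: str,
                proto: str, dport: int, from_firewall: bool = False) -> int:
    """Return the fwmark the first matching rule would set, or 0 for none.

    from_firewall=True models a packet generated by the firewall itself:
    such packets traverse OUTPUT, never PREROUTING, so rules written for
    LAN sources cannot match them.
    """
    chain = "OUTPUT" if from_firewall else "PREROUTING"
    for r in rules:
        if r.chain != chain:
            continue
        if r.source != FW and not _net_matches(r.source, src_ip):
            continue
        if not _net_matches(r.dest, dst_ip):
            continue
        if r.proto not in ("-", proto):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.mark
    return 0  # unmarked: the packet follows the default (main table) route


if __name__ == "__main__":
    rules = parse_tcrules(SAMPLE_TCRULES)
    for r in rules:
        print(f"{r.mark:#x} from {r.source:<15} -> chain {r.chain}")
    # LAN host HTTPS: marked in PREROUTING by the first rule
    print(hex(select_mark(rules, "192.168.1.10", "203.0.113.5", "tcp", 443)))
    # Firewall's own HTTPS: nothing in OUTPUT matches, so default WAN
    print(hex(select_mark(rules, "192.0.2.1", "203.0.113.5", "tcp", 443, True)))
    # Firewall's own HTTP: the $FW rule in OUTPUT marks it
    print(hex(select_mark(rules, "192.0.2.1", "203.0.113.5", "tcp", 80, True)))
```

The third call is the case the post describes: without a $FW rule, a traceroute or any other connection started on the NethServer box itself stays unmarked and takes the default WAN, which is exactly what the observation above reports.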
The first path: As NethServer is a system for everybody, even for somebody who is not a sysadmin, the rules can only be displayed, without the possibility to edit them.
These rules are displayed only to make things more transparent, and the apprentice sysadmin learns at the same time.
The sysadmin can only deal with these rules through the first setup script, choosing how NethServer will run (firewall or server only).
The second path: As NethServer is very modular, and by consequence versatile, all the rules are editable… This makes the sysadmin more responsible for these rules…
To prevent any accident, there should be a possibility to cancel the last action (when things go bad) or the ability to run the first script to restore these preset rules.
And to make a wiki page with the preset rules to inform, teach and eventually recreate these rules…
In my point of view, I have a preference for the second path, with the sysadmin more responsible.
Why can somebody who is not a sysadmin reach the NS settings?
The users have their own GUI, without interfering with NS settings.
The sysadmin, by definition, must do everything ( https://en.wikipedia.org/wiki/System_administrator ).
"A system administrator, or sysadmin, is a person who is responsible for the upkeep, configuration, and reliable operation of computer systems; especially multi-user computers, such as servers.
The system administrator seeks to ensure that the uptime, performance, resources, and security of the computers he or she manages meet the needs of the users, without exceeding the budget.
To meet these needs, a system administrator may acquire, install, or upgrade computer components and software; provide routine automation; maintain security policies; troubleshoot; train and/or supervise staff; or offer technical support for projects."
Because NethServer is for everybody, from the non-expert user to the really skilled sysadmin.
I like to think that non-experts learn when using NethServer and become more and more skilled.
I totally agree, for this reason I like the “second path”: make all firewall rules editable.