Best Of
Re: Adding a second external IP
@Atomicweight said:
Hi all,
I've got a T80 Firebox handling traffic in/out of the building. I have two external IPs given to me by my ISP.
Current setup:
External interface on firebox has x.x.x.132
Internal (trusted) interface has 192.168.100.1 <------- this connects to a 48 port switch and then on to the inside of the network.
One of my servers has an internal and external NIC. Its current configuration is:
Inside NIC is 192.168.100.5 and works fine on the internal side.
The outside NIC is as follows: 192.168.13.51 ----> (router) 192.168.13.1 ----> x.x.x.133
I want to put that x.x.x.133 on the T80 Firebox and remove the router completely. I've tried several configs and have come close, but something is still not right.
Would I add the .133 address as a secondary network on the existing external of .132?
If so, how would I route traffic from the outside NIC of the server (192.168.13.51) in/out through the x.x.x.133 external interface correctly?
Appreciate any help,
Atomic in VA
Which one of the 192.168.x.x subnets corresponds to the majority of the network - the 192.168.13.x or 192.168.100.x?
If say the 192.168.100.x subnet is the primary one used internally (which it sounds like), then the server needs to have 192.168.100.1 set as its default gateway, remove the 192.168.13.x one (or at least disable it while testing) - if 192.168.13.x has to coexist for anything else, add it as a secondary address on the internal network for the time being.
Add the required subnet/s to the dynamic NAT table if you have modified it from defaults (which normally allows all RFC1918 [private] addresses).
Yes, the additional x.x.x.133 address would be added as an additional IP on the external interface if that's how the ISP routes that address to the Firebox.
Re: Adding a second external IP
Best practice - dual-homed devices are strongly discouraged.
Disconnect the server trusted NIC and make all traffic to/from it go via a single connection to the firewall, as a DMZ.
Set an unused firewall interface to 192.168.13.1 & connect the server external interface to that.
Set up the desired policies to allow access from the Internet to the server and to/from the server from Trusted.
Re: Adding a second external IP
You can associate 192.168.13.51 with x.x.x.133 using a 1-to-1 NAT setup.
About 1-to-1 NAT
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/nat/one_to_one_nat_c.html
Re: Mobile IKEv2 VPN Through Hotspot with newer Samsung Mobiles
Hi @Pat
I'd suggest opening a support case so we can help gather more data. If moving to a different phone on the same carrier with the same SIM card is correcting the issue, it's very likely something on the phone causing the issue. It may be something that the phone manufacturer and/or carrier need to fix, but we can at least help provide that data.
Re: Powershell exploit
The fix for the anti-exploit detection on the Defender file has already been deployed.
They should stop giving this message as soon as they get the update.
Sorry for the inconvenience.
Re: SD-WAN policy
Hi @XYLITOL
We'd need to see your policy set and the log line to help with this. Please consider opening a support case via the support center link at the top right of this page so you can share that information securely.
Re: SD-WAN policy
The reason is that policy 2 specifies a specific WAN interface and not Any-external.
Unexpected routing results occur with Multi-WAN when a specific WAN interface is used in the To: field of a policy instead of Any-external.
Re: SD-WAN policy
FYI - this info is in a prior post, here:
https://community.watchguard.com/watchguard-community/discussion/4080/policy-set-up
Re: policy set up
As I said in an earlier post - you need to specify Any-external instead of a specific WAN interface on an outgoing policy when using Multi-WAN. Otherwise unexpected routing occurs, such as what you are seeing.
On policy 2, replace "To:Any-Untrusted,Untrust" with "To:Any-external" and review the results.