has anybody an idea of what could cause the following behaviour:

When doing a Nessus-Scan from VLAN A to VLAN B after some time (Whether existing or non-existent IP addresses are scanned, regardless of the throttling applied) the whole TCP/UDP communication in ALL VLANs (also those not affected by the scan) go down. BUT: as soon as the scan is stopped it all comes back and is fine again AND the whole time , even when TCP/UPD is "down" as described, pinging (ICMP) is OK.

Has anybody an idea on what that could be ? It must be the Watchguard, as only it has all routes to all networks.

Many thanks and kind regards,

Markus

I was looking how a firebox could inject "classic" IPSec routes into OSPF, so that the rest of our network could use the routes, rather than having to declare them as static routes on internal routers behind the firebox. This is easy for BOVPN virtual interfaces, but appears not to be a supported option for "classic" VPNs, as the remote end of the VPN isn't seen as a connected network for inclusion in the OSPF calculations.

The Status Report section of System Manager shows the network at the far end of the VPN in the "Run-time IPSec Routes" section, with the "Out Interface" being the physical interface of the external connection.

Static routes on the firebox can be injected into the OSPF table using the "redistribute static" command in the OSPF configuration.

On the firebox, I configured a static route to the far end of the VPN via the default gateway of the external interface. This did not affect the routing down the VPN within the firebox, and the traffic for the remote end of the VPN continued being sent down the IPSec tunnel.

The result is a static route to the VPN destination that can be injected into OSPF which doesn't affect how the Firebox handles the VPN traffic. (I used a route map to control which static routes get redistributed, but this isn't necessary if all your static routes should be injected into OSPF.)

The internal routers now see the "classic" VPN destinations in the OSPF tables and there is no longer the need to configure the static routes within the internal network. The route seen in OSPF isn't via the external default gateway, but via the firebox itself. (The routes you see on the routers connected to the firebox will show via the firebox, and for the routers behind the routers connected to the firebox, you will see the route via the connected router, etc.)

How useful this is depends on your network, but for ours, this ability to have the routes in the OSPF tables has been extremely helpful.

Hopefully this info will be useful for someone else.

James

Sorry if this topic has already been discussed, but I haven't been able to find the answer to my question.

In an infrastructure with Active Directory (DNS) servers in the cloud connected via IPsec VPN to WatchGuard appliances at branch offices where there are only Windows PCs, what are WatchGuard engineers’ recommendations regarding the DNS provided to the PCs? I’ve heard that Windows does not recommend public DNS servers like 8.8.8.8, even as a secondary DNS server?

Thank you,

I setup a Pantech UML295 USB modem on WatchGuard Firebox T15 for Internet redundancy many years ago, and I am trying to troubleshoot it now remotely, because the users were not able to connect to Internet when the main Internet connection went down.

So, I use Network tab of Diagnostics page in WebUI to

ping -I eth0 8.8.8.8
and I get
PING 8.8.8.8 (8.8.8.8) from "IP address" eth0: 56(84) bytes of data...

and when I do
ping -I modem0 8.8.8.8
I get
PING 8.8.8.8 (8.8.8.8) from "IP address" modem0: 56(84) bytes of data...

and I get replies both times, but I am confused seeing the same "from IP address" of the main Internet connection of interface eth0, when I am actually trying to ping using modem0 interface.

I suppose this is probably normal behavior, just want to confirm.

Aslo, the USB modem has Red light on it. Can someone remind me if this is because it is just a backup connection and does not pass the traffic when the main connection is up?

Thanks.

I did some searching for Watchgaurd specific configuration on BOGON filtering but didn't find any discussions or notes in the Watchguard documentation. I did see configuration for other firewall vendors to achieve this.

I thought about using blocked sites and block site exception to achieve this. I first added network addresses for all of my internal networks to Blocked Site Exceptions. When I went to add 10.0.0.0/8 to blocked sites, I received an error message that I would have to create exceptions for each internal firebox interface within that range. That's going to be a lot of work for multiple sites with multiple VLANs per site. I was surprised that my blocked site exception of 10.X.0.0/16 wouldn't have already covered the firebox's internal interfaces.

Maybe all this doesn't matter and I'm being paranoid. For anyone interested, here is the reddit thread that got me thinking about this.

https://reddit.com/r/sysadmin/comments/1r87rcr/what_is_everyones_traceroute_for_192168200101/

background
i have a firebox without trusted interface , it is used for bovpn and muvpn only.
works as a vpn concentrator.
Radius traffic is intented to go through bovpn tunnel. it is send through the tunnel but sender adress is the public ip.

Deny xxx.x58.14.151 192.168.7.222 radius/udp 58277 1812 BovpnVif.V Firebox ip spoofing sites 110 64 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" flags="SR" duration="0" sent_pkts="1" rcvd_pkts="0" sent_bytes="110" rcvd_bytes="0" Traffic

adding a loopback would be the easyest without changes to the bovpn tunnels

Untagged VLAN fails when VLAN 1 is tagged on the same interface
https://techsearch.watchguard.com/KB?type=Known Issues&SFDCID=kA1Vr000000EdzBKAS&lang=en_US

This bug bit me in the butt converting from a T20w to a T125w.
VLAN1 was defined as tagged on 1 interface and as untagged on a 2nd interface.
On the T125W, the untagged interface connection did not work - no DHCP address was provided.
Worked fine on the T20 for V12.11.6 and earlier.
T125W has the issue running 2025-1-1, 2025-1-4 & 2026-1-1

I'm trying to restrict traffic from my Backup server Veeam to limited internet access.

I need to allow to veeam cloud vault servers.

Anyone have the full ip or FQDN list ?

I know it has to go through ports 80/443, are there any other ports needed?

Thank you!
Jean

From traffic monitor, I have the following entry showing that ping to 8.8.8.8 is denied:
2026-01-23 10:50:03 Deny 192.168.1.7 8.8.8.8 echo-request/icmp Trusted SHAW blocked sites 40 63 (Ping-00) proc_id="firewall" rc="101" msg_id="3000-0173" duration="0" sent_bytes="40" rcvd_bytes="0" type="8"

In Firewall -> firewall policies -> Ping:
(no changes, factory default policy)
Enable: checked
From: Any-Trusted, Any-Optional
To: Any

In Firewall -> blocked sites, there are no blocked sites.
In Firewall -> blocked sites exceptions, I added 8.8.8.8, still blocked.

In System status -> diagnostics, ping 8.8.8.8, result is "ping: sendmsg: Operation not permitted"
In System status -> diagnostics, ping 8.8.4.4, result is "64 bytes from 8.8.4.4: icmp_seq=1 ttl=120 time=29.2 ms"

From desktop computer, ping 8.8.8.8, no response.
From desktop computer, ping 8.8.4.4, good response.

What would cause this and how do I fix?

To add to above, all traffic to 8.8.8.8 is being blocked:

2026-01-23 11:01:03 Deny 192.168.1.141 8.8.8.8 dns/udp 53457 53 Trusted SHAW blocked sites 60 127 (DNS-00) proc_id="firewall" rc="101" msg_id="3000-0173" duration="0" sent_bytes="60" rcvd_bytes="0"

2026-01-23 11:11:03 Deny 192.168.1.128 8.8.8.8 https/tcp 57947 443 Trusted SHAW blocked sites 52 127 (HTTPS-proxy-00) proc_id="firewall" rc="101" msg_id="3000-0173" tcp_info="offset 8 S 482552011 win 61690" duration="0" sent_bytes="52" rcvd_bytes="0"

i'm investigating an issue with a web app (QNAP Notesstation) based on a T85 with current firmware:

If the user are connected to the local LAN, everything works as expected an has unlimited access to the web app regardless of time. Connected to Watchguard WIFI or IKEv2 mobile VPN with the same windows client and app user accounts, all user have the same problem: After estimated 60 minutes the web app has disconnected in the background, regardless of idle time or activity.
The QNAP Support has reconstructed our issue and has discovered that there is no problem in the web app code; other tested WIFI connections were without any timeouts.

It seems that the T85 influences something like KeepAlive, Timeouts etc. for this special app if the HTTP/HTTPS traffic is routed, but I'm not sure how to resolve this issue.

Any tips or ideas?

Many thanks,
Erik

We have a fully working Watchguard Firebox M290

External - Vodaone Broadband
Tusted - 10.1.16.254

Desktop PC 10.1.16.113

Added the following:-

PTP connection set to another site

I've configured port 2 as the following:-

External
Name: "Site X to Site Y External"
IP: 194.184.180.2/30
GW: 194.184.180.1

On the Draytek router at the other end of the PTP

WAN/External
Name: "Site Y to Site X External"
IP: 194.184.180.1/30
GW: 194.184.180.2

LAN - 10.18.20.0/24
GW - 10.18.20.1

Laptop: DHCP: 10.18.20.10

I can ping from the Laptop 10.18.20.10 over the WAN/External connection to 10.1.16.113

But I cant ping the other way?

I've tried a few things in Firewall policies and static routes, but nothing seems to work. I'm missing somthing really simple, but what

After saving that configuration, if I enter a PIN to 192.168.1.1, the firewall doesn't respond.

I'm getting configuration errors, but I managed to configure it without any errors, but browsing still isn't working.

Please help.

Thank you.

Hola, tengo un nuevo WAM:
Pool de IP removed
Puerta de Enlace removed
removed IP PUBLICA

Me da errores de configuración y logré configurar sin errores pero tampoco funciona navegar.

Su ayuda por favor,

Gracias

** removed public IP addresses from post - JC

I need to route from 10.20.1.0/24 to 10.68.39.160/27
We are using 10.74.3.225 and 10.74.3.225 to route the traffic.
My main routers default route points to my firewall.

10.20.1.0 lives on my network.
10.68.39.160 lives behind a vendors firewall, on our campus.

10.74.3.226 is assigned to an optional interface on my firewall.
10.74.3.225 is assigned to an interface on the vendors firewall.

I have two routes on the firewall for this

10.74.3.226=>10.74.3.225
10.74.3.225=>10.68.39.160/27

When I ping, the vendor see traffic coming from 10.74.3.226 instead of 10.20.1.0/24

They need to see that its coming an 10.20.1.0/24 address, so they can respond accordingly.

Any ideas?

I had a theory that I could NAT loopback off the Firebox interface. So, from the server I could query the address <firebox.optional.interface.ip> and this would NAT it back to <hpe.ilo.interface.address>. To be clear, these are both in the same subnet on the same eth port on the Firebox.

So I added a policy with a SNAT to do this:

FROM: <hpe.server.address>
TO: SNAT: <any.optional> --> <hpe.ilo.interface.address>

And I just get this in the log:

Allow <hpe.server.address> <firebox,optional.interface> cmip-man/udp 53838 163 <optional.network> <external.interface> Allowed 69 127 (SNMP.loopback.to <hpe.server.ilo>-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat=<firebox.external.interface> dst_ip_nat=<hpe.ilo.interface.address> dst_port_nat="161" Traffic

So, it's kind of working but I think it it doing the NAT using the firebox external interface IP which is not going to work.

Have I just got something a bit wrong on the SNAT or am I asking the impossible?

Thanks!

Is it somehow possible to "hide" a vlan from another vlan?
Example vlan17 should not even know about vlan13.
I know I can block access ofcourse but I want to "hide" it completely.

And yes, both vlans do exist in same firebox...

/Martin

Firebox M5800
Firmware v12.11.3

kind regards,
vanessa

The description above will seem like there is a simple solution but there is a more complex situation in progress.

The WG unit we are discussing here is new. The config has been brought from a M370 unit. As part of a project to deploy this new WG, the client is has got a new WAN solution which uses BGP. The new WAN solution has two circuits which are now configured on separate External interfaces of this WG and BGP has been configured and working (with a test advertised prefix).

We will be migrating the customers IP ranges to this new solution and therefore the public IP(s) that are currently in use will no longer be configured on an external interface but rather advertised via BGP. This poses some questions I would like help with:

1. The customer prefixes that are now to be advertised; should these IPs now be configured as secondary IPs on the External interfaces now participating in BGP? I had thought this would be the case but it turns out that an IP can only exist on 1 external interface at a time.

Here is a snaitized version of the topology:

Our organization relies on UDP for lots of SRT-based remote desktop access (not RDP), 4K video streaming, and IBM FASP UDP-based file transfers.

Last week, we had an internet outage, caused by losing DNS. After analyzing our Firebox logs with Watchguard's help, it turned out that a video streaming test we ran, triggered the UDP flood protection.

This has me looking at this feature, of course. What actually confuses me is… For file transfers alone, we routinely upload/download 350Mb/s, if not multiples of that. At 1500 MTU, that's 30,000 packets per second. And we've been running those smoothly for years, on the Firebox, with Default Packet Handling at 1K packets/sec enabled.

Similarly, while troubleshooting the DNS drop I rebooted our Firebox, and now the same video streaming test went fine. We upped it to 8x30Mbps UDP streams (20K packets/sec) while the CDN provider monitored the data streams, and all was well.

The math doesn't add up: How come this flood protection doesn't trigger all the time??

Does traffic monitor only show live view?

Remote Loc User > DHCP Provided by local server > L2 HP Switch > Cisco Meraki E2 > Telecom provider Fiber > Cisco Meraki E2 > Firebox E3 VLAN > Firebox E1 > Internet

IP addressing looks like this

192.168.2.34 > 192.168.2.5 > 192.168.2.2 > fiber A > fiber B > 192.168.2.1 > 192.168.1.1 > Internet.

What I need to make this look like is:

192.168.2.34 > 192.168.2.1 >Internet

or

Wired Vlan1
Wireless Vlan2 > Cloud Gateway > CG WAN port > Internet

In reading on the ubiquity site they state that I am seeing a double NAT issue and need to create a bridge on the firewall for Port E3 on Firebox to appear as a direct connect to Internet to avoid double NAT.

Any ideas?

External interface

Trusted interface

Front Panel info

This config should allow clients to configure a IPv6 address via SLAAC but it's not working. No clients are getting an IPv6 address on the 2600:1700:47d1:163f::/64 network. A packet trace shows that Router Advertisement packets are being sent from the Firebox.

However I notice that there is no Prefix Information included. Should that be there in this case?

Here's a screenshot from an unrelated blog post showing a RA packet that includes prefix information.

If that should be in the RA packet sent from the Firebox, why would it be missing?

OBJECTIVE:
===========.
Need external access to internal resources. Such as, email, helpdesk, core apps.

CONFIG SCENARIO:
==================.
FIREWALL: internal port is configured as dedicated internet VLAN and paired with the layer 3 switch as same.
- No other VLANs on firewall,
- no other ports connected to internet.
- Firewall has several static routes to each vlan subnet on the switch over the dedicated internet vlan. These are pingable from the firewall PING tool.

SWITCH:
- default port (of last resort) points to the vlan port on firewall.
- all vlans have interfaces with default routes pointing to the internet vlan IP on the switch.

All outbound traffic on any vlan can access the internet.

ISSUE: Prior to using VLANs, all external resources that were published were working. Now, not a single internal resource is working when attempting to access externally.

Thinking it is a basic config that I have overlooked. (Am I allowed to publish resources through the vlan interface on the firewall?)

Hoping someone can point out my error.

Cheers