Azure Expressroute BGP configuration
Azure Expressroute requires the use of two networks and BGP for the setup.
The two networks are /30 networks, so let's assume we use 192.168.255.0/30 and 192.168.255.4/30. This would mean that your internal interfaces will have the IPs 192.168.255.1 and 192.168.255.5, while the Microsoft side will have 192.168.255.2 and 192.168.255.6.
Let's assume that you want to advertise the following networks for your office network: 192.168.0.0/24 and 192.168.1.0/24. Let's assume that the networks in Azure are 192.168.100.0/24 and 192.168.101.0/24.
The BGP setup on the WatchGuard will then look like this:
router bgp PrivateBGPNumber
 ! PrivateBGPNumber is a placeholder for your own (private) AS number
 ! note: a BGP process has a single router-id; a second statement replaces the first
 bgp router-id 192.168.255.1
 bgp router-id 192.168.255.5
 ! 12076 is Microsoft's ExpressRoute AS; one neighbor per /30 peering link
 neighbor 192.168.255.2 remote-as 12076
 neighbor 192.168.255.6 remote-as 12076
 ! ThePassword is a placeholder for the MD5 session key shared with Microsoft
 neighbor 192.168.255.2 password ThePassword
 neighbor 192.168.255.6 password ThePassword
Firewall rules are set up to allow all traffic to and from the local networks to the Azure networks.
The problem that then occurs is that the WatchGuard sees both networks, 192.168.100.0/24 and 192.168.101.0/24, on both interfaces and then starts blocking traffic on one of the interfaces as spoofed.
What is missing from the setup?
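The following is an added example, not code from the question or from WatchGuard. It works out the /30 link addressing from the question (so the neighbor statements can be cross-checked against the local and peer addresses) and then models, in simplified form, why the symptom appears: a firewall installs one best path per prefix, and a reverse-path style anti-spoofing check rejects packets whose source prefix is reachable via a different interface than the one they arrived on. The interface names eth1 and eth2, the "first learned path wins" rule standing in for BGP best-path selection, and the sample source address 192.168.100.10 are assumptions; the model illustrates the blocking behaviour, not WatchGuard's actual implementation or the missing configuration.

```python
import ipaddress

# Constructed to mirror the question: two /30 peering links, customer side
# takes the first usable address of each, Microsoft side the second.
PEERING_LINKS = ["192.168.255.0/30", "192.168.255.4/30"]
# Prefixes learned from Azure over BGP (from the question).
AZURE_PREFIXES = ["192.168.100.0/24", "192.168.101.0/24"]
# Hypothetical interface names for the two peering links on the firewall.
PEERING_INTERFACES = ["eth1", "eth2"]


def link_addresses(cidr):
    """Return (local, peer) for one /30 point-to-point link."""
    net = ipaddress.ip_network(cidr)
    if net.prefixlen != 30:
        raise ValueError(f"{cidr}: peering links are /30 subnets")
    local, peer = net.hosts()  # exactly two usable addresses in a /30
    return str(local), str(peer)


def peering_plan(links=PEERING_LINKS):
    """Map each link to its (local, peer) pair, e.g. to cross-check the
    neighbor statements in the BGP config against the link addressing."""
    return {cidr: link_addresses(cidr) for cidr in links}


class RoutingFirewall:
    """Minimal model: one installed best path per prefix, plus a
    reverse-path style anti-spoofing check on ingress."""

    def __init__(self):
        # prefix -> interface of the installed best path
        self.rib = {}

    def learn(self, prefix, interface):
        # Simplification of BGP best-path selection: with equal attributes
        # on both peerings, the first path installed is kept (assumption).
        self.rib.setdefault(ipaddress.ip_network(prefix), interface)

    def egress_interface(self, ip):
        """Longest-prefix match: which interface would be used to reach ip?"""
        addr = ipaddress.ip_address(ip)
        matches = [(net.prefixlen, iface)
                   for net, iface in self.rib.items() if addr in net]
        return max(matches)[1] if matches else None

    def check_ingress(self, src_ip, interface):
        """Anti-spoofing: a packet claiming source src_ip must arrive on the
        interface the firewall itself would use to reach src_ip."""
        expected = self.egress_interface(src_ip)
        if expected is None:
            return "no-route"
        return "allowed" if expected == interface else "spoofed"


def simulate_dual_peering():
    """Reproduce the symptom: both Azure prefixes arrive over both peerings,
    only one path per prefix is installed, so traffic entering on the other
    peering fails the anti-spoofing check."""
    fw = RoutingFirewall()
    for iface in PEERING_INTERFACES:
        for prefix in AZURE_PREFIXES:
            fw.learn(prefix, iface)
    # Constructed sample packet: an Azure host whose reply comes in via each peering.
    src = "192.168.100.10"
    return {iface: fw.check_ingress(src, iface) for iface in PEERING_INTERFACES}


if __name__ == "__main__":
    for cidr, (local, peer) in peering_plan().items():
        print(f"{cidr}: local {local}, neighbor {peer}")
    print(simulate_dual_peering())
```

Running it prints the local/neighbor pair for each /30 (matching the neighbor addresses in the config above) and a result dictionary in which the peering that did not win best-path selection reports "spoofed" for the same Azure source address that is "allowed" on the other peering, which is the behaviour described in the question.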