Exclude Some IPs/Networks from a Branch Office VPN Routing All Traffic
We currently have a Branch Office VPN routing 0.0.0.0/0 across the tunnel. We want to exclude a single IP or a single network on the Internet (for example, let's say we don't want dns queries to 1.1.1.1 to go over the BOVPN but rather just out our gateway) from that VPN but continue to route all other traffic. What is the best way to achieve this?
0
Sign In to comment.
Comments
You can try adding a Network Route for this, and see if that works.
Try setting the Metric on the added route to be lower than the metric for the 0.0.0.0 route entry for the BOVPN.
That was my first thought but the WatchGuard was ignoring the route. It looks like the Branch Office VPN was configured as a Tunnel and not as an interface. The two ways of configuring are described in this KB:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/bovpn_manual_about_c.html
From what I can tell if you want to use VPN traffic that follows route rules you have to configure them as virtual interfaces and then use static routes. I'm going to try that when I can schedule some downtime but if anyone has an alternate option I would love to hear it.