Options

Force Trusted network to use BOVPN - Optional Network to use WAN

PsyduckPsyduck
edited May 2021 in Firebox - VPN Branch Office

We have a Satellite office running a T20 that routes all traffic to a FireboxV hosted in the cloud - all traffic routes via a static route (0.0.0.0/0). This has been fine until recently we want to add a second network to this T20 that does not go through the VPN.

What would be the best way for me to have all traffic on my trusted network run through my BOVPN and my Optional Interface, go directly via the WAN only?

Comments

  • Options
    james.carsonjames.carson Moderator, WatchGuard Representative

    @Psyduck

    You should be able to do this using a standard VPN (making a Branch office VPN gateway/tunnel pair.)

    Let's say that your T20 has
    1st network 192.168.10.0/24 (the one routed through the VPN.)
    2nd network 192.168.20.0/24 (the one you don't want routed through the VPN.)
    and the Firebox V is 172.16.0.0/24

    -Create the BOVPN gateway like normal on both sides.

    -On the T20, create the BOVPN tunnels as:
    192.168.10.0/24 <-> 0.0.0.0/24
    192.168.20.0/24 <-> 172.16.0.0/24

    -On the FireboxV, create the tunnels as
    0.0.0.0/24 <-> 192.168.10.0/24
    172.16.0.0/24 <-> 192.168.20.0/24

    If you don't want the new network to be able to access those resources at all, just leave the 2nd route off on each side.

    You can read more here:
    (Define a Route for All Internet-Bound Traffic)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/vpn_default_route_c.html
    *as long as you're using addresses in the default RFC1918 private IP space, no changes to dynamic NAT should be needed.

    -James Carson
    WatchGuard Customer Support

Sign In to comment.