Traffic from Specific Trusted LAN to go to Specific External Interface
Hi Folks,
I feel like I must be missing something. The FireBox allows all sorts of fancy routing... failover and such. But what I want is very simple.
We've had a FireBox setup for years... everything works great. We love it.
I want to add a second External interface (different ISP to the first, original, interface), and an additional Trusted interface. I want all traffic from this new additional Trusted Interface to go out (and return) via the second External interface. I want to block any incoming connection requests coming in from that second External interface.
I want everything else (my other Trusted interfaces) to use the first (original) External interface.
Can somebody please guide me in the right way to make this happen?
Comments
You can use SD-WAN to do this.
You define SD-WAN actions to, for example, use a specific WAN interface.
You set up policies and select the desired SD-WAN action on them.
About SD-WAN
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/sd-wan/sd_wan_routing_about.html
Thanks for your reply.
I've read that page multiple times. And THIS is precisely what has me confused: I don't want or need my External interfaces monitored, and I don't want a "failover" action. And I don't want traffic balanced round robin across the External interfaces.
I want traffic from Trusted Interface X to go to External Interface Y. And new incoming connection requests from External Interface Y to be dropped.
SD-WAN can be set up to do many things, but it can be used to send traffic from a specific policy out a specific WAN interface.
SD-WAN is normally only for outgoing traffic. Unexpected things can happen if it is enabled on incoming policies.
"new incoming connection requests from External Interface Y to be dropped" are not configured using SD-WAN. Normal incoming policies control what is allowed in, and from what WAN interface.
Again, thanks.
My issue is simply HOW do I do it? If I "Add an SD WAN action" I have choices of either Failover or Round Robin. I simply want to specify a specific Interface. Like I'd do in PBR, right?
It is possible that I am exceptionally ignorant, but I do not see how one accomplishes this.
What do you want to happen IF your selected WAN interface is down?
All outgoing traffic to FAIL?
You can create an SD-WAN action which only includes 1 WAN interface. For this case there is nothing to fail over to or round robin with.
If you select a 2nd WAN interface, then you do have something to fail over to or round robin with.
Yes. That'll be fine, thanks.
Ah! I see... Let me give that a try...
Again, thank you.