Traffic from Specific Trusted LAN to go to Specific External Interface

Hi Folks,

I feel like I must be missing something. The FireBox allows all sorts of fancy routing... failover and such. But what I want is very simple.

We've had a FireBox setup for years... everything works great. We love it.

I want to add a second External interface (different ISP to the first, original, interface), and an additional Trusted interface. I want all traffic from this new additional Trusted Interface to go out (and return) via the second External interface. I want to block any incoming connection requests coming in from that second External interface.

I want everything else (my other Trusted interfaces) to use the first (original) External interface.

Can somebody please guide me in the right way to make this happen?

Comments

  • You can use SD-WAN to do this.

    You define SD-WAN actions to, for example, use a specific WAN interface.
    You set up policies and select the desired SD-WAN action on them.

    About SD-WAN
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/sd-wan/sd_wan_routing_about.html

  • Thanks for your reply.

    I've read that page multiple times. And THIS is precisely what has me confused: I don't want or need my External interfaces monitored, and I don't want a "failover" action. And I don't want traffic balanced round robin across the External interfaces.

    I want traffic from Trusted Interface X to go to External Interface Y. And new incoming connection requests from External Interface Y to be dropped.

  • SD-WAN can be set up to do many things, but it can be used to send traffic from a specific policy out a specific WAN interface.

    SD-WAN is normally only for outgoing traffic. Unexpected things can happen if it is enabled on incoming policies.
    "new incoming connection requests from External Interface Y to be dropped" are not configured using SD-WAN. Normal incoming policies control what is allowed in, and from what WAN interface.

  • Again, thanks.

    My issue is simply HOW do I do it? If I "Add an SD WAN action" I have choices of either Failover or Round Robin. I simply want to specify a specific Interface. Like I'd do in PBR, right?

    It is possible that I am exceptionally ignorant, but I do not see how one accomplishes this.

  • What do you want to happen IF your selected WAN interface is down?
    All outgoing traffic to FAIL?

    You can create a SD-WAN action which only includes 1 WAN interface. For this case there is nothing to fail over to or round robin with.
    If you select a 2nd WAN interface, then you do have something to fail over to or round robin with.

    > What do you want to happen IF your selected WAN interface is down? All outgoing traffic to FAIL?

    Yes. That'll be fine, thanks.

    > You can create a SD-WAN action which only includes 1 WAN interface.

    Ah! I see... Let me give that a try...

    Again, thank you.
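The routing semantics worked out in this thread, as an added illustration that is not part of the original thread and not Fireware code: an SD-WAN action listing a single WAN interface sends matching outbound traffic out that interface and simply fails when it is down (nothing to fail over to), an action listing two interfaces gives failover, and inbound new connections are decided purely by ordinary incoming policies (implicit deny when none matches). All interface names, policy names and the action names are constructed for the example; the model does not talk to a Firebox.

```python
# Added illustration: a small model of the policy / SD-WAN semantics described
# in this thread. Not Fireware code; interface, policy and action names are
# constructed. Return traffic of established connections (which follows the
# connection's state, not a policy lookup) is not modelled.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY_EXTERNAL = "Any-External"


@dataclass(frozen=True)
class SdWanAction:
    """Ordered WAN interfaces a policy may send traffic out of.

    One interface: nothing to fail over to, traffic fails when it is down.
    Two or more: the first interface whose link is up is used (failover).
    """
    name: str
    interfaces: Tuple[str, ...]


@dataclass(frozen=True)
class Policy:
    name: str
    from_ifaces: Tuple[str, ...]          # source interfaces this policy matches
    to_ifaces: Tuple[str, ...]            # destination interfaces it matches
    allow: bool
    sdwan: Optional[SdWanAction] = None   # meaningful on outgoing policies only


# Constructed actions: the single-interface one is what the thread arrives at.
USE_EXTERNAL_2 = SdWanAction("Use-External-2", ("External-2",))
EXTERNAL_2_THEN_1 = SdWanAction("External-2-then-1", ("External-2", "External-1"))

DEFAULT_WAN = "External-1"  # interface carrying the default route

# Constructed policy table; first match from the top wins.
POLICIES: List[Policy] = [
    # New trusted segment leaves only via the second ISP.
    Policy("Trusted-2-Outgoing", ("Trusted-2",), (ANY_EXTERNAL,), True, USE_EXTERNAL_2),
    # Everything else keeps using the default route (original ISP).
    Policy("Outgoing", ("Trusted-1",), (ANY_EXTERNAL,), True),
    # Only inbound policy: a server reachable from the first WAN only.
    Policy("HTTPS-Server", ("External-1",), ("Trusted-1",), True),
]


def first_match(policies: List[Policy], src: str, dst: str) -> Optional[Policy]:
    """Top-down policy lookup on (source interface, destination interface)."""
    for p in policies:
        if src in p.from_ifaces and dst in p.to_ifaces:
            return p
    return None


def egress_interface(src_iface: str, link_up: Dict[str, bool],
                     policies: List[Policy] = POLICIES) -> Optional[str]:
    """WAN a new outbound connection from src_iface leaves on; None if it is
    denied or every WAN the policy may use is down."""
    p = first_match(policies, src_iface, ANY_EXTERNAL)
    if p is None or not p.allow:
        return None  # no policy allows it: implicit deny
    candidates = p.sdwan.interfaces if p.sdwan else (DEFAULT_WAN,)
    for wan in candidates:
        if link_up.get(wan, False):
            return wan
    return None  # all listed WANs down: the connection fails (no failover)


def inbound_allowed(wan_iface: str, dst_iface: str,
                    policies: List[Policy] = POLICIES) -> bool:
    """Whether a NEW inbound connection arriving on wan_iface for dst_iface is
    allowed. Only ordinary incoming policies decide this; SD-WAN plays no part,
    so a WAN with no incoming policy drops every new connection."""
    p = first_match(policies, wan_iface, dst_iface)
    return p is not None and p.allow


if __name__ == "__main__":
    both_up = {"External-1": True, "External-2": True}
    wan2_down = {"External-1": True, "External-2": False}
    print("Trusted-2 egress, both up:  ", egress_interface("Trusted-2", both_up))
    print("Trusted-1 egress, both up:  ", egress_interface("Trusted-1", both_up))
    print("Trusted-2 egress, WAN2 down:", egress_interface("Trusted-2", wan2_down))
    print("New inbound on External-2:  ", inbound_allowed("External-2", "Trusted-2"))
```

Swapping `USE_EXTERNAL_2` for `EXTERNAL_2_THEN_1` on the first policy is the "2nd WAN interface" case from the thread: the same lookup then falls back to External-1 when External-2 is down, which is exactly the behaviour the original poster said they do not want.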
