Rule - Traffic from Main Office over BOVPN

We have a customer that recently got Starlink and one thing I found it because it uses CG-NAT the general port forwarding does not work. we have a time clock that need external access.

Now I do have a BOVPN setup between the Main office and the 2nd office

So what I want to do is on my main office FW is create a rule that says from ExternalIP to SNAT-timeclock Internal IP:3005 , should work correct?

I can ping the internal ip of the timeclock from my the main office so I know that the traffic is going over the vpn

Just want to make sure my logic is sound

M270 and T40w if that matters


  • Options

    That won't work directly because reply packet will go out the Starlink path instead of coming back over the BOVPN.

    To get reply packets to come back over BOVPN, you need to change the source IP addr of the incoming packet to something which will be routed back over the BOVPN from the other end.
    I recommend that you use the trusted interface IP addr as the "Set source IP" on your SNAT setup.

    Then this should work.

  • Options
    edited June 2022

    Actually that did indeed work, thanks

  • Options

    For diagnostic purposes, turn on Logging on this policy to see packets allowed by it in Traffic Monitor.

    re: 2nd question - what is currently allowed over the BOVPN at the remote site??? If it is an Any policy - then nothing.

    And for diagnostics - adding a specific policy on the remote firewall To the time clock so that you see allowed packets to the time clock in Traffic Monitor.

    What app is used to access the time clock? Can you test that from your PC?

    Without more info, such as seeing allowed packets etc., I doubt that support can be any real help at this time.

Sign In to comment.