Enable WOL in VPN SSL

Hi, Neophyte question,
In my office we use a WatchGuard M370 firewall. We have set up an SSL VPN and everything works except one thing, the wake-on-lan of the machines in the office from the remote computers connect in the VPN.
For example, right now I am connected with my notebook in VPN from home and I am trying to turn on my PC in the office, but if I send the command WOL, nothing happens.
(Obviously the PC in the office is configured to turn on with the wake-on-lan, if with my notebook I physically connect to the office network I can turn on the PC)

I think that as the WOL is a broadcast packet it is blocked by the firewall, I can ask you to help me create a rule to allow this packet. I think it's pretty simple, but I'm very new to firewalls.

Thank id advance.


  • Options

    Why not connect to a system that is on the same subnet (via RDP) and wake up your system from there? I suppose you could create a policy for whatever port is needed from (192.168.113.x/24????) to your iLO...in my experience, I find another way in to just be easier.

  • Options

    You can't create a policy to allow broadcast packet across firewall interfaces.
    Also, there is no WOL Directed Broadcast function in Fireware.
    So you need a different solution, perhaps this:

  • Options
    Yeah WOL is a type of broadcast and broadcasts (on the WG at least) is restricted to subnet (which is by design since subnet routers are supposed to control each network like it is a separate “broadcast domain”
  • Options

    @Bruce_Briggs Thanks for the reply, I have read the link you sent me, but I stop when I get to this point:
    _Enable WoL through a Public IP

    Before you enable WOL through a public IP, ensure the following requirements are met:
    Network Firewall (if any) should be configured to allow any UDP packet that is received for this Public IP and Port number._

    This operation on the firewall is my question.

  • Options

    For a VPN connection, you will not be accessing a public IP addr.
    Verify your VPN policy on the firewall - that it will allow whatever UDP port is used or set up for this product.

  • Options

    I have a terrible I idea...one could bridge SSLVPN traffic............

  • Options

    Guys, as I said at the beginning of the post, I'm not very knowledgeable on these things.
    @Bruce_Briggs @TestingTester I have tried to understand and do what you are talking about, but I probably don't have the skills, I would need some more practical help (enable this in this menu ...; add this on this page ..., ... instructions for beginners, things like that)

    Thanks in advance.

  • Options

    Configure Networking Settings

    Select Bridge VPN Traffic to bridge SSL VPN traffic to a network you specify.


  • Options

    @federicomassimi - I did not give directions as it is in my opinion a terrible idea. The first question would be what type of interface your current LAN Subnet was on - Bridge, VLAN, Trusted, Optional, Custom....,

    In general most folks novice to WG have their network on a "Trusted" interface. So, if you were not on a Bridge you would have to change the interface...or add a new one and route them to each other (and you end up where you are at today). If you would like to try to bridge it and test to see if your WOL features come to life - I am more than happy to donate time and help you out...bad idea though.

  • Options
    james.carsonjames.carson Moderator, WatchGuard Representative

    I'm a bit confused on what WOL would accomplish via an SSLVPN, as in order for the PC to respond, it would have to be powered up and connected to the VPN -- which defeats the purpose of WOL.

    Even on a 'bridge' via SSLVPN, broadcast traffic will not pass as it still needs to traverse the gateway (the firewall) in order to get there.

    If you can explain a bit more about what exactly you're trying to accomplish we might be able to help find a way to do that for you -- but if you're just looking to use WOL via the SSLVPN, it will not work.

    -James Carson
    WatchGuard Customer Support

  • Options

    @James Carson

    Am I correct in thinking that for Network Bridge members and for a VLAN bridged across two interfaces, that broadcast packets would cross logical interfaces to the other sides(s)?
    If so, then why does this not also happen for SSLVPN in the Bridge setting?

  • Options
    james.carsonjames.carson Moderator, WatchGuard Representative


    For a bridge interface between two normal interfaces, this is true, but since the traffic has to be routed to the SSLVPN tunnel it still has to basically traverse a gateway. Broadcasts don't flow. It can work in some multicast scenerios, but for straight broadcast, they won't flow. This is the same reason SSLVPN has it's own DHCP settings even in bridge mode.

    In general, bridge mode on the SSLVPN is only usually helpful if someone really needs the SSLVPN to "appear" on the same subnet (we've run into software that has mind-bending licensing around what subnet it's on in the past.)

    -James Carson
    WatchGuard Customer Support

Sign In to comment.