Route entry does not seem to work
I am trying to access another network from a BOVPN, but when doing a trace it just goes out the WAN interface on my Main Firewall. I have another firewall at the home office and I am trying to route packets to it. It's like the BOVPN does not use the routes on the office firewall. So Site A sends a packet to this other network. It goes over the BOVPN to the Main Firewall. From there I want it to go to the other firewall that's on the same LAN as the Main Firewall, but instead it goes out the WAN interface. I believe it has to do with how the BOVPN is set up in the policies. Site A can ping the firewall I am trying to route to.
Comments
A virtual BOVPN works with routes.
A standard BOVPN works with settings on the Tunnel setup.
For a standard BOVPN, you need to have entries for all subnets that you want to reach at the other end of the BOVPN on the Tunnel setup. The other end needs matching entries.
If you have a daisy chain of firewalls, the BOVPN Tunnel settings at each of the locations need to include all of the subnets that need to go via the BOVPN connections.
Not sure what a virtual BOVPN is.
On the tunnel setup at Site A it's configured as follows:
Local Network - Bi-directional - Any IPV4
Wouldn't that cover it? Basically the VPN is set up to send all traffic over the tunnel. The Main Firewall then receives it and just sends it out the WAN.
The tunnel policy was created automatically so I can't change it.
Are you suggesting creating a Custom BOVPN Policy?
Does the Network Route that is on the Main Firewall point to the other firewall's external interface IP addr in the Gateway addr field?
Does the Network Route have the subnet behind that firewall in the Route To field?
Here is a rough diagram. There are reasons why I am using the SonicWall for the VPN instead of the Main Firewall to make the connection to the 3rd-party firewall. The VPN is up. I configured a workstation to use x.x.210.10 as its GW and it's able to ping 25.25.61.130, for testing to verify the VPN is working.
Just to verify - x.x.210.90 with a gateway of x.x.210.02, a ping/tracert to 25.25.61.130 goes out to the Internet, correct?
I can't think of any reason that the Network Route is not working, other than a typo.
You can review the Routes on the firewall in Firebox System Manager -> Status Report, or in the Web UI -> System Status -> Routes
For the record, what firewall model is Main Firewall, and what Fireware version is it running?
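The questions above about the Network Route boil down to one thing: a destination-based route lookup picks the most specific (longest-prefix) route that contains the destination, and it does not care which source the packet came from. The following is an added illustration of that lookup over a constructed route table, not code from the thread or from WatchGuard; the first two octets are masked as x.x on the page, so 10.0 is used here as a placeholder prefix, and the gateway 10.0.210.10 stands for the SonicWall's LAN address mentioned later in the thread.

```python
import ipaddress

# Constructed route table, added as an illustration; this is not the firewall's
# actual configuration. The thread masks the first two octets as "x.x", so 10.0
# is used here as a placeholder prefix.
ROUTES = [
    # (destination, gateway or None if directly connected, interface)
    ("0.0.0.0/0",       "10.0.1.1",    "External"),  # default route, out the WAN
    ("10.0.1.0/24",     None,          "External"),  # WAN segment
    ("10.0.210.0/24",   None,          "Trusted"),   # LAN shared with the SonicWall
    ("10.0.222.0/24",   None,          "bvpn"),      # Site A, reached over the BOVPN
    ("25.25.61.130/32", "10.0.210.10", "Trusted"),   # network route to the 3rd-party host via the SonicWall
]


def build_table(routes=ROUTES):
    """Parse the text table into ip_network / ip_address objects."""
    return [
        (ipaddress.ip_network(dst), ipaddress.ip_address(gw) if gw else None, iface)
        for dst, gw, iface in routes
    ]


def lookup(table, dst_ip):
    """Longest-prefix match: the most specific route containing dst_ip wins.
    Returns (network, gateway, interface) or None when nothing matches."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for net, gw, iface in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def forward(table, src_ip, dst_ip):
    """Describe where a packet from src_ip to dst_ip is sent.

    src_ip is accepted only to make the point that a plain destination-based
    lookup never consults it: a packet arriving over the BOVPN (10.0.222.x) and
    one from the local LAN (10.0.210.x) get exactly the same answer.
    """
    hit = lookup(table, dst_ip)
    if hit is None:
        return (src_ip, dst_ip, "drop", None)
    net, gw, iface = hit
    via = str(gw) if gw is not None else "directly connected"
    return (src_ip, dst_ip, iface, via)


if __name__ == "__main__":
    table = build_table()
    for src in ("10.0.210.90", "10.0.222.10"):
        print(forward(table, src, "25.25.61.130"))   # both: Trusted via 10.0.210.10
    print(forward(table, "10.0.222.10", "8.8.8.8"))   # External via 10.0.1.1
    # Without the /32 route the destination falls back to the default route:
    print(forward(build_table(ROUTES[:-1]), "10.0.210.90", "25.25.61.130"))
```

The point of the two source addresses is the check a practitioner wants here: if a host on the LAN reaches 25.25.61.130 through the SonicWall but a host arriving over the BOVPN is sent out the WAN, the difference is not coming from the table this code models. Compare the routes shown in Status Report against what a packet capture on the Main Firewall actually shows for each source.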
I can't say about the 210.90 going straight out to the internet. I want to say no on that. Before using a VPN to the 3rd-party firewall we were using a T1. It had an address of x.x.210.9 and it worked for everyone. I had a route in the Main Firewall to use that as the gateway for 25.25.61.130, and everything was working. The T1 went down, so I tried switching to VPN. I changed the route on the firewall but it still wouldn't work. Maybe the problem is on the SonicWall, although I can ping the SonicWall from x.x.222.10. Just not sure why routing is not working for the .130 server.
The Main Firewall is an M370 and Site A is a T70. All updated to the latest.
Thanks for your help by the way.
Do a test from x.x.210.90, or something else on the x.x.210.xx subnet with a gateway of x.x.210.02, to 25.25.61.130 to see where it goes: out to the Internet or to the SonicWall.
If it goes to the SonicWall, then the Network Route is working on Main Firewall.
If not, then it isn't.
If the Network Route is working, my only other thought is that somehow the SonicWall is redirecting the packets from x.x.222.10 to the Internet.
To verify this, you can do packet captures on the Main Firewall using tcpdump.
Using the Advanced settings you can specify an IP addr to capture and the interface.
For Firebox System Manager:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/fsm/log_message_learn_more_wsm.html
You can also do this from the Web UI.
Examples of tcpdump parameters here:
https://danielmiessler.com/study/tcpdump/
In your diagram, you have 2 devices shown as "Workstation".
In this statement - "Configured Workstation to use x.x.210.10 as GW and it's able to ping 25.25.61.130 for testing to verify VPN is working." - which device is this? x.x.222.10?
If x.x.222.10, then clearly the SonicWall is not redirecting the packets from x.x.222.10 to the Internet.
Which suggests an issue with the Network Route.
New Testing.
I can confirm that x.x.210.90 is sending the pings to the SonicWall firewall and they are working.
x.x.222.10 sends them through the WAN on my Main Firewall. They do not get routed over to the SonicWall, but it's able to ping the SonicWall just fine.
Any machine on the x.x.210.x network is able to ping .130. So routing is working locally but not for anything coming over the BOVPN. It seems like routing is ignored.
Time for a support case on this
I think so