BOVPN and SD Wan using wrong interface
I have 2 WAN connections. I set up 2 SD-WANs using only 1 interface each, one called Wireless and one called Fiber. On the local side I have a policy that allows anything for testing. I have configured the policy to use the Fiber SD-WAN settings. I have 2 Synology boxes, one on the local LAN and one at another office connected by VPN. Both are put in the Allow Anything policy.

The Synology at the site is unable to contact Synology in order to download an update. The one that is local has no problems. Looking at the Traffic Monitor I can see the one at the site using the Allow Anything policy but using the Wireless interface for its src NAT. The local Synology uses the Fiber src for NAT. I can't understand why. The BOVPN.Allow in is not set for SD-WAN, and setting it to use the Fiber for SD-WAN has no effect. I added a user's desktop to the policy and he too can't connect to anything on the internet. If I change the policy to use the Wireless SD-WAN or choose none, it works fine.

I also noticed that when setting this policy to use the Fiber I get "syn checking failed" errors, which I believe means you have packets going out one interface and then coming back on another.
Comments
Hi @kcarpenter
Is the set source IP box set in the policy to something, or to just use global NAT settings? If it's set to something specific there, that will override SD-WAN.
I'd suggest opening a support case with either a support file or support access to your firewall, and a copy/paste of that log somewhere in the case. One of our reps can look into it with you. Without seeing the log and config, it's difficult to suggest where to look.
-James Carson
WatchGuard Customer Support
No, it's not set. It won't even let me set it.
@kcarpenter
It'll be best to create a support case so that one of our reps can look at the config, then. It's very likely a setting that I'm overlooking while thinking about how this might be set up.
If you've already created a case, if you can please reply with the case number -- I can make sure it's landed with the correct team to help.
-James Carson
WatchGuard Customer Support