Route traffic from particular private network through second Firebox

Hello, I have two Fireboxes, in two offices. I created BOVPN tunnels and can access private networks on both sides. Now I need to route all traffic that suppose to go to External at Firebox A from network to be routed through Firebox B network to External on Firebox B. How should I do it? Thank you!


  • james.carsonjames.carson Moderator, WatchGuard Representative

    You'll need to default route/zero route the BOVPN for that network in the BOVPN tunnel settings.


    -James Carson
    WatchGuard Customer Support

  • When I tried it I lost an ability to log in via VPN IKEAv2 at Firebox A
  • Did you set up the default route BOVPN settings for just ?

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @Leonid
    Are you seeing any errors on the firebox system manager front panel, or in the VPN diagnostics? If the VPN was previously working, there's likely a route mismatch.

    My best guess is that the route was not changed on the distant side.
    If you make the route <-->
    you need to make it the inverse on the other firewall, like: <-->
    for example.

    -James Carson
    WatchGuard Customer Support

  • Thank you all very much, I was able to create a correct tunnel<> I can now see traffic going through remote Firebox.
    This presents me 2 problems:
    1. Regardless I can see ping to allowed at remote firebox it doesn't come back .
    2. If I log in through VPN IVEv2 to local firebox and try to ping any address in network I'm getting disconnected immediately. This doesn't happen when I log in via L2tP. Also I can see nothing in logs except "User ... login , User ... logout
    All this happens only when the tunnel is active

    any ideas will be highly appreciated!

  • For the IVEv2 VPN client connection - Fireware routing seems to be different for IKEv2 than for other VPN clients.
    The reason that I say this is that if one creates a policy to allow internal devices to access an IKEv2 VPN client, one needs to disable Dynamic NAT on that policy, whereas one doe snot need to do this for other VPN client types.
    Consider opening a support case for this one.

    For the Google ping issue - verify that you have a Dynamic NAT entry which includes on firewall B, such as the default one of
    Does all other Internet access work OK from except for these pings?

  • Thank you, Bruce, Nat tule to External did the trick. As for IKEv2 VPN client - disabling NAT in FW rule changed nothing, I am going with support on this one.

  • Do note that there are very few reasons to delete or modify the 3 default Dynamic NAT entries, which are for the 3 private IP addr subnets.

    Doing so ends up with problems such as you found, and can often be difficult to identify the cause.

Sign In to comment.