Local VLAN NATting Question

Hello,

So we have two internet carriers with BGP. We have a WG HA Cluster which is handling our BGP.

We recently consolidated our networking by removing our internal router (which was behind the WG) and we created a new VLAN in the WG and turned on DHCP so now the WG is handling our internal LAN for all of our computers and so forth.

The issue we ran into was that because BGP is in Routing Table mode, every so often the computers would freeze and reconnect to the internet (presumably because the IP was changing).

So what we ended up doing was applying SD-WAN policies so that traffic is going out one carrier with gradual failback if needed.

Is this the way this is supposed to work? It seems we are limiting ourselves here. What if we wanted to try and balance the load between the two carriers on this internal LAN? With our previous setup, we had a router which was NATting, of course, so this was not an issue, as the IP of the router was one of our Class C's.

Thanks!

Comments

  • james.carson (Moderator, WatchGuard Representative)

    Using BGP shouldn't really be causing any problems here. Under most circumstances, the firewall is going to send traffic to the default gateway of the ISP, which will handle the traffic. In some multi-WAN environments, this can change what path is used if Routing Table is chosen in multi-WAN.

    If you're looking for a more stable experience, I'd suggest using Failover mode. If you need to load balance, you can use an SD-WAN action in some specific policies in order to send traffic for those policies out another interface.

    -James Carson
    WatchGuard Customer Support

  • @james.carson ... Right now my experience is not stable. I am dropping RDP connections to my internal servers (that are just on my LAN). It's almost as if my PC is hopping from one ISP to the next.

  • james.carson (Moderator, WatchGuard Representative)

    @travis_tmb I'd suggest opening a support case -- this is likely going to require getting into the dynamic routing logs for your system and that would be the best place to share those.

    -James Carson
    WatchGuard Customer Support

  • @james.carson .... So if we have a VLAN that is routing all of our internal LAN PCs, but we have two fiber connections, should all of the traffic be routed out over one circuit, or should it be NATted to an IP or the gateway IP address of our Class C?

  • james.carson (Moderator, WatchGuard Representative)

    Hi @travis_tmb
    If you are in Routing Table mode, the firewall will do whatever routing/dynamic routing tells it to do. If you're in Failover, Load Balance, or Round Robin mode, it'll do what those methods tell it to do.

    The firewall will follow whatever is in its NAT rules (in Network -> NAT) and the NAT options in each policy (which are usually set to follow the firewall NAT rules).

    -James Carson
    WatchGuard Customer Support

  • @james.carson ... The only problem we are having right now is, roughly once per day, our desktops freeze (internet-wise) for just a couple of seconds and then reconnect.

    Any idea what could be causing this?

  • james.carson (Moderator, WatchGuard Representative)

    @travis_tmb
    There are a lot of things that could be causing that type of behavior:
    - DHCP release/renewal.
    - GARP (Gratuitous ARP) on external that isn't being responded to quickly enough.
    - Route change.
    - Link monitor not getting a ping response 3 times in a row, causing the interface to be marked as down.

    I'm taking shots in the dark and guessing based on the info I have. I'd strongly suggest opening a case so that one of our team can look through your logs and determine what the issue actually is. If you can grab a support file from the firewall when the issue is happening (or shortly after), it'd likely help get all the logs you need in one place.

    The support file is in:
    Web UI: System Status -> Diagnostics, click to download a support log file.
    Firebox System Manager: Go to the Status Report tab, click Support, then Retrieve.

    -James Carson
    WatchGuard Customer Support
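An added example, not from this thread and not WatchGuard's own tooling: a small Python script that walks a firewall log for the kinds of events listed above (link-monitor probe timeouts, an interface marked down or up, a default-route change, a DHCP lease renewal) and reports which of them fall within a window around each time the desktops were reported as freezing. The log format, host name, interface names and addresses are constructed for the example; Fireware's real log messages look different, so the regular expressions in EVENT_PATTERNS would need to be adapted to whatever the support file actually contains.

```python
"""Correlate reported LAN 'freezes' with candidate WAN events in firewall logs.

Added example, not from the thread and not WatchGuard's own tooling. The log
format, host name, interfaces and addresses below are constructed for
illustration; adjust EVENT_PATTERNS to the message formats in a real support file.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log (hypothetical syslog-like format, documentation IPs).
SAMPLE_LOG = """\
2023-02-01T09:14:02 fw1 linkmon: eth0 probe to 198.51.100.1 timed out (1/3)
2023-02-01T09:14:05 fw1 linkmon: eth0 probe to 198.51.100.1 timed out (2/3)
2023-02-01T09:14:08 fw1 linkmon: eth0 probe to 198.51.100.1 timed out (3/3)
2023-02-01T09:14:08 fw1 linkmon: eth0 marked DOWN
2023-02-01T09:14:09 fw1 route: default via 203.0.113.1 dev eth1
2023-02-01T09:14:40 fw1 linkmon: eth0 marked UP
2023-02-01T09:14:41 fw1 route: default via 198.51.100.1 dev eth0
2023-02-01T12:30:00 fw1 dhcpc: eth1 lease renewed 203.0.113.20
2023-02-02T09:15:11 fw1 linkmon: eth1 probe to 203.0.113.1 timed out (1/3)
2023-02-02T09:15:14 fw1 linkmon: eth1 probe to 203.0.113.1 timed out (2/3)
2023-02-02T09:15:17 fw1 linkmon: eth1 probe to 203.0.113.1 timed out (3/3)
2023-02-02T09:15:17 fw1 linkmon: eth1 marked DOWN
2023-02-02T09:15:18 fw1 route: default via 198.51.100.1 dev eth0
"""

# Times at which the desktops were reported as freezing (constructed).
FREEZES = [
    datetime(2023, 2, 1, 9, 14, 10),
    datetime(2023, 2, 2, 9, 15, 20),
    datetime(2023, 2, 2, 15, 0, 0),  # no matching firewall event in the sample
]

# Event kinds from the list of suspects above. The regexes match the
# constructed format in SAMPLE_LOG, not Fireware's real messages.
EVENT_PATTERNS = {
    "probe_timeout": re.compile(r"linkmon: (\S+) probe to \S+ timed out \((\d)/(\d)\)"),
    "link_down":     re.compile(r"linkmon: (\S+) marked DOWN"),
    "link_up":       re.compile(r"linkmon: (\S+) marked UP"),
    "route_change":  re.compile(r"route: default via (\S+) dev (\S+)"),
    "dhcp_renew":    re.compile(r"dhcpc: (\S+) lease renewed (\S+)"),
}
LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")  # "<iso timestamp> <host> <message>"


def parse_events(log_text):
    """Return (timestamp, kind, regex groups) for every line matching a known event."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = datetime.fromisoformat(m.group(1)), m.group(3)
        for kind, pat in EVENT_PATTERNS.items():
            hit = pat.search(msg)
            if hit:
                events.append((ts, kind, hit.groups()))
                break
    return events


def events_near(events, when, window=timedelta(seconds=30)):
    """Events that fall within +/- window of a reported freeze time."""
    return [e for e in events if abs(e[0] - when) <= window]


def default_route_flips(events):
    """Count how many times the default route moved to a different interface."""
    last_dev, flips = None, 0
    for _, kind, groups in events:
        if kind == "route_change":
            dev = groups[1]
            if last_dev is not None and dev != last_dev:
                flips += 1
            last_dev = dev
    return flips


def correlate(log_text, freezes, window=timedelta(seconds=30)):
    """Map each freeze time to a Counter of the event kinds seen around it."""
    events = parse_events(log_text)
    return {f: Counter(kind for _, kind, _ in events_near(events, f, window))
            for f in freezes}


if __name__ == "__main__":
    for freeze, kinds in correlate(SAMPLE_LOG, FREEZES).items():
        print(freeze, dict(kinds) or "no firewall events in window")
    print("default route flips:", default_route_flips(parse_events(SAMPLE_LOG)))
```

Run against a real support file, a freeze that lines up with three probe timeouts followed by an interface-down and a default-route change points at the link monitor and the route flip; a freeze with nothing in the window from the firewall at all points back at the client side, which is the sort of split the thread later runs into with IPv6.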

  • Got it. Thanks James!

  • edited February 2023

    @james.carson ... I am suspecting that IPv6 may be the cause here. We had IPv6 issues with one of our servers a few years ago when we put our first WG in place.

    I disabled IPv6 on my computer and I am not having any issues now. What do you think? Is there a way to disable IPv6 on the WG?

    Thanks

  • james.carson (Moderator, WatchGuard Representative)

    Hi @travis_tmb
    The firewall should be able to handle any IPv6 traffic from a routing perspective.

    You can see the article here about what is and isn't supported via IPv6.
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/networksetup/ipv6_supported_features.html

    If IPv6 is turned off for all interfaces (internal and external), the firewall should just drop any IPv6 traffic. This won't prevent the client from attempting to send IPv6 traffic, however. Under most circumstances it'll time out and retry again (potentially using a different address, or an IPv4 address).

    -James Carson
    WatchGuard Customer Support

  • @james.carson ... Okay, thank you. Well, we disabled IPv6 on our computers per our MSP's recommendation and our problems have gone away, it seems. A few computers that were having trouble are no longer having it, it seems. I'll keep you posted.
