prod editing - help please

The problem is that on Monday I have to make some changes to a WatchGuard directly in prod, and I don't really know how to use the web interface well, but I have to.

The scenario is:

site 1 LAN -> WatchGuard with 2 WANs -> site 1 ISP MPLS IPsec to site 2 ISP MPLS - firewall (that I don't have to care about) - 1 private IP in site 2 to reach

I have to set it up so that only 1 private IP of the site 1 LAN can reach the specified private IP of site 2.

I also have this data:

private IP of site 1

NATted source IP before entering the tunnel (this tunnel should be the IPsec one, so I think the ISP should take care of this NAT, am I wrong?)

real destination IP address of site 2

IP address to reach in site 2, port 5656

So, I have to specify that it can only reach port 5656 using WAN 2 of the site 1 WatchGuard.

How can I do it? What are the exact steps and procedure? Please help me :)

Best regards


  • Options

    Sounds like you need to set up a Branch Office VPN (BOVPN).
    On the Gateway, you specify your local WAN to use and the other end WAN interface.
    On the Tunnel setting you specify the local & remote IP addrs/subnets for the tunnel.
    You can also specify a 1-to-1 NAT setting on the Tunnel setup.

    If you have an Outgoing policy in your config, then outgoing access on port 5656 will already be allowed.
    If not, add a custom packet filter policy for TCP port 5656.

    The online docs are searchable.
    Start here:
    Manual Branch Office VPN Tunnels

  • Options

    There are some BOVPN setup examples for both WSM Policy Manager and for the Web UI, here:

  • Options

    Thanks for the reply, but no, I don't have to set up the VPN because the IPsec is taken care of by the ISP with the MPLS.
    I only have to specify an outgoing policy.

    If I am right, all traffic not allowed is blocked, so it's enough if I specify a custom packet filter policy for 5656 from the IP I want.

    Is this correct?

    Best regards

  • Options

    Correct, all the traffic not allowed is blocked, however, IF you have an Outgoing policy in your config, then outgoing access on port 5656 will already be allowed out of the firewall, to anywhere.

    Use SD-WAN on the 5656 policy.

  • Options

    Explain "natted source ip" and
    Is the WAN2 external IP addr?

  • Options

    Thanks for the reply... that's the problem too.
    I have a sheet with this data from the customer, but no idea; I suppose it is the IP address of the MPLS IPsec, but I'm not sure.

    Any idea?

    Really, thanks for your time

  • Options

    You need to find out what it means.
    We can't help any more without that info.

  • Options

    You can see your WAN interface IP addrs in the Web UI -> Dashboard -> Interfaces

  • Options
    edited March 2023

    Yep, I know it, thanks.. and obviously WAN2 has a public IP address that is not in the sheet I reported
    WAN2 public IP address, let's say

  • Options

    Hi all, I have another question about this topic..

    If, from the firewall's diagnostics, I ping a private IP of site B

    WatchGuard firewall
    ISP MPLS
    WAN of site B

    is the reply to that ping allowed to get back to the Firebox?

    Really, thanks

  • Options
    edited April 2023

    One would expect so, assuming that something is not blocking the initial ping, or that there is not a routing issue.
    Try using tracert instead of ping.

  • Options

    Yep, I did it, but even with the correct route set up, it gets stuck on the WAN IP address, so I suppose it is an ISP problem.

  • Options

    Does a tracert work from behind the firewall?

    Since you have 2 WANs, on your tracert from the firewall, you need to make sure that the tracert is going out the correct WAN interface. You can do that by using the Advanced Options and specifying the interface to use in the Arguments field.

    Run Network Diagnostic Tasks in Fireware Web UI

  • Options

    Under Network -> Routes I set up a rule that says all traffic with the destination netmask has the gateway set to the IP of WAN 2... and I think it works, but the trace gets stuck at the IP of WAN2.. it should go on to the other side but it doesn't.

  • Options

    Time to contact your ISP.
    Seems that something upstream is dropping these packets.

  • Options
    edited April 2023

    Thank you man :) I will keep you updated

  • Options

    I don't know why, but to set the route I have to set:

    destination subnet: the one I want
    gateway: (not the IP of the WAN) the router IP of the WAN interface

    I assume that this routing is done by the WatchGuard

    Maybe I am totally wrong :)

  • Options

    If you have a support contract on your firewall, you can open a support case with WatchGuard, and get help from a WG rep.

    You can open a case via the SUPPORT CENTER link at the top.

  • Options

    Are you saying this because it's a strange behavior?

  • Options

    OK, I was totally wrong.
    Thank you anyway.
