Remove VPN tunnel based on condition

Hi,

I have 2 external interfaces. One is fibre with static IP, the other is Starlink with cg-nat. From this firewall I have few default routes for few subnets via branch office vpn. Starlink is a backup and I would like to use it when fibre is unavailable.

I have 1 issue and 1 question.

Question
How can I remove default routes when Starlink is in use? If I don't remove them manually then all subnets with default gateway via vpn loose Internet unless I manually remove them. Can this be automated?

Issue
Watchguards backup interface seems to be relying on physical interface state rather than actual Internet connectivity check. Meaning that some has to pull out the cable from fibre Internet interface for Starlink to kick in. Is there anything that can be done to better automate this backup interface option?

Comments

  • re. Issue - set up Link Monitor

    Configure Link Monitor
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/link monitor/link_monitor_configure.html

    re. Question - is or can the BOVPN be setup over Starlink too ?
    One can have a BOVPN set up with multiple WAN interfaces

  • Thanks Bruce, I will research on Link Monitor looks promising.

    Re Starlink. They won't provide static ip so in
    My config it's not possible to implement bovpn via
    Starlink. Which is why I would like tunnels to be removed
    So that normal Internet is restored on vpn'd subnets.
  • Have you considered using DYNDNS for your Starlink WAN interface?
    Then you can use a DNS name for the BOVPN connection over the Starlink.
    You can have an internal DYNDNS client to identify the public IP addr being used and to do the updates to the DYNDNS site.

  • Hummm... after some research, it seems that DYNDNS will not help with Starlink.
    Bummer

  • You can use the CLI to add or remove static routes.
    Presumably this could be scripted.

    Pages 153-154 of the CLI Reference Guide
    configure ip route (destination) (fwdaddr) [metric metricvalue] - to add a static route
    configure no ip route (destination) - to remove a static route

    also: show ip route static - to see static routes

  • Branch office routes won't show under standard static routes. Could you advise how to go about it ? There has to be a way to go back to not vpn'd internet... otherwise each time tunel fails people loose internet, sounds like a design problem...

  • Intrestingly, under VPN/Global settings I just found this

    Remove VPN routes when the tunnel for a BOVPN virtual interface is down

    I will give that a test.

Sign In to comment.