Remove VPN tunnel based on condition


I have 2 external interfaces. One is fibre with static IP, the other is Starlink with cg-nat. From this firewall I have few default routes for few subnets via branch office vpn. Starlink is a backup and I would like to use it when fibre is unavailable.

I have 1 issue and 1 question.

How can I remove default routes when Starlink is in use? If I don't remove them manually then all subnets with default gateway via vpn loose Internet unless I manually remove them. Can this be automated?

Watchguards backup interface seems to be relying on physical interface state rather than actual Internet connectivity check. Meaning that some has to pull out the cable from fibre Internet interface for Starlink to kick in. Is there anything that can be done to better automate this backup interface option?


  • Options

    re. Issue - set up Link Monitor

    Configure Link Monitor
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/link monitor/link_monitor_configure.html

    re. Question - is or can the BOVPN be setup over Starlink too ?
    One can have a BOVPN set up with multiple WAN interfaces

  • Options
    Thanks Bruce, I will research on Link Monitor looks promising.

    Re Starlink. They won't provide static ip so in
    My config it's not possible to implement bovpn via
    Starlink. Which is why I would like tunnels to be removed
    So that normal Internet is restored on vpn'd subnets.
  • Options

    Have you considered using DYNDNS for your Starlink WAN interface?
    Then you can use a DNS name for the BOVPN connection over the Starlink.
    You can have an internal DYNDNS client to identify the public IP addr being used and to do the updates to the DYNDNS site.

  • Options

    Hummm... after some research, it seems that DYNDNS will not help with Starlink.

  • Options

    You can use the CLI to add or remove static routes.
    Presumably this could be scripted.

    Pages 153-154 of the CLI Reference Guide
    configure ip route (destination) (fwdaddr) [metric metricvalue] - to add a static route
    configure no ip route (destination) - to remove a static route

    also: show ip route static - to see static routes

  • Options

    Branch office routes won't show under standard static routes. Could you advise how to go about it ? There has to be a way to go back to not vpn'd internet... otherwise each time tunel fails people loose internet, sounds like a design problem...

  • Options

    Intrestingly, under VPN/Global settings I just found this

    Remove VPN routes when the tunnel for a BOVPN virtual interface is down

    I will give that a test.

Sign In to comment.