Options
Remove VPN tunnel based on condition
Hi,
I have 2 external interfaces. One is fibre with static IP, the other is Starlink with cg-nat. From this firewall I have few default routes for few subnets via branch office vpn. Starlink is a backup and I would like to use it when fibre is unavailable.
I have 1 issue and 1 question.
Question
How can I remove default routes when Starlink is in use? If I don't remove them manually then all subnets with default gateway via vpn loose Internet unless I manually remove them. Can this be automated?
Issue
Watchguards backup interface seems to be relying on physical interface state rather than actual Internet connectivity check. Meaning that some has to pull out the cable from fibre Internet interface for Starlink to kick in. Is there anything that can be done to better automate this backup interface option?
I have 2 external interfaces. One is fibre with static IP, the other is Starlink with cg-nat. From this firewall I have few default routes for few subnets via branch office vpn. Starlink is a backup and I would like to use it when fibre is unavailable.
I have 1 issue and 1 question.
Question
How can I remove default routes when Starlink is in use? If I don't remove them manually then all subnets with default gateway via vpn loose Internet unless I manually remove them. Can this be automated?
Issue
Watchguards backup interface seems to be relying on physical interface state rather than actual Internet connectivity check. Meaning that some has to pull out the cable from fibre Internet interface for Starlink to kick in. Is there anything that can be done to better automate this backup interface option?
0
Sign In to comment.
Comments
re. Issue - set up Link Monitor
Configure Link Monitor
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/link monitor/link_monitor_configure.html
re. Question - is or can the BOVPN be setup over Starlink too ?
One can have a BOVPN set up with multiple WAN interfaces
Re Starlink. They won't provide static ip so in
My config it's not possible to implement bovpn via
Starlink. Which is why I would like tunnels to be removed
So that normal Internet is restored on vpn'd subnets.
Have you considered using DYNDNS for your Starlink WAN interface?
Then you can use a DNS name for the BOVPN connection over the Starlink.
You can have an internal DYNDNS client to identify the public IP addr being used and to do the updates to the DYNDNS site.
Hummm... after some research, it seems that DYNDNS will not help with Starlink.
Bummer
You can use the CLI to add or remove static routes.
Presumably this could be scripted.
Pages 153-154 of the CLI Reference Guide
configure ip route (destination) (fwdaddr) [metric metricvalue] - to add a static route
configure no ip route (destination) - to remove a static route
also: show ip route static - to see static routes
Branch office routes won't show under standard static routes. Could you advise how to go about it ? There has to be a way to go back to not vpn'd internet... otherwise each time tunel fails people loose internet, sounds like a design problem...
Intrestingly, under VPN/Global settings I just found this
Remove VPN routes when the tunnel for a BOVPN virtual interface is down
I will give that a test.