
P2P L2 link with failover on public VPN

Hello

This is my first post in this forum.

We have 2 WG Firewalls acting as local default GW for both sites.

Site A with several VLANs in 10.176.0.0/16
Uplink interface vlan 10.0.0.1/30

Site B with several VLANs in 10.177.0.0/16
Uplink interface VLAN 10.0.0.2/30

What are we missing to establish a new path toward the new VPN link?

How to set priority to the L2 link?

Config template as reference would be appreciated.

Comments

  •

    Is this what you are looking for?

    Use a Branch Office VPN for Failover From a Private Network Link — Configuration Example
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/configuration_examples/vpn_failover_config_example.html

  •

    Well, not exactly. I tried to set it up today and I faced an issue. The Firebox is automatically tying the default route to the External interface (0.0.0.0/0).

    In fact we have Sites A & B linked over private net link and internet access on both sites. (Site A to local ISP, Site B to Starlink)

    All internet traffic from site B must go over private link to reach to the internet gateway on site A.

    What would be the solution to route all traffic (0.0.0.0/0) to site A and failover to vpn on Satellite link (VPN) when private link is down?

    All switches in place are L2+ only. The Fireboxes are the only L3 devices on network.

    Hope this makes more sense ;)

  •

    Exactly what did you do to implement this?

    What dynamic routing method did you set up?

    If you need specific help, and you have a support contract on at least 1 of the firewalls, you can open a support case on this, which you can do via the Support Center link at the top right.

  •

    Also, where is your P2P link terminated?
    On the firewall on each end?

  •

    @Rapetou said:
    Well, not exactly. I tried to set it up today and I faced an issue. The Firebox is automatically tying the default route to the External interface (0.0.0.0/0).

    In fact we have Sites A & B linked over private net link and internet access on both sites. (Site A to local ISP, Site B to Starlink)

    All internet traffic from site B must go over private link to reach to the internet gateway on site A.

    What would be the solution to route all traffic (0.0.0.0/0) to site A and failover to vpn on Satellite link (VPN) when private link is down?

    Assuming that the firewall at site B has 3 interfaces - Starlink, the private link and the internal one, you either need to have MultiWAN setup (if both the Starlink and private links are configured as 'external' type interfaces), or use a SD-WAN rule.

    If a VPN tunnel is used across the Starlink connection at site B to A, and Internet traffic has to also traverse this (zero routing), you'd need to make sure you specify the BOVPN interface in the SDWAN rule at site B that directs traffic to the Internet.

    The question from Bruce_Briggs re where the P2P link is terminated would also need to be answered to determine whether my suggestion is valid or if modifications are needed.
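    To make the routing behaviour discussed in this thread concrete, here is an added example (not from the thread, not WatchGuard code, and not a model of how Fireware actually orders its routes): a small Python route table for the site B firewall. Interface names (trusted, private_link, starlink, bovpn), metrics and the test address 203.0.113.10 are constructed assumptions. It shows longest-prefix match with metric tie-breaking, a tunnel whose usability depends on its underlay, the failover from the private link to the BOVPN, and why an automatically installed default route on the External interface with a better metric would pull Internet traffic straight out over Starlink.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: str   # destination network, e.g. "0.0.0.0/0"
    via: str      # egress interface or tunnel name (assumed names)
    metric: int   # lower is preferred among routes of equal prefix length


class Router:
    """Minimal longest-prefix-match table with per-link up/down state.

    links maps a name to either a bool (physical link up/down) or a
    (underlay_name, tunnel_ok) tuple for a tunnel that rides on another link.
    """

    def __init__(self, routes, links):
        self.routes = list(routes)
        self.links = dict(links)

    def link_is_up(self, name):
        state = self.links.get(name)
        if isinstance(state, tuple):
            # A VPN tunnel is only usable if its underlay is also up.
            underlay, tunnel_ok = state
            return tunnel_ok and self.link_is_up(underlay)
        return bool(state)

    def lookup(self, dst):
        """Return the egress name for dst, or None if no usable route exists."""
        addr = ip_address(dst)
        usable = [
            r for r in self.routes
            if self.link_is_up(r.via) and addr in ip_network(r.prefix)
        ]
        if not usable:
            return None
        # Longest prefix wins; among equal prefixes the lowest metric wins.
        best = min(usable, key=lambda r: (-ip_network(r.prefix).prefixlen, r.metric))
        return best.via


def build_site_b(private_up=True, starlink_up=True, tunnel_up=True,
                 auto_default_metric=None):
    """Site B as described in the thread (constructed model).

    Site A (10.176.0.0/16) and the Internet are reached over the private link
    first, then over the BOVPN that runs across Starlink. auto_default_metric,
    if given, adds the kind of default route a firewall installs automatically
    on its External interface.
    """
    routes = [
        Route("10.177.0.0/16", "trusted", 0),        # local VLANs
        Route("10.176.0.0/16", "private_link", 10),  # site A via private link
        Route("10.176.0.0/16", "bovpn", 20),         # site A via tunnel
        Route("0.0.0.0/0", "private_link", 10),      # Internet via site A
        Route("0.0.0.0/0", "bovpn", 20),             # Internet via site A, tunnelled
    ]
    if auto_default_metric is not None:
        routes.append(Route("0.0.0.0/0", "starlink", auto_default_metric))
    links = {
        "trusted": True,
        "private_link": private_up,
        "starlink": starlink_up,
        "bovpn": ("starlink", tunnel_up),
    }
    return Router(routes, links)


if __name__ == "__main__":
    internet = "203.0.113.10"  # constructed test address
    for label, router in [
        ("normal", build_site_b()),
        ("private link down", build_site_b(private_up=False)),
        ("private link and tunnel down", build_site_b(private_up=False, tunnel_up=False)),
        ("auto default on External, metric 1", build_site_b(auto_default_metric=1)),
    ]:
        print(f"{label:36s} Internet -> {router.lookup(internet)}, "
              f"site A -> {router.lookup('10.176.1.5')}")
```

    With a low-metric default on the External interface, Internet traffic leaves directly over Starlink while site A traffic still follows the longer 10.176.0.0/16 prefix over the private link; that split is the symptom described above, and it is why the choice of egress for 0.0.0.0/0 has to be made explicitly (MultiWAN ordering or an SD-WAN rule naming the BOVPN interface) rather than left to the automatic default.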

  •

    Thanks for the hints and recommendations, guys! I'm about to create a ticket with WG support. I guess it will be a kind of multi WAN setup but can't wait longer to make it work.

    I will come back and post the solution for everyone's knowledge.

    Stay tuned!

  •
    edited April 17

    Apparently, the BOVPN is not the right track to use. The FB can't handle it that way and support refuses to brainstorm on the design.

    If you look at the topology attached, the users are connected/routed via the T45 (remote site) towards the M290 (Main site) over the L2 private link network.

    In "normal operation mode" all flows should go through the L2 link for servers and web access. The backup VPN should only be used when the logical L2 link between both FB is down.

    Keeping in mind that the switches do not support L3 features. What would be my options with the FB in place?

  •

    The P2P link needs to be connected to each firewall for this to work, not via your switches.
