Wireless geo_src location is wrong
I just set up a new T45-W-POE, and when setting up the wireless it chooses United States correctly in the setting, but any data packets all state they are coming from Brazil. Geolocation subscription was blocking Brazil, so I know it legitimately thinks it's Brazil. I have set up several of these and never encountered it. This only happens in the built-in wireless and not the LAN. Here is a sample log entry:
2024-04-12 07:46:11 Allow 200.200.200.2 52.113.194.132 https/tcp 61263 443 USI-FW External HTTPS Request (HTTPS-proxy-00) proc_id="https-proxy" rc="548" msg_id="2CFF-0000" app_id="0" app_cat_id="0" proxy_act="Default-HTTPS-Client" action="allow" geo_src="BRA" geo_dst="USA" sent_bytes="1339" rcvd_bytes="6969" tls_version="TLS_V12" tls_profile="TLS-Client-HTTPS.Standard"
And this is in Indiana.
Best Answer
james.carson Moderator, WatchGuard Representative
Hi @usifirebox
Why are you using non-RFC1918 addresses as a private subnet? Since this traffic is just going to be NAT'ed going outbound, this doesn't add any security to the network.
RFC1918 reserved address space for private networks:
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
You'll need to make a geolocation exception for whatever subnets you're using that are real IP bases in real countries if you need to use those addresses internally. Since your internal network is using 200.200.200.x you won't be able to access 200.200.200.x externally.
(Geolocation Exceptions)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/geo/geo_exceptions_c.html
Additionally, please make sure that you've added any new non-RFC1918 networks to your Dynamic NAT rules, or the firewall will not NAT this traffic.
(Network Dynamic NAT)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/nat/nat_dynamic_firewall_add_c.html
-James Carson
WatchGuard Customer Support
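The following is an added example, not part of the original posts and not WatchGuard code: a small Python audit that scans traffic log lines for internal sources outside the RFC1918 ranges listed above, which is the condition that makes geolocation tag inside traffic with a foreign country. The positional field layout is inferred from the single log entry in the question, the second sample line is constructed, and treating `External` as the only external interface and grouping by /24 are assumptions.

```python
import ipaddress
import re

# RFC1918 ranges exactly as listed in the answer above.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed layout (inferred from the one log entry in the question):
# date time disposition src dst service sport dport in_if out_if ... key="value" ...
LINE_RE = re.compile(r'^(?P<ts>\S+ \S+) (?P<disp>\S+) (?P<src>\S+) (?P<dst>\S+) '
                     r'\S+ \d+ \d+ (?P<in_if>\S+) (?P<out_if>\S+) ')
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Sample input: line 1 is the entry from the question; line 2 is CONSTRUCTED
# for contrast (a host on an RFC1918 subnet) and is not real firewall output.
SAMPLE_LOG = """\
2024-04-12 07:46:11 Allow 200.200.200.2 52.113.194.132 https/tcp 61263 443 USI-FW External HTTPS Request (HTTPS-proxy-00) proc_id="https-proxy" rc="548" msg_id="2CFF-0000" app_id="0" app_cat_id="0" proxy_act="Default-HTTPS-Client" action="allow" geo_src="BRA" geo_dst="USA" sent_bytes="1339" rcvd_bytes="6969" tls_version="TLS_V12" tls_profile="TLS-Client-HTTPS.Standard"
2024-04-12 07:46:12 Allow 192.168.10.5 52.113.194.132 https/tcp 61264 443 Trusted External HTTPS Request (HTTPS-proxy-00) proc_id="https-proxy" action="allow" geo_dst="USA"
"""

def is_rfc1918(ip):
    """True if ip falls inside one of the three RFC1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def audit(log_text, external_ifs=("External",)):
    """Flag outbound traffic whose internal source address is public space."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # Only consider traffic entering on an internal interface and leaving externally.
        if not m or m["out_if"] not in external_ifs or m["in_if"] in external_ifs:
            continue
        try:
            if is_rfc1918(m["src"]):
                continue
        except ValueError:  # source field is not an IP address; skip the line
            continue
        fields = dict(KV_RE.findall(line))
        # Assumption: the internal subnet is a /24, matching "200.200.200.x" above.
        subnet = ipaddress.ip_network(m["src"] + "/24", strict=False)
        findings.append({"src": m["src"], "in_if": m["in_if"],
                         "geo_src": fields.get("geo_src"), "subnet": str(subnet)})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f['src']} on {f['in_if']} is not RFC1918 (geo_src={f['geo_src']}); "
              f"renumber, or add {f['subnet']} to geolocation exceptions and Dynamic NAT")
```

Each subnet it reports is a candidate for renumbering into RFC1918 space or, failing that, for the geolocation exception and Dynamic NAT entry described in the answer.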
Answers
200.200.200.2 is from Brazil.
Is it your external interface IP addr?
For the record, what Fireware version are you running?
Per https://ipinfo.io/ 200.200.200.2 is in Rio, Brazil
This also shows Brazil:
https://www.ip-tracker.org/lookup.php?ip=200.200.200.2