Complicated Routing of Web Traffic Through BOVPN

The title seems easy enough but it's more complicated. From a remote location, datacenter where cloud desktops are hosted, users are trying to access a website and get 403 forbidden, this is due to an issue with Google WAFs and the IP range being marked as a provider range (relaying from another tech).

So we need to route the traffic to this single website through the BOVPN with the watchguard being on the client side.

I can get the traffic to hit the local network but the traffic never forwards out to the internet after it hits the firebox. With Palo Alto I'd do this with PBF and NATs but I'm running into issues on the watchguard.

To give an idea of the traffic flow:

Cloud Desktops - 10.10.10.x
Local LAN - 192.168.1.x
Proxy Address for PBF from Palo Alto to force traffic from the cloud desktops over the VPN tunnel to the local LAN - 10.10.100.244
Public IP of website - 35.80.114.212

I can get traffic from the cloud desktops to the watchguard. It hits the watchguard with a destination nat of 192.168.1.200 however it stops there. The traffic never forwards out or returns traffic.

Any help is appreciated

Comments

  • To me, the dest IP address needs to the public IP address of the destination site, not an internal IP address at the WG site

  • james.carsonjames.carson Moderator, WatchGuard Representative

    There would need to be a route in your BOPVN tunnel to handle traffic to that public IP if it's a standard BOVPN Gateway/Tunnel pair. If it's a BOVPN Virtual Interface, it should work so long as the routes are in order.

    If you're not seeing any logs from the firewall and the connection is TCP, it's likely not completing - only TCP connections that actually complete get logged. Try sending a ping - provided your firewall rules allow it, you should at least see the outbound ping (in theory) in your logs even if there is no response.

    I would suggest opening a support case so that the support team can take a look at your configuration and help from there.

    -James Carson
    WatchGuard Customer Support

Sign In to comment.