Route setup
Here is the scenario.
Two T85s. One is in Spokane, one is in Yakima.
Both firewalls have WAN through Fatbeam. Static IPs. Got a BOVPN running between them.
Spokane trusted is 10.1.10.0/24
Yakima trusted is 192.168.253.0/24 and also 192.168.254.0/24
ISP has created a direct link between the site modems that traffic should be able to pass directly over between the sites.
On Spokane WG (10.1 network) I have port 4 on the WG configured as Custom - 192.168.254.14
Within Routes I have:
Route to 192.168.253.0/24 / Gateway 192.168.254.14 / Metric 1 / Nothing listed in interface
Route to 192.168.254.0/24 / Gateway 192.168.254.14 / Metric 1 / Nothing listed in interface
On Yakima WG (192.168 network) I have port 4 on the WG configured as Custom - 10.1.10.14
Within Routes I have:
Route to 10.1.10.0/24 / Gateway 10.1.10.14 / Metric 1 / Nothing listed in interface
Each site has a policy of:
Policy Type Any
From - Any-Trusted, Private WAN
To - Private WAN, Any Trusted
Port - Any
When I disable the BOVPN between the sites I can see traffic in the firewall passing between the sites, so you would presume this is it working and doing it correctly. Yet neither site can see file shares, ping, RDP or see phones at the other?
Where did I go wrong?
Answers
You should have 1 subnet defined for the interconnection between each firewall, on port 4 on each end.
Example:
Set port 4 on Spokane to 192.168.252.14/24
Set port 4 on Yakima to 192.168.252.15/24
Spokane
Route to 192.168.253.0/24 should be the IP addr of the remote firewall's port 4 - 192.168.252.15
Yakima
Route to 10.1.10.0/24 should be the IP addr of the remote firewall's port 4 - 192.168.252.14
Route to 192.168.254.0/24 / Gateway 192.168.254.14 is not needed
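The answer above boils down to two checks on the static routes, and the later point in this thread (the BOVPN is always tried first for matching traffic) adds a third. The following is an added example, not configuration or code from the thread or from WatchGuard: a small Python model of those checks using the addresses posted here. The trusted-side firewall address 10.1.10.1 and the simplified precedence rule (tunnel selectors are consulted before the routing table) are this example's assumptions.

```python
"""Added example (not from the thread): check the port-4 interconnect and
static routes from the posts above, then show why a still-configured BOVPN
captures the traffic before the static route is ever consulted."""
from ipaddress import ip_address, ip_interface, ip_network


def same_link(iface_a, iface_b):
    """The two ends of the private link must share one subnet."""
    return ip_interface(iface_a).network == ip_interface(iface_b).network


def gateway_problems(local_ifaces, routes):
    """Return (destination, problem) for every static route whose gateway is
    not a usable next hop: it must lie in a directly connected subnet and
    must not be one of this firewall's own addresses."""
    own = {ip_interface(i).ip for i in local_ifaces.values()}
    connected = [ip_interface(i).network for i in local_ifaces.values()]
    problems = []
    for dest, gw in routes:
        gw_ip = ip_address(gw)
        if gw_ip in own:
            problems.append((dest, "gateway is the firewall's own address"))
        elif not any(gw_ip in net for net in connected):
            problems.append((dest, "gateway not on any connected subnet"))
    return problems


def next_hop(packet_dst, local_ifaces, routes, bovpn_selectors=()):
    """Forwarding decision: a matching BOVPN tunnel route wins outright
    (the thread's point), otherwise longest-prefix match over connected
    subnets and static routes."""
    dst = ip_address(packet_dst)
    for sel in bovpn_selectors:
        if dst in ip_network(sel):
            return ("bovpn", sel)
    best = None
    for name, iface in local_ifaces.items():
        net = ip_interface(iface).network
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, "direct", name)
    for dest, gw in routes:
        net = ip_network(dest)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, "static", gw)
    return best[1:] if best else ("drop", None)


# Original configuration from the question (trusted address 10.1.10.1 assumed).
ORIG_SPOKANE = {"trusted": "10.1.10.1/24", "port4": "192.168.254.14/24"}
ORIG_SPOKANE_ROUTES = [("192.168.253.0/24", "192.168.254.14"),
                       ("192.168.254.0/24", "192.168.254.14")]
ORIG_YAKIMA_PORT4 = "10.1.10.14/24"

# Corrected configuration from the answer. Yakima's second trusted subnet
# still needs a route, now via the remote port-4 address rather than a local one.
FIXED_SPOKANE = {"trusted": "10.1.10.1/24", "port4": "192.168.252.14/24"}
FIXED_SPOKANE_ROUTES = [("192.168.253.0/24", "192.168.252.15"),
                        ("192.168.254.0/24", "192.168.252.15")]
FIXED_YAKIMA_PORT4 = "192.168.252.15/24"

# BOVPN tunnel route still present in the configuration (disabled gateway or not).
BOVPN_SELECTORS = ("192.168.253.0/24", "192.168.254.0/24")

if __name__ == "__main__":
    print("original link shared:", same_link(ORIG_SPOKANE["port4"], ORIG_YAKIMA_PORT4))
    print("original route problems:", gateway_problems(ORIG_SPOKANE, ORIG_SPOKANE_ROUTES))
    print("fixed link shared:", same_link(FIXED_SPOKANE["port4"], FIXED_YAKIMA_PORT4))
    print("fixed route problems:", gateway_problems(FIXED_SPOKANE, FIXED_SPOKANE_ROUTES))
    print("with BOVPN still configured:",
          next_hop("192.168.253.10", FIXED_SPOKANE, FIXED_SPOKANE_ROUTES, BOVPN_SELECTORS))
    print("after BOVPN removed:",
          next_hop("192.168.253.10", FIXED_SPOKANE, FIXED_SPOKANE_ROUTES))
```

Running it shows the original port-4 addresses are not on a common subnet and every original gateway is the local firewall's own address, so nothing can actually be forwarded; the corrected addressing passes both checks, and the last two lines show the same packet going into the tunnel while the BOVPN exists and only taking the static route once it is gone.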
Got it set up exactly as you have it.
Disabled the BOVPN's currently running between the sites.
I can see traffic moving back and forth over the PrivateWAN, yet the client reports it not working. They cannot see file shares, phones will not connect and they cannot RDP to a server on the opposite side. Even though I can see the outgoing 3389 RDP traffic passing over and the corresponding incoming 3389 on the other side, they report it doesn't connect?
I have a Policy in place:
Type - Any
From - Any-Trusted, Private WAN
To - Private WAN, Any-Trusted
Port - Any
Logging only, no services, just to monitor the traffic.
What do you see in Traffic Monitor on each site when a test RDP is tried to a device at the other site?
Can I send you this as a private message with a couple of screenshots from the logs? Would rather not have them fully displayed publicly.
In the logs, it shows the BOVPN coming up.
To really use this, you need to have the BOVPN removed.
Or set up the BOVPN as the failover path.
Configure a Branch Office VPN for Failover from a Leased Line
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/vpn_failover_from_leased_line_overview_c.html
The BOVPN will always be tried for packets matching the BOVPN settings unless the above method is set up.
And inconsistent results will happen when there are 2 paths that packets can take.
Do you think the BOVPN needs to be completely removed from the configuration?
So far I have just been disabling the BOVPN gateway on each side so that it doesn't try and connect.
That was it! Thank you very much.
Deleted the BOVPN setup instead of just Disabling it and everything kicked on and started working. Even had to remove very old BOVPN settings to a long gone site/subnet that wasn't involved in routing in any way!