BovpnVif goes one way
Hello,
I have two Fireboxes connected via BovpnVIF. Firebox 1 has network 192.168.21.0/24 with physical interface IP 192.168.21.100; Firebox 2 has 192.168.61.0/24 with 192.168.61.100 accordingly. While everything works fine from behind both Fireboxes, I can ping 192.168.21.100 from the Firebox 2 diagnostic tab, but cannot do the same from Firebox 1. I can see the pings on Firebox 2 but they never come back. Can somebody suggest where to look?
thanks
Comments
You can select the firewall interface to use in the Diagnostic Tasks via the Advanced Options.
On Firebox1, try this for the Arguments:
-I eth1 192.168.61.100
where eth1 is the local trusted interface
Now I need to create a proxy on Firebox1 to go through Firebox2. Is it possible via BovpnVif?
Thanks
Please explain what you want the proxy to do.
Thanks
You have an IPS server Firebox1 and you want that server to get updates to it via a connection to Firebox2 ?
If so, where are the IPS updates for that server coming from? The Internet?
Firebox 2 is connected to the internet and can update IPS from the WatchGuard server. Firebox 1 cannot be connected to the internet, but I do not want all traffic to go through Firebox 2.
So you need to route traffic from Firewall1 to services.watchguard.com via Firebox2.
Does Firewall1 have an External interface?
If so, I expect that it will be set up as the default route, which will then be used to try to download the IPS updates.
Option 1:
have a BOVPN which routes all traffic over the BOVPN - a default route BOVPN.
Then at Firewall2, you could deny unwanted traffic from the Firewall1 site.
Option 2:
services.watchguard.com is hosted on azure.
For me, it is hosted here: wgservices.westus.cloudapp.azure.com, which seems to have a non-changing or not often changing IP addr.
You could set up a route to that IP addr with a Gateway of 192.168.61.100.
I have no idea how often the azure IP addr changes.
You can open a support case to see if anyone at WG can come up with a better option. They can look at your Firewall1 config, and may see other options.
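Option 2 pins a static route to whatever IP address the update hostname resolves to today, and the poster is right that nobody knows how often that Azure address changes. Below is an added example (my own, not from this thread or from WatchGuard) of a small audit script a defender can run from a host that has DNS: it resolves the update hostnames named above, compares the result with the static routes you have configured towards the BOVPN gateway 192.168.61.100, and reports addresses that have no BOVPN route (updates would silently fall back to Firewall1's default route) and routes that point at addresses the names no longer use. The route table in the script is a constructed placeholder; you would fill it in from your own Firebox 1 configuration, and the 203.0.113.x addresses in the demo are documentation-range test values, not real WatchGuard addresses.

```python
"""Audit static routes pinned to the WatchGuard update hostnames.

Added example, not code from the forum thread or from WatchGuard.
Hostnames and the BOVPN gateway come from the thread; everything else
(the route table, the sample addresses) is constructed for illustration.
"""
import socket
from typing import Callable, Dict, Iterable, List

# Hostnames mentioned in the thread.
UPDATE_HOSTS = ["services.watchguard.com", "wgservices.westus.cloudapp.azure.com"]
# Firebox 2 trusted interface, used as the gateway of the static route (from the thread).
BOVPN_GATEWAY = "192.168.61.100"

# Constructed placeholder: destination IP -> gateway, as configured on Firebox 1.
# Replace with the static routes actually present in your own config.
EXAMPLE_STATIC_ROUTES: Dict[str, str] = {
    "203.0.113.10": BOVPN_GATEWAY,   # constructed: route added when the name resolved to this
    "203.0.113.99": BOVPN_GATEWAY,   # constructed: an old address the name no longer uses
}

Resolver = Callable[[str], List[str]]


def resolve_ipv4(host: str) -> List[str]:
    """Default resolver: every IPv4 address the host currently resolves to."""
    infos = socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def audit_static_routes(
    static_routes: Dict[str, str],
    hosts: Iterable[str],
    resolver: Resolver = resolve_ipv4,
) -> Dict[str, List[str]]:
    """Compare resolved addresses against routes that point at the BOVPN gateway.

    Returns three lists:
      missing    - addresses the hosts resolve to that have no BOVPN route,
                   so traffic to them would follow Firewall1's default route;
      stale      - BOVPN routes whose destination no host resolves to any more;
      unresolved - hosts that could not be resolved at all.
    """
    resolved = set()
    unresolved: List[str] = []
    for host in hosts:
        try:
            resolved.update(resolver(host))
        except OSError:
            unresolved.append(host)

    pinned = {dst for dst, gw in static_routes.items() if gw == BOVPN_GATEWAY}
    return {
        "missing": sorted(resolved - pinned),
        "stale": sorted(pinned - resolved),
        "unresolved": sorted(unresolved),
    }


def route_table_is_current(report: Dict[str, List[str]]) -> bool:
    """True only when every resolved address is routed and no route is stale."""
    return not report["missing"] and not report["stale"] and not report["unresolved"]


if __name__ == "__main__":
    # Live run: needs DNS. Exit status 1 when the pinned routes drifted.
    import sys
    result = audit_static_routes(EXAMPLE_STATIC_ROUTES, UPDATE_HOSTS)
    for key, values in result.items():
        print(f"{key}: {', '.join(values) if values else '-'}")
    sys.exit(0 if route_table_is_current(result) else 1)
```

Run it from cron on any box with working DNS and alert when it exits non-zero; that turns "I have no idea how often the azure IP addr changes" into something you find out before the IPS updates on Firebox 1 quietly stop arriving. The resolver is injectable so the logic can be exercised without network access.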
Thanks
Q. Explain how to tell Firebox 1 to go to wgservices.westus.cloudapp.azure.com via BovpnVif
A. By routing
If you have multiple WANs, then SD-WAN can be used to select the WAN that selected traffic will use. So yes, this could work.
Do you have multiple WANs?
If so, what does each WAN connect to?
Note: it is hard to answer questions such as your recent one without a good understanding of the connectivity of your firewall.