
Route entry does not seem to work

I am trying to access another network from a BOVPN. But when doing a trace it just goes out the WAN interface on my Main Firewall. I have another firewall at the Home Office and I am trying to route packets to it. It's like the BOVPN does not use the routes on the Office Firewall. So Site A sends a packet to this other network. It goes over the BOVPN to the Main Firewall. From there I want to go to the other firewall that's on the same LAN as the Main Firewall. But instead it goes out the WAN interface. I believe it has to do with how the BOVPN is set up in the Policies. Site A can ping the firewall I am trying to route to.

Comments

  •
    edited October 2022

    A virtual BOVPN works with routes.
    A standard BOVPN works with settings on the Tunnel setup.
    For a standard BOVPN, you need to have entries for all subnets that you want to reach at the other end of the BOVPN on the Tunnel setup. The other end needs matching entries.

    If you have a daisy chain of firewalls, the BOVPN Tunnel settings at each of the locations need to have all of the subnets involved that need to go via the BOVPN connections.

  •

    Not sure what a virtual BOVPN is.
    On the tunnel setup at Site A it's configured as follows:
    Local Network - Bi-directional - Any IPv4
    Wouldn't that cover it? Basically the VPN is set up to send all traffic over the tunnel. The Main Firewall then receives it and just sends it out the WAN.
    The tunnel policy was created automatically so I can't change it.
    Are you suggesting creating a custom BOVPN policy?

  •

    Does the Network Route that is on the Main Firewall point to the other firewall's external interface IP addr in the Gateway addr field?
    Does the Network Route have the subnet behind that firewall in the Route To field?

  •

    Here is a rough diagram. There are reasons why I am using the SonicWall for the VPN instead of the Main Firewall to make the connection to the 3rd Party Firewall. VPN is up. Configured Workstation to use x.x.210.10 as GW and it's able to ping 25.25.61.130 for testing to verify VPN is working.

  •

    Just to verify - x.x.210.90 with a gateway of x.x.210.02, a ping/tracert to 25.25.61.130 goes out to the Internet, correct?

    I can't think of any reason that the Network Route is not working, other than a typo.

    You can review the Routes on the firewall in Firebox System Manager -> Status Report, or in the Web UI -> System Status -> Routes

    For the record, what firewall model is Main Firewall, and what Fireware version is it running?
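Added example, not from the thread or from WatchGuard: the "other than a typo" suggestion above can be checked mechanically against the table shown under System Status -> Routes. The route table below is constructed (the thread masks the first two octets as x.x; 10.0 stands in for them), the interface names eth0/eth1/bovpn are assumed labels, and the SonicWall is assumed to be the x.x.210.10 gateway the workstation test used. The code does a longest-prefix lookup for a destination and flags any static route whose gateway is not inside a directly connected subnet, which is the usual way a mistyped route silently does nothing. As the thread later finds, a route can pass this check and still not be applied to tunnel traffic; that is a tunnel-route and policy question this table inspection cannot answer.

```python
"""Resolve which route a Firebox-style route table picks for a destination,
and sanity-check each static route's gateway.  The table is constructed;
10.0 stands in for the x.x the thread masks out."""
import ipaddress

# Constructed routes in the spirit of Web UI -> System Status -> Routes.
# gateway None means a directly connected subnet.
ROUTES = [
    # (destination,     gateway,        interface)
    ("0.0.0.0/0",       "10.0.1.1",     "eth0"),   # default route out the WAN
    ("10.0.1.0/24",     None,           "eth0"),   # external subnet (assumed)
    ("10.0.210.0/24",   None,           "eth1"),   # trusted LAN, SonicWall lives here
    ("10.0.222.0/24",   None,           "bovpn"),  # Site A subnet behind the BOVPN
    ("25.25.61.0/24",   "10.0.210.10",  "eth1"),   # static route toward the SonicWall
]


def lookup(dest, routes=ROUTES):
    """Longest-prefix match: the most specific route whose destination
    contains dest wins.  Returns (network, gateway, interface) or None."""
    ip = ipaddress.ip_address(dest)
    best = None
    for net, gw, iface in routes:
        n = ipaddress.ip_network(net)
        if ip in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw, iface)
    return best


def next_hop(dest, routes=ROUTES):
    """Where a packet for dest is sent: (gateway or 'direct', interface)."""
    hit = lookup(dest, routes)
    if hit is None:
        return None
    _, gw, iface = hit
    return (gw or "direct", iface)


def gateway_on_link(gw, routes=ROUTES):
    """A static route's gateway must sit inside a directly connected subnet;
    otherwise the firewall cannot reach it and the route never takes effect."""
    g = ipaddress.ip_address(gw)
    return any(r_gw is None and g in ipaddress.ip_network(net)
               for net, r_gw, _ in routes)


def check_routes(routes=ROUTES):
    """Describe every static route whose gateway is off-link (a likely typo)."""
    return [f"{net} via {gw}: gateway is not on any connected subnet"
            for net, gw, _ in routes
            if gw is not None and not gateway_on_link(gw, routes)]


if __name__ == "__main__":
    print("25.25.61.130 ->", next_hop("25.25.61.130"))   # via 10.0.210.10 on eth1
    print("8.8.8.8      ->", next_hop("8.8.8.8"))        # default route on eth0
    print("problems:", check_routes() or "none")
    # A mistyped gateway (201 instead of 210) is caught:
    typo = ROUTES[:-1] + [("25.25.61.0/24", "10.0.201.10", "eth1")]
    print("problems with typo:", check_routes(typo))
```

Paste the real table's entries into ROUTES (with the gateway set to None for the connected subnets) and run it against the destination that misbehaves; if lookup picks the default route or check_routes reports the static route, the table itself is the problem.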

  •

    I can't say about the 210.90 going straight out to the internet. I want to say no on that. Before using a VPN to the 3rd Party Firewall we were using a T1. It had an address of x.x.210.9 and it worked for everyone. I had a route in the Main Firewall to use that as the gateway for 25.25.61.130, and everything was working. The T1 went down so I tried switching to VPN. Changed the route on the firewall but it still wouldn't work. Maybe the problem is on the SonicWall. Although I can ping the SonicWall from x.x.222.10. Just not sure why routing is not working for the .130 server.
    Main Firewall is an M370 and Site A is a T70. All updated to latest.
    Thanks for your help, by the way.

  •

    Do have a test made from x.x.210.90, or something on the x.x.210.xx subnet with a gateway of x.x.210.02, to 25.25.61.130 to see where it goes - out to the Internet or to the SonicWall.
    If it goes to the SonicWall, then the Network Route is working on Main Firewall.
    If not, then it isn't.

    If the Network Route is working, my only other thought is that somehow the SonicWall is redirecting the packets from x.x.222.10 to the Internet.
    To verify this, you can do packet captures on the Main Firewall using tcpdump.
    Using the Advanced settings you can specify an IP addr to capture and the interface.
    For Firebox System Manager:
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/fsm/log_message_learn_more_wsm.html
    You can also do this from the Web UI.
    Examples of tcpdump parameters, here:
    https://danielmiessler.com/study/tcpdump/
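Added example, not from the thread or from WatchGuard: once you have the per-interface captures the post above describes (one tcpdump run per interface, filtered on the .130 host), the question is simply which interface the packets for 25.25.61.130 were seen leaving on. The script below parses tcpdump -n lines and groups the sources by interface; the capture lines are constructed to mirror what the thread later reports (local host's pings leave on the trusted interface toward the SonicWall, the BOVPN host's pings leave on the external interface). Interface names eth0 (external) and eth1 (trusted) are assumed labels, and 10.0 stands in for the masked x.x. One caveat: if dynamic NAT applies on the external interface, the WAN-side capture shows the firewall's external address as the source rather than x.x.222.10, so the verdict should rest on the destination appearing on the WAN interface at all, not on which source it carries.

```python
"""Sort tcpdump -n lines by capture interface to see which way packets for a
destination left the firewall.  Capture lines are constructed."""
import re
from collections import defaultdict

# One tcpdump -n line: optional "<iface> In|Out" prefix (printed by newer
# tcpdump builds when run with "-i any"), then "IP <src> > <dst>:".
# Ports, if any, are glued to the address with a dot, e.g. 10.0.222.10.51234.
LINE_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+\s+"
    r"(?:(?P<iface>\S+)\s+(?P<dir>In|Out)\s+)?"
    r"IP\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):"
)


def strip_port(endpoint):
    """Drop the trailing '.port' that tcpdump appends to TCP/UDP endpoints."""
    parts = endpoint.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else endpoint


def parse(lines, iface):
    """Yield (iface, direction, src, dst) for each line that parses.
    iface is the interface the capture was taken on; a per-line interface
    name in the capture text (the "-i any" form) overrides it."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield (m.group("iface") or iface, m.group("dir") or "?",
                   strip_port(m.group("src")), strip_port(m.group("dst")))


def seen_on(captures, dst):
    """Map interface -> sorted source addresses whose packets to dst were seen
    there.  captures: {interface: [tcpdump lines]}.  Lines marked 'In' are
    skipped so hairpinned traffic (in and out the same port) is not counted
    twice; per-interface captures without a direction are counted as seen."""
    out = defaultdict(set)
    for iface, lines in captures.items():
        for i, direction, src, d in parse(lines, iface):
            if d == dst and direction != "In":
                out[i].add(src)
    return {i: sorted(s) for i, s in out.items()}


def route_bypassed(captures, dst, wan_iface):
    """True if any packet for dst appeared on the WAN interface, i.e. the
    static route toward the internal next hop was not applied to it."""
    return wan_iface in seen_on(captures, dst)


# Constructed captures mirroring the thread's result.  eth0 = external,
# eth1 = trusted (where the SonicWall sits).
CAPTURES = {
    "eth1": [
        "10:01:02.000001 IP 10.0.210.90 > 25.25.61.130: ICMP echo request, id 7, seq 1, length 64",
        "10:01:02.004321 IP 25.25.61.130 > 10.0.210.90: ICMP echo reply, id 7, seq 1, length 64",
    ],
    "eth0": [
        "10:01:05.000001 IP 10.0.222.10 > 25.25.61.130: ICMP echo request, id 9, seq 1, length 64",
        "10:01:05.100002 IP 10.0.222.10.51234 > 25.25.61.130.80: Flags [S], seq 1, win 64240, length 0",
    ],
}

if __name__ == "__main__":
    for iface, sources in seen_on(CAPTURES, "25.25.61.130").items():
        print(f"{iface}: traffic for 25.25.61.130 from {', '.join(sources)}")
    print("route bypassed on WAN:", route_bypassed(CAPTURES, "25.25.61.130", "eth0"))
```

Feed it the real capture text (one list per interface, or a single "any" entry when the lines carry their own interface name) and the interface you consider the WAN; a True from route_bypassed tells you which sources the route is being ignored for, which is the evidence a support case wants attached.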

  •

    In your diagram, you have 2 devices shown as "Workstation".

    In this statement - "Configured Workstation to use x.x.210.10 as GW and it's able to ping 25.25.61.130 for testing to verify VPN is working." - which device is this? x.x.222.10?
    If x.x.222.10, then clearly the SonicWall is not redirecting the packets from x.x.222.10 to the Internet.
    Which suggests an issue with the Network Route.

  •

    New testing.
    I can confirm that x.x.210.90 is sending the pings to the SonicWall firewall and they are working.

    x.x.222.10 sends it through the WAN on my Main Firewall. It does not get routed over to the SonicWall. But it's able to ping the SonicWall just fine.

    Any machine on the x.x.210.x network is able to ping .130. So routing is working locally but not for any of the BOVPN. Seems like routing is ignored.

  •

    Time for a support case on this

  •

    I think so
