Route Internet Traffic from 1 VLAN (subnet) at site B via site A

We have 1 current Watchguard Firebox at site A and 1 current Watchguard Firebox at site B.
Both sites have multiple VLANs that are assigned IP addresses by the Firebox via VLAN interfaces using DHCP.

We would like to route all traffic to the Internet via site A for a VLAN at site B.

Currently there is a tunnel via BOVPN Virtual Interface between both Fireboxes.
We tried to implement the routing via a policy using SD-WAN, but unfortunately it did not work - possibly a thinking error during configuration.

Can this requirement be solved at all with the two Fireboxes without an additional router? If yes, how would you configure this?

Any help would be really appreciated.

Regards,
Daniel

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi Daniel,

    You can do this via a zero route on the VPN tunnels.

    If you're not doing this for all of your VLANs, I would suggest using a standard BOVPN (Branch Office VPN) gateway/tunnel pair, vice a BOVPN Virtual Interface.
    The standard tunnel pair forces you to make a route for each network, but because of this allows you to control the route for each one (meaning you can select the ones you want to zero route across the tunnel.)

    See:
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/vpn_default_route_c.html

    -James Carson
    WatchGuard Customer Support

  • Hi James.

    Thank you very much for your suggestion. We will test that today.
    In the concrete case only the routing of a single VLAN is needed.

    Out of curiosity, would this also be solvable with a BOVPN Virtual Interface and Policy with SD-WAN configured?

    Best regards,
    Daniel

  • james.carson Moderator, WatchGuard Representative

    Hi Daniel,

    Thanks for the reply.

    As far as I'm aware, you'll need to make the zero route.

    If you're trying to send site A through site B's firewall, site A doesn't know there's an SD-WAN policy on firewall B's BOVPN rules. The zero route on site A's VPN route tells the firewall to send EVERYTHING across the tunnel.

    -James Carson
    WatchGuard Customer Support

  • I don't believe that you can have a zero route BOVPN using a BOVPN Virtual Interface setup.

  • Hello all.

    The suggestion from James works well so far - thank you:

    Side B (VLAN 2) sends all data via side A:
    BOVPN and tunnel #1 with null route as suggested by James.

    Furthermore, on side B, VLAN 1 (or rather its subnet) is routed to another subnet on side A:
    Tunnel #2 with the two subnets cross configured on both sides.

    What makes me a bit suspicious is that the bandwidth is limited:
    [SUM] 0.00-10.04 sec 150 MBytes 126 Mbits/sec sender
    Side A is on the network with 10gbit symmetric, side B with 1gbit symmetric.
    We have a similar phenomenon on the SSLVPN. Could this be due to the non-configurable buffer size?

    What also still confuses me is BOVPN Virtual Interface. Everyone always talks about the high flexibility of the solution, due to Policy Based Routing (new via SD-WAN), which seems logical at first glance. Unfortunately, I have no experience with Policy Based Routing or SD-WAN at Watchguard, so I still do not fully understand why my requirement from the very beginning cannot be implemented with it:
    Once the BOVPNVif tunnel A-B is in place, you could build a policy in which the tunnel is configured at site B FROM: any TO: BOVPNVif. With the SD-WAN action one would then give a new SD-WAN interface, which has exactly one interface configured: namely the BOVPNVif created at the beginning.

    I found out that it does not work, but why not? :D
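The two-tunnel layout described in the post above (tunnel #1 as a zero route for the VLAN 2 subnet, tunnel #2 pairing the VLAN 1 subnet with one subnet at site A) can be checked as a small model. The code below is an added example, not Firebox configuration or WatchGuard code; it assumes a simplified view of BOVPN tunnel routes as local/remote prefix pairs where the most specific remote prefix wins, and all addresses are constructed placeholders. It only models site B's choice of tunnel; the matching return routes and outbound NAT at site A are assumed to be configured separately.

```python
"""Model which BOVPN tunnel route at site B a packet would take.

Added example, not Firebox code. Assumption: a tunnel route is a
(local, remote) prefix pair; a packet matches when its source is in
`local` and its destination is in `remote`, and the most specific
`remote` prefix wins. All prefixes are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class TunnelRoute:
    name: str
    local: IPv4Network   # source subnet at site B covered by this tunnel route
    remote: IPv4Network  # destinations reachable through the tunnel


# Constructed layout mirroring the thread:
#   tunnel #1: VLAN 2 subnet -> 0.0.0.0/0 (zero route, everything via site A)
#   tunnel #2: VLAN 1 subnet -> one subnet at site A
SITE_B_ROUTES: List[TunnelRoute] = [
    TunnelRoute("tunnel1-zero-route",
                ip_network("10.2.2.0/24"), ip_network("0.0.0.0/0")),
    TunnelRoute("tunnel2-vlan1-to-siteA",
                ip_network("10.2.1.0/24"), ip_network("10.1.5.0/24")),
]


def select_tunnel(src: str, dst: str,
                  routes: List[TunnelRoute] = SITE_B_ROUTES) -> Optional[str]:
    """Return the tunnel route name a packet would use, or None when no
    tunnel route matches (the packet then follows site B's normal routing
    table and leaves via site B's own WAN)."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    candidates = [r for r in routes
                  if src_ip in r.local and dst_ip in r.remote]
    if not candidates:
        return None
    # Longest-prefix match on the remote side decides between overlaps.
    best = max(candidates, key=lambda r: r.remote.prefixlen)
    return best.name


def audit_zero_routes(routes: List[TunnelRoute]) -> List[str]:
    """List tunnel routes whose remote side is 0.0.0.0/0, so an admin can
    confirm the default route is bound only to the intended local subnet
    and does not silently pull other VLANs across the tunnel."""
    return [r.name for r in routes if r.remote.prefixlen == 0]


if __name__ == "__main__":
    # Constructed sample flows (203.0.113.0/24 is documentation space).
    for src, dst in [("10.2.2.10", "203.0.113.5"),   # VLAN 2 -> internet
                     ("10.2.1.10", "203.0.113.5"),   # VLAN 1 -> internet
                     ("10.2.1.10", "10.1.5.20"),     # VLAN 1 -> site A subnet
                     ("10.2.2.10", "10.1.5.20")]:    # VLAN 2 -> site A subnet
        print(f"{src} -> {dst}: {select_tunnel(src, dst) or 'local WAN'}")
    print("zero routes:", audit_zero_routes(SITE_B_ROUTES))
```

Running it shows VLAN 2 traffic always taking tunnel #1, VLAN 1 internet traffic staying on site B's own WAN, and only the intended route carrying a 0.0.0.0/0 remote side.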

  • james.carson Moderator, WatchGuard Representative

    @daniel_maier As far as I'm aware, VIFs can work if you make them symmetric. I'll see if the docs team can make an example scenario where the VIF would work. Under most circumstances, a standard gateway/tunnel pair are going to be the most flexible for this kind of thing. (You can actually still apply SD-WAN policies to the traffic that arrives at the destination firewall via either method.)

    The bandwidth issue could be quite a few factors. I'd suggest starting by using a tool between your two sites that can measure bandwidth (both across the tunnel, and from point to point without the tunnel.) iperf is a good free choice (just be aware it reports in Mbit/s and not Mb/s.)

    https://www.techtarget.com/searchnetworking/definition/Mbps

    It may also come down to protocol, latency, tunnel settings (higher DH settings, for example, can drastically slow transfers but offer higher security.)

    If you'd like, our team can help look into it via a support ticket if that's helpful (you can open one via the support center link at the top right of this page.)

    -James Carson
    WatchGuard Customer Support

  • @daniel_maier

    re. - I found out that it does not work, but why not?

    For your virtual interface setup, I think that you would specify the interface name in the SD-WAN setting on your policy, not in the To: field.
    The To: field should include the destination subnet(s) etc. - but in this case I think that it would be "Any", as you want all packets to go via the interface in the SD-WAN setting.

    If my thinking is wrong, I'm sure that James will correct me.

  • edited December 2022

    @Bruce_Briggs said:
    @daniel_maier

    re. - I found out that it does not work, but why not?

    For your virtual interface setup, I think that you would specify the interface name in the SD-WAN setting on your policy, not in the To: field.
    The To: field should include the destination subnet(s) etc. - but in this case I think that it would be "Any", as you want all packets to go via the interface in the SD-WAN setting.

    If my thinking is wrong, I'm sure that James will correct me.

    Of course that was nonsense I wrote there...it was already late in Germany :-)

    The configuration of the policy with the BOVPNVif of course looked like this:

    From: VLAN2 or Network IPv4 To: Any
    In the SD-WAN action I configured an interface, namely the existing BOVPNVif tunnel.

  • @james.carson said:
    @daniel_maier As far as I'm aware, VIFs can work if you make them symmetric. I'll see if the docs team can make an example scenario where the VIF would work. Under most circumstances, a standard gateway/tunnel pair are going to be the most flexible for this kind of thing. (You can actually still apply SD-WAN policies to the traffic that arrives at the destination firewall via either method.)

    The bandwidth issue could be quite a few factors. I'd suggest starting by using a tool between your two sites that can measure bandwidth (both across the tunnel, and from point to point without the tunnel.) iperf is a good free choice (just be aware it reports in Mbit/s and not Mb/s.)

    https://www.techtarget.com/searchnetworking/definition/Mbps

    It may also come down to protocol, latency, tunnel settings (higher DH settings, for example, can drastically slow transfers but offer higher security.)

    If you'd like, our team can help look into it via a support ticket if that's helpful (you can open one via the support center link at the top right of this page.)

    I made the measurements with iPerf :-)
    I will experiment over the next few days with the BOVPN settings you mentioned. Possibly the performance improves. If not, I'll open a ticket.

    Regardless, an example scenario with BOVPN Virtual Interface would of course be very exciting.
