multi wan setup question
Hello. M270 + Fireware 12.9 + mixed routing + multi-WAN with failover. No VLAN.
One of the externals is 1-to-1 NATted to an IP block on a trusted interface for internet servers.
I want to get rid of the policies that keep traffic for the servers inside the Firebox to the NATted IPs, so I can do things like traceroute, iperf, etc. between the external IPs over the internet.
Making a rule internal-home to external-home (or any-external/SD-WAN with external-home first) with NAT checked off in the policy doesn't get the desired result. It's not sending traffic for the external IPs on the other NICs to the internet like I want.
Is there a KB for that?
Comments
Use SNAT on incoming policies instead of using 1-to-1 NAT.
Then remove the 1-to-1 NAT entries.
Note that for SMTP servers, on your outgoing SMTP policy from the SMTP server, you need to set the Advanced DNAT IP address to the desired public IP address, so that the outgoing SMTP matches your MX record.
Thanks for the suggestion.
Moved from 1-to-1 NAT to SNAT without issue, but I still can't separate them into two isolated networks.
Logging is set to info.
Best I can do is make rules to get the traffic out on the right external (or so the log says), but nothing after that. No ping, no log.
Please explain: No ping, no log.
Ping out from internal1 via external1, bound for an IP on external2.
I see in the Firebox log that the traffic went to external1.
It doesn't seem the traffic is coming back. There's no log prompting me what to do next.
You can do packet captures on a firewall interface using TCP Dump, which should at least indicate whether the pings are being received on external2, which I expect is so.
TCP Dump from WSM
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/fsm/log_message_learn_more_wsm.html
From the Web UI
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/WG-Cloud/Devices/managed/fireware_webui_diagnostics_network.html
You can open a support case to get WG help in understanding why this does not work as you hope.
Could be related to the routing table entries, which include IP addresses/subnets for both external interfaces.
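The capture advice above leaves the reader to compare two tcpdump outputs by eye. As an added example (not from the thread, not WatchGuard code), the script below reads the text tcpdump prints for ICMP echo traffic on each external interface and reports where the ping stopped: never sent on the egress interface, never received on the ingress interface, received but never answered, or answered but the reply never came back on the egress side. The interface names (eth0 as external1, eth1 as external2), the addresses 203.0.113.10 and 198.51.100.20, and the capture lines themselves are constructed for the demonstration; the sample shows the case the poster describes, requests leaving external1 and arriving on external2 with no reply.

```python
import re

# Constructed sample captures, one per Firebox external interface, in the
# one-line-per-packet format tcpdump prints for ICMP echo traffic.
# eth0 plays external1 (egress), eth1 plays external2 (ingress).
SAMPLE_CAPTURES = {
    "eth0": """\
10:01:02.000001 IP 203.0.113.10 > 198.51.100.20: ICMP echo request, id 7, seq 1, length 64
10:01:03.000001 IP 203.0.113.10 > 198.51.100.20: ICMP echo request, id 7, seq 2, length 64
""",
    "eth1": """\
10:01:02.012345 IP 203.0.113.10 > 198.51.100.20: ICMP echo request, id 7, seq 1, length 64
10:01:03.012345 IP 203.0.113.10 > 198.51.100.20: ICMP echo request, id 7, seq 2, length 64
""",
}

ICMP_RE = re.compile(
    r"^\S+ IP (\S+) > (\S+): ICMP echo (request|reply), id (\d+), seq (\d+)"
)


def parse_icmp(text):
    """Yield (src, dst, kind, id, seq) for every ICMP echo line in a tcpdump text dump."""
    for line in text.splitlines():
        m = ICMP_RE.match(line)
        if m:
            src, dst, kind, ident, seq = m.groups()
            yield src, dst, kind, int(ident), int(seq)


def summarize(captures, src_ip, dst_ip, ident):
    """Per interface, the echo sequence numbers seen going to dst_ip and the
    replies seen coming back from it, restricted to one ping id so that
    unrelated ICMP on the wire does not pollute the result."""
    summary = {}
    for iface, text in captures.items():
        requests, replies = set(), set()
        for s, d, kind, i, seq in parse_icmp(text):
            if i != ident:
                continue
            if kind == "request" and s == src_ip and d == dst_ip:
                requests.add(seq)
            elif kind == "reply" and s == dst_ip and d == src_ip:
                replies.add(seq)
        summary[iface] = {"requests": sorted(requests), "replies": sorted(replies)}
    return summary


def diagnose(summary, egress_iface, ingress_iface):
    """Locate the first hop at which the ping disappears.

    not_sent            no request left the egress interface (policy/route problem)
    not_received        requests left but never reached the ingress interface (upstream path)
    no_reply            requests arrived but the ingress side never answered
    reply_not_returned  replies were sent but never came back on the egress side
    ok                  a full request/reply pair crossed both interfaces
    """
    out, inn = summary[egress_iface], summary[ingress_iface]
    if not out["requests"]:
        return "not_sent"
    if not inn["requests"]:
        return "not_received"
    if not inn["replies"]:
        return "no_reply"
    if not out["replies"]:
        return "reply_not_returned"
    return "ok"


if __name__ == "__main__":
    s = summarize(SAMPLE_CAPTURES, "203.0.113.10", "198.51.100.20", ident=7)
    for iface, counts in s.items():
        print(iface, counts)
    print("verdict:", diagnose(s, egress_iface="eth0", ingress_iface="eth1"))
```

Run tcpdump on each external interface with a filter such as `icmp and host 198.51.100.20`, save the text, and feed both dumps in. The id field lets you match the capture to the one ping session you launched; the verdict tells you whether to look at the outgoing policy, the ISP path, the inbound policy on external2, or the return route.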