VPN site-to-site tunnel: route internet traffic

Hello,

We have set up a VPN site-to-site connection to an external company.
All is working so far, but we want the traffic from the internal servers to be routed by our gateway and not via the gateway of the external branch.

For the VPN tunnel we use a 1:1 NAT setting for 4 internal servers, which are routed through the VPN tunnel to the external gateway.
So all traffic from the internal servers is routed through the external gateway.

Do you know how I can modify the VPN policy so that the internet traffic for the 4 internal servers is routed by our firewall and not via the gateway of the VPN site firewall?

Thanks and regards,

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @yoface

    The article here goes over how to set a zero route for those VPNs so your internet bound traffic traverses the VPN:

    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/vpn_default_route_c.html

    -James Carson
    WatchGuard Customer Support

  • @james.carson said:
    Hi @yoface

    The article here goes over how to set a zero route for those VPNs so your internet bound traffic traverses the VPN:

    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/vpn_default_route_c.html

    Hi James,

    Thanks for your help! I have one question regarding the dynamic NAT. In our VPN policy we have configured a 1:1 NAT for each server to the remote gateway.

    Do I need to change the 1:1 NAT to dynamic NAT to get the traffic routed by our firebox?

    Thanks!

  • Is this a standard (not virtual interface) BOVPN ?
    If so, what is your current Local & Remote entries on the Tunnel setup?

    What needs to be accessed from your end by the remote end besides the 4 servers?

    Note that if these servers are being accessed from the Internet, then after this change, they would end up being accessed by a public IP addr from your site.

  • Curious, why do you need a 1:1 NAT at all? Why not just limit what resources can be accessed within your trusted network with Phase 2?

  • james.carson Moderator, WatchGuard Representative

    @yoface
    The dynamic NAT is just so the firewall will properly handle traffic coming from the BOVPN. No change should be needed for your 1:1 unless you're using that to somehow send traffic across the tunnel.

    -James Carson
    WatchGuard Customer Support

  • edited May 2022

    The 1:1 NAT is needed because the opposite side already uses that private IP range, so we had to rewrite the IPs of the servers to another range via NAT so the other side can handle the traffic.

    From the opposite side it is only allowed to make RDP connections to the internal servers via the VPN tunnel.

    I tested the outgoing traffic from our servers with an HTTPS request, and the packets are dropped after reaching the Firebox.

    Dynamic NAT is already activated on the Firebox. But I am not sure why the HTTP request packets are dropped by the Firebox.
    I added a firewall policy allowing HTTP and HTTPS traffic from the internal servers to Any-External, but they still have no internet connection.

    What specifically do I have to configure?
    Are these route entries the problem, so that all traffic from the internal servers is redirected to the remote gateway?



  • FYI - there is no need to hide private IP addrs. Showing them is not a security risk.

    What is your current Local & Remote entries on the Tunnel setup?

    From the Traffic Monitor post, it looks like a 10.xx.x.x IP addr is getting converted to a 172.x.x.x IP addr which suggests that the packet is going over the BOVPN, thus the need to see the Local & Remote entries.

  • @Bruce_Briggs said:
    FYI - there is no need to hide private IP addrs. Showing them is not a security risk.

    What is your current Local & Remote entries on the Tunnel setup?

    From the Traffic Monitor post, it looks like a 10.xx.x.x IP addr is getting converted to a 172.x.x.x IP addr which suggests that the packet is going over the BOVPN, thus the need to see the Local & Remote entries.

    Ok thanks for the info!

    You mean the local and remote gateway endpoint settings?

  • edited May 2022
    No
    The Tunnel Local & Remote IP addrs/subnets
  • @Bruce_Briggs said:
    No
    The Tunnel Local & Remote IP addrs/subnets

    I guess you mean these local & remote entries?

  • edited May 2022

    Nothing that I see indicates that all traffic from your 4 internal servers should go via the BOVPN - only traffic from those 4 Local IP addrs to 172.20.1.50 should traverse the BOVPN.

    Verify that you do have Dynamic NAT entries for:
    192.168.0.0/16 - Any-external
    172.16.0.0/12 - Any-external
    10.0.0.0/8 - Any-external
    You can see these in the Web UI in Network -> NAT

    If so, you should open a support case so that a WG rep can look at your config and find out why this is not working as desired.

  • Ok thanks anyway for your help!

    Will open a ticket with our ISP, which installed the WatchGuard.

  • Hey all,
    This problem is still open on my WatchGuard. I did some troubleshooting and maybe someone knows what this error in the Traffic Monitor is saying.

    I tried to open Google in a browser on an affected server, which is in the VPN tunnel, and the Traffic Monitor says this. Do you know what it means, or what I could check so the servers in the 1:1 NAT are able to reach the internet?

    2023-03-06 10:25:45 FW1 https-proxy 0x369e8ca0-73471009 621: 10.44.1.72:56109 -> 23.36.224.131:443 [A t] {B} | 664: 172.24.85.72:56109 -> 23.36.224.131:443 [!B fc] {B}[P]: failed to connect B channel Debug
    2023-03-06 10:25:45 FW1 pxy 0x369e8ca0-73471009 connect failed Connection timed out 621: 10.44.1.72:56109 -> 23.36.224.131:443 [A t] {B} | 664: 172.24.85.72:56109 -> 23.36.224.131:443 [!B c] {B}[P] Debug
    2023-03-06 10:25:47 FW1 https-proxy 0x37971d80-73471378 3173: 10.44.1.72:56110 -> 23.0.174.138:443 [A txr] {B } | 3174: 172.24.85.72:56110 -> 23.0.174.138:443 [!B fc] {B}[P]: failed to connect B channel Debug
    2023-03-06 10:25:47 FW1 pxy 0x37971d80-73471378 connect failed Connection timed out 3173: 10.44.1.72:56110 -> 23.0.174.138:443 [A txr] {B } | 3174: 172.24.85.72:56110 -> 23.0.174.138:443 [!B c] {B}[P] Debug

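The Traffic Monitor records above carry the answer in their two socket descriptions: the A socket is the client-to-Firebox leg (10.44.1.72), the B socket is the Firebox-to-server leg, and on the B leg the source is still 172.24.85.72, a private address, even though the destination is a public web server. The following parser is an added example (not code from the thread or from WatchGuard) that extracts both legs from records of this shape and flags an outbound leg that left with an RFC1918 source. The regular expression is an assumption fitted to the two record shapes posted above (an https-proxy "failed to connect B channel" line and a pxy "connect failed" line); the fourth sample line is constructed to show what a record with a public egress source would look like and is not a real Firebox log entry.

```python
"""Parse WatchGuard proxy Traffic Monitor records and flag outbound legs
sourced from a private address.

Added example, not code from the thread or from WatchGuard.  LINE_RE is an
assumption fitted to the record shapes posted in the thread; other Fireware
log formats are not covered.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: the records from the post, one per line, plus one
# constructed line (203.0.113.10 is a placeholder public egress address).
SAMPLE_LOG = """\
2023-03-06 10:25:45 FW1 https-proxy 0x369e8ca0-73471009 621: 10.44.1.72:56109 -> 23.36.224.131:443 [A t] {B} | 664: 172.24.85.72:56109 -> 23.36.224.131:443 [!B fc] {B}[P]: failed to connect B channel Debug
2023-03-06 10:25:45 FW1 pxy 0x369e8ca0-73471009 connect failed Connection timed out 621: 10.44.1.72:56109 -> 23.36.224.131:443 [A t] {B} | 664: 172.24.85.72:56109 -> 23.36.224.131:443 [!B c] {B}[P] Debug
2023-03-06 10:25:47 FW1 https-proxy 0x37971d80-73471378 3173: 10.44.1.72:56110 -> 23.0.174.138:443 [A txr] {B } | 3174: 172.24.85.72:56110 -> 23.0.174.138:443 [!B fc] {B}[P]: failed to connect B channel Debug
2023-03-06 10:40:02 FW1 https-proxy 0x3b0c1e40-73471900 700: 10.44.1.72:56200 -> 23.36.224.131:443 [A t] {B} | 701: 203.0.113.10:56200 -> 23.36.224.131:443 [B c] {B}[P] Debug
"""

# One "id: src:port -> dst:port [flags] {channel}" socket description; {p} is a/b.
SOCK = (r"(?P<{p}_id>\d+): (?P<{p}_src>[\d.]+):(?P<{p}_sport>\d+) -> "
        r"(?P<{p}_dst>[\d.]+):(?P<{p}_dport>\d+) \[(?P<{p}_flags>[^\]]*)\] \{{(?P<{p}_ch>[^}}]*)\}}")

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>\S+) "
    r"(?P<conn>0x[0-9a-f]+-\d+) (?P<msg>.*?)"
    + SOCK.format(p="a") + r" \| " + SOCK.format(p="b")
    + r"(?:\[P\])?(?:: (?P<tail>.*?))? (?P<level>\w+)$"
)


@dataclass
class ProxyRecord:
    ts: str
    process: str
    conn_id: str
    message: str   # free text before the socket pair, e.g. "connect failed Connection timed out"
    a_src: str     # client -> Firebox leg
    a_dst: str
    b_src: str     # Firebox -> server leg: the source the server actually sees
    b_dst: str
    b_flags: str
    tail: str      # text after the socket pair, e.g. "failed to connect B channel"


def parse_line(line: str) -> Optional[ProxyRecord]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return ProxyRecord(g["ts"], g["proc"], g["conn"], g["msg"].strip(),
                       g["a_src"], g["a_dst"], g["b_src"], g["b_dst"], g["b_flags"],
                       (g["tail"] or "").strip())


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in RFC1918)


def diagnose(rec: ProxyRecord) -> dict:
    """Compare the A and B legs: which source left the Firebox, and could a reply return?"""
    return {
        "conn_id": rec.conn_id,
        "client": rec.a_src,
        "egress_src": rec.b_src,
        "nat_applied": rec.a_src != rec.b_src,
        # An RFC1918 source on the outbound leg to a non-RFC1918 server cannot get a reply.
        "private_src_to_public_dst": is_rfc1918(rec.b_src) and not is_rfc1918(rec.b_dst),
        "b_channel_failed": rec.tail.startswith("failed to connect B channel")
                            or rec.message.startswith("connect failed"),
    }


def analyze_log(text: str) -> List[dict]:
    recs = (parse_line(l) for l in text.splitlines())
    return [diagnose(r) for r in recs if r is not None]


if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(finding)
```

For the posted records the output shows the 1:1 NAT address (172.24.85.72) as the egress source on every B leg, with `private_src_to_public_dst` true and the B channel failed; the constructed fourth line shows the shape you would expect once the outbound leg is sourced from the firewall's own external address instead.
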
  • "Connection timed out"
    "B channel" is the firewall connecting to the remote web server.

    The firewall could not connect to 23.36.224.131 using HTTPS

    23.36.224.131 is a23-36-224-131.deploy.static.akamaitechnologies.com
    and is located in Zurich Switzerland

  • OK, thanks for the info. But I can't connect to any website on the internet; is there something missing in the WatchGuard?
    I created a web rule to allow the traffic from the source IP 172.24.85.72 to the internet via an HTTPS-proxy, but it is still not working.

  • edited March 2023

    What does a tracert show from this server to an IP addr on the Internet?

    The 1-to-1 NAT settings - are these in the BOVPN Tunnel settings NAT tab or in the Network -> NAT settings?
    They should be in the BOVPN tunnel settings

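Taken together, the two hints in this thread (verify the three RFC1918 dynamic NAT entries to Any-external, and put the 1:1 NAT in the BOVPN tunnel settings rather than under Network -> NAT) describe an order of evaluation. The following is an added example, not Fireware code and not from the thread, modelling that order so the two placements can be compared for the same flows. Its assumptions, which are not stated on this page, are: a 1:1 NAT entry under Network -> NAT is evaluated for every packet the host sends and takes precedence over dynamic NAT, whereas a 1:1 NAT entry in the BOVPN tunnel settings is evaluated only against the tunnel's Local/Remote entries. The tunnel Local entry 172.24.85.64/28 and the external address 203.0.113.10 are placeholders; the other addresses are the ones posted in the thread.

```python
"""Simplified model of where a server's packet goes and which NAT it gets.

Added example for this thread, not Fireware code.  Modelling assumptions:
a 1:1 NAT under Network -> NAT applies to every packet from the host and wins
over dynamic NAT; a 1:1 NAT in the BOVPN tunnel settings is only evaluated
against the tunnel's Local/Remote entries.  172.24.85.64/28 and 203.0.113.10
are placeholders, the remaining addresses come from the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: IPv4) -> bool:
    return any(ip in n for n in RFC1918)


@dataclass
class OneToOneNat:
    """Maps real_start .. real_start+count-1 onto nat_start .. nat_start+count-1."""
    real_start: IPv4
    nat_start: IPv4
    count: int

    def translate(self, ip: IPv4) -> Optional[IPv4]:
        off = int(ip) - int(self.real_start)
        return IPv4(int(self.nat_start) + off) if 0 <= off < self.count else None


def first_match(entries: List[OneToOneNat], ip: IPv4) -> Optional[IPv4]:
    for e in entries:
        t = e.translate(ip)
        if t is not None:
            return t
    return None


@dataclass
class TunnelRoute:
    local: Net   # Local entry: what the remote side is allowed to reach
    remote: Net  # Remote entry


@dataclass
class FireboxModel:
    external_ip: IPv4
    tunnel_routes: List[TunnelRoute]
    tunnel_one_to_one: List[OneToOneNat]  # 1:1 NAT in the BOVPN tunnel settings
    global_one_to_one: List[OneToOneNat]  # 1:1 NAT under Network -> NAT
    dynamic_nat: List[Tuple[Net, str]]    # (source network, destination alias)

    def decide(self, src: IPv4, dst: IPv4) -> dict:
        g = first_match(self.global_one_to_one, src)      # assumed: applied to everything
        s = g if g is not None else src
        t = first_match(self.tunnel_one_to_one, s)        # assumed: tunnel traffic only
        cand = t if t is not None else s
        if any(cand in r.local and dst in r.remote for r in self.tunnel_routes):
            return {"path": "bovpn", "egress_src": str(cand), "routable": True}
        if g is not None:  # assumed: a matching global 1:1 NAT skips dynamic NAT
            return {"path": "external", "egress_src": str(g), "routable": not is_rfc1918(g)}
        if any(alias == "Any-external" and src in n for n, alias in self.dynamic_nat):
            return {"path": "external", "egress_src": str(self.external_ip), "routable": True}
        return {"path": "external", "egress_src": str(src), "routable": not is_rfc1918(src)}


def missing_dynamic_nat(model: FireboxModel) -> List[str]:
    """The check from the thread: each RFC1918 range needs a dynamic NAT entry to Any-external."""
    return [str(n) for n in RFC1918
            if not any(alias == "Any-external" and n.subnet_of(src_net)
                       for src_net, alias in model.dynamic_nat)]


SERVERS = OneToOneNat(IPv4("10.44.1.70"), IPv4("172.24.85.70"), 6)   # .70-.75 as posted
ROUTES = [TunnelRoute(Net("172.24.85.64/28"), Net("172.20.1.50/32"))]  # placeholder Local entry
DYNAMIC = [(n, "Any-external") for n in RFC1918]


def build(nat_in_tunnel: bool) -> FireboxModel:
    """nat_in_tunnel=False is the original placement, True the corrected one."""
    return FireboxModel(
        external_ip=IPv4("203.0.113.10"),
        tunnel_routes=ROUTES,
        tunnel_one_to_one=[SERVERS] if nat_in_tunnel else [],
        global_one_to_one=[] if nat_in_tunnel else [SERVERS],
        dynamic_nat=DYNAMIC,
    )


if __name__ == "__main__":
    srv, web, rdp = IPv4("10.44.1.72"), IPv4("23.36.224.131"), IPv4("172.20.1.50")
    for label, model in (("global 1:1 NAT", build(False)), ("tunnel 1:1 NAT", build(True))):
        print(label, "to internet:", model.decide(srv, web))
        print(label, "to remote:  ", model.decide(srv, rdp))
        print(label, "missing dynamic NAT:", missing_dynamic_nat(model))
```

Under the model, traffic to 172.20.1.50 traverses the tunnel with the 172.24.85.x source in both placements, which is why RDP from the remote side worked before the change; traffic to the internet leaves with the unroutable 172.24.85.72 source only when the 1:1 NAT is global, and with the firewall's external address once it is confined to the tunnel and dynamic NAT applies.
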
  • @Bruce_Briggs said:
    What does a tracert show from this server to an IP addr on the Internet?

    The 1-to-1 NAT settings - are these in the BOVPN Tunnel settings NAT tab or in the Network -> NAT settings?
    They should be in the BOVPN tunnel settings

    Thanks a lot! It seems to be working now.

    The 1-to-1 NAT was in the Network -> NAT settings.

    I added it in the BOVPN tunnel and removed it from the network settings. Now I have an internet connection.

  • Too soon pleased. It seems that from the opposite network they can't reach the server anymore.

    The 1-to-1 NAT settings were as follows:

    The firewall policy is active with the following setting:

    From 172.20.1.50 allow RDP 3389 to 172.24.85.70-75 and 10.44.1.70-80

    But no RDP session is possible from the opposite via VPN.

    Did I do something wrong?

  • Is the remote site accessing the NAT IP addr?

  • On what firewall are these settings?
    The local one or the remote one?

  • The settings are on the local firewall and the remote site is accessing the NAT IP with RDP.
    Is there a problem on the local firewall ?

  • So 172.20.1.50 can't access 172.24.85.71 ?

  • Anything in Traffic Monitor for 172.20.1.50 when the RDP connection is tried ?

    You can turn on Logging on your RDP policy to see log entries in Traffic Monitor for packets allowed by the policy.
