prod editing - help please

The problem is that on Monday I have to make some changes to a WatchGuard directly in prod, and I don't really know how to use the web interface, but I have to.

The scenario is:

site 1 LAN -> WatchGuard with 2 WANs -> site 1 ISP MPLS, IPsec to site 2 ISP MPLS -> firewall (that I don't have to care about) -> 1 private IP at site 2 to reach

I have to set it up so that only one private IP of the site 1 LAN can reach the specified private IP of site 2.

I also have this data:

Private IP of site 1:
10.10.10.201

NATted source IP before entering the tunnel (this tunnel should be the IPsec one, so I think this NAT should be handled by the ISP, am I wrong?):
10.13.10.132

Real destination IP address range at site 2:
10.50.20.0/24

IP address to reach in site 2:
10.50.20.66 port 5656

So, I have to specify that only 10.10.10.201 can reach 10.50.20.66 port 5656 using WAN 2 of the site 1 WatchGuard.

How can I do this? What are the exact steps and procedure? Please help me :)

Best regards

Comments

  • Sounds like you need to set up a Branch Office VPN (BOVPN).
    On the Gateway, you specify your local WAN to use and the other end's WAN interface.
    On the Tunnel settings you specify the local and remote IP addrs/subnets for the tunnel.
    You can also specify a 1-to-1 NAT setting on the Tunnel setup.

    If you have an Outgoing policy in your config, then outgoing access on port 5656 will already be allowed.
    If not, add a custom packet filter policy for TCP port 5656.

    The online docs are searchable.
    Start here:
    Manual Branch Office VPN Tunnels
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/other/chapters/manualbovpntunnels.html

  • There are some BOVPN setup examples for both WSM Policy Manager and for the Web UI, here:
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/support/configuration_examples.html

  • Thanks for the reply, but no, I don't have to set up the VPN because the IPsec is handled by the ISP with the MPLS.
    I only have to specify an outgoing policy.

    If I am right, all the traffic not allowed is blocked, so it's enough to specify a custom packet filter policy for 5656 from the IP I would like.

    Is this correct?

    Thanks
    Best regards

  • Correct, all the traffic not allowed is blocked, however, IF you have an Outgoing policy in your config, then outgoing access on port 5656 will already be allowed out of the firewall, to anywhere.

    Use SD-WAN on the 5656 policy.
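To make the point of the comment above concrete, here is a toy first-match model of a Firebox packet-filter set. This is example code written for this thread, not WatchGuard code, and it only approximates Fireware's automatic policy ordering (most specific policy first, implicit deny at the end). The addresses are the ones posted in the thread; the second LAN host 10.10.10.5, the 10.10.10.0/24 mask for the site 1 LAN and the policy names are assumptions made for the demonstration. It shows that a narrow "allow 10.10.10.201 -> 10.50.20.66:5656" policy restricts nothing by itself while the stock Outgoing policy is still present, because every other host simply matches Outgoing.

```python
"""Toy model of how a Firebox packet-filter set decides an outbound flow.

Added example for this thread, not WatchGuard code.  Fireware's auto-order mode
puts more specific policies before less specific ones and denies what nothing
allows; the list below is written in that order and evaluate() stops at the
first match.  Addresses come from the thread; 10.10.10.5, the /24 and the
policy names are constructed for the demo.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Policy:
    name: str
    action: str                  # "allow" or "deny"
    src: Tuple[str, ...]         # source hosts/networks, CIDR notation
    dst: Tuple[str, ...]         # destination hosts/networks, CIDR notation
    protos: Tuple[str, ...]      # e.g. ("tcp",) or ("tcp", "udp")
    ports: Tuple[int, ...]       # empty tuple = any port
    egress: str                  # interface the flow is steered to (SD-WAN); "any" = routing table

    def matches(self, src: str, dst: str, proto: str, port: int) -> bool:
        s, d = ip_address(src), ip_address(dst)
        return (
            any(s in ip_network(n) for n in self.src)
            and any(d in ip_network(n) for n in self.dst)
            and proto in self.protos
            and (not self.ports or port in self.ports)
        )


def evaluate(policies: List[Policy], src: str, dst: str, proto: str, port: int) -> Tuple[str, str, str]:
    """Return (action, matching policy name, egress) for the first match; implicit deny otherwise."""
    for p in policies:
        if p.matches(src, dst, proto, port):
            return p.action, p.name, p.egress
    return "deny", "<implicit deny>", "-"


SITE1_LAN = "10.10.10.0/24"          # assumed mask for the site 1 trusted network

# The narrow policy the poster wants: one host, one destination, TCP/5656, out WAN2 via SD-WAN.
ALLOW_5656 = Policy(
    "Allow-5656-to-site2", "allow",
    src=("10.10.10.201/32",), dst=("10.50.20.66/32",),
    protos=("tcp",), ports=(5656,), egress="WAN2",
)
# The stock Fireware "Outgoing" policy: Any-Trusted/Any-Optional -> Any-External, TCP and UDP, any port.
OUTGOING = Policy(
    "Outgoing", "allow",
    src=(SITE1_LAN,), dst=("0.0.0.0/0",),
    protos=("tcp", "udp"), ports=(), egress="any",
)

WITH_OUTGOING = [ALLOW_5656, OUTGOING]   # specific policy first, broad one after it
RESTRICTED = [ALLOW_5656]                # Outgoing removed (or narrowed so it no longer covers site 2)


def who_reaches_site2(policies: List[Policy], hosts=("10.10.10.201", "10.10.10.5")) -> List[str]:
    """Site 1 hosts that get an allow for TCP/5656 to 10.50.20.66 under this policy set."""
    return [h for h in hosts if evaluate(policies, h, "10.50.20.66", "tcp", 5656)[0] == "allow"]


if __name__ == "__main__":
    for label, pols in (("with stock Outgoing", WITH_OUTGOING), ("Outgoing removed", RESTRICTED)):
        print(f"{label}: hosts allowed to 10.50.20.66:5656 -> {who_reaches_site2(pols)}")
    print("10.10.10.5   -> 10.50.20.66:5656 with Outgoing:", evaluate(WITH_OUTGOING, "10.10.10.5", "10.50.20.66", "tcp", 5656))
    print("10.10.10.201 -> 10.50.20.66:5656 restricted   :", evaluate(RESTRICTED, "10.10.10.201", "10.50.20.66", "tcp", 5656))
    print("10.10.10.201 -> 10.50.20.66:22   restricted   :", evaluate(RESTRICTED, "10.10.10.201", "10.50.20.66", "tcp", 22))
```

The practical check this encodes: after adding the 5656 policy, look at what still matches the remaining broad policies (Outgoing in particular) for the site 2 destination, and either remove Outgoing or narrow its To list so that 10.50.20.0/24 is no longer covered; otherwise every trusted host keeps reaching 10.50.20.66:5656 and the firewall enforces nothing beyond SD-WAN steering.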

  • Explain "NATted source IP" and 10.13.10.132.
    Is 10.13.10.132 the WAN2 external IP addr?

  • Thanks for the reply... that's the problem as well.
    I have a sheet with this data from the customer, but no idea; I suppose it is the IP address of the MPLS IPsec... but I'm not sure.

    Any idea?

    Really, thanks for your time.

  • You need to find out what it means.
    We can't help any more without that info.

  • You can see your WAN interface IP addrs in the Web UI -> Dashboard -> Interfaces

  • edited March 2023

    Yep, I know it, thanks... and obviously WAN2 has a public IP address that is not in the sheet I reported.
    WAN2 public IP address, let's say 2.2.2.3.

  • Hi all, I have another question about this topic...

    If, from the firewall diagnostics, I ping a private IP of site B.
    Schema:

    WatchGuard firewall
    WAN2
    ISP MPLS
    WAN of site B
    LAN

    Is the reply to that ping allowed to get back to the Firebox?

    Really, thanks.

  • edited April 2023

    One would expect so, assuming that something is not blocking the initial ping, or that there is not a routing issue.
    Try using tracert instead of ping.

  • Yep, I did it, but even with the correct route set up it gets stuck on the WAN IP address, so I suppose it is an ISP problem.

  • Does a tracert work from behind the firewall?

    Since you have 2 WANs, on your tracert from the firewall you need to make sure that the tracert is going out the correct WAN interface. You can do that by using the Advanced Options and specifying the interface to use in the Arguments field.

    Run Network Diagnostic Tasks in Fireware Web UI
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/WG-Cloud/Devices/managed/fireware_webui_diagnostics_network.html

  • Under Network -> Routes I set up a rule that says all traffic with destination netmask 1.1.1.1/1 has the gateway set to the IP of WAN 2... and it works, I think, but the trace gets stuck at the IP of WAN2... it should go on to the other side but it doesn't.

  • Time to contact your ISP.
    Seems that something upstream is dropping these packets.

  • edited April 2023

    Thank you man :) I will keep you updated.

  • I don't know why, but to set the route I have to set:

    destination subnet: the one I want
    gateway: (not the IP of the WAN) the router IP of the WAN interface

    I assumed that this routing was done by the WatchGuard.

    Strange.

    Maybe I am totally wrong :)

  • If you have a support contract on your firewall, you can open a support case with WatchGuard, and get help from a WG rep.

    You can open a case via the SUPPORT CENTER link at the top.

  • Are you saying this because it's strange behavior?

  • OK, I was totally wrong.
    Thank you anyway.
