BOVPN - Policy for single IP address

We have 3 devices (M370 and (2) T55's) connected via BOVPNs. I would like to create a policy with special rules for acessing a single IP address across the VPN. Is that the purpose of the Member type "Tunnel Address"

Comments

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi Jreedtbf,

    You could do this by specifying using the Add Other, and choosing tunnel address, yes.

    For instance, you could say

    FROM any-trusted
    TO (tunnel address) 192.168.10.100 : Any BOVPN (or specify the tunnel by name.)

    If you do this, make sure you disable the default BOVPN policy for that tunnel or the firewall will just match that rule when it gets to it for the other traffic.

    -James Carson
    WatchGuard Customer Support

  • edited October 2019

    James, thanks for the reply.

    Basically my thought is that I want to enable QoS on one IP going across the tunnel so a single policy for this IP with QoS enabled is the way to go. All other traffic would match the default BOVPN policy.

    It looks like I have some traffic going across this policy now so it must be working. Im not real fimiliar with QoS so Im not sure what the best settings are to make this work. This is a Voip connection...is there a recommended setup for this?

  • edited October 2019

    Which suggests that this policy is not being used to allow the traffic.
    Is this policy above the general allow BOVPN traffic policy ?

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @jreedtbf

    QoS isn't supported across a BOVPN -- the 802.1q flags will just get stripped as there's no spec way to encapsulate that traffic via IPSEC.

    You can enable TOS for IPSec, but that's a global setting, and some ISPs may drop it.

    (About Global VPN Settings) -- Enable TOS for IPSec
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/global_vpn_settings_about_c.html

    -James Carson
    WatchGuard Customer Support

  • Oh, that makes sense why it hasn't helped then. My knowledge and understanding of QoS is very limited as you can tell.

    Let me ask this. The phone systems are on connected to my internal interface communicating via private IP over the VPN.

    If I change them to communicate via public IP, will QoS work in that scenario? I assume that depends on whether the ISP strips the QoS marking. Would I need to enable the prioritize based on QoS marking on both the internal and external interface?

  • QoS will not apply to packets going out over the Internet unless you have some sort of QoS agreement with your ISP.
    If the remote firewalls are not connected to your main firewall ISP, then that is another potential issue.
    To me, QoS only helps get high priority packets out a specific firewall interface faster if that interface is highly utilized.

  • Thanks Bruce. I really might be on the entirely wrong track with troubleshooting this issue. Getting jitter on one end and echo on the other. Its like a needle in a haystack.

  • Perhaps using a tool such as PingPlotter to a remote firewall external IP addr, and also through the BOVPN can show if latency is part of your problem.
    www.pingplotter.com

Sign In to comment.