Unable to Access Office Network Resources Over WatchGuard Mobile VPN with SSL

Issue Description:
I have successfully set up a Mobile VPN with SSL on our WatchGuard Firebox T45.
• VPN clients can connect successfully and are assigned an IP from the 10.10.10.0/24 range.
• After connecting, my public IP changes to the office's public IP, confirming traffic is being tunneled.
• I can ping the Firebox gateway (192.168.1.1) but cannot reach any office resources, including our Windows Server (192.168.1.6).
Network Setup:
• Office LAN: 192.168.1.0/24
• VPN Virtual IP Pool: 10.10.10.0/24
• Home LAN: 100.1.10.0/24
• Firewall: WatchGuard Firebox T45
• VPN Type: Mobile VPN with SSL
Troubleshooting Steps Taken:
1. Checked Routing Table on VPN Client (route print)
• The VPN client correctly received a route for 192.168.1.0/24 via the VPN tunnel (10.10.10.1).
2. Verified Windows Firewall on the Server (192.168.1.6)
• Created inbound and outbound firewall rules to allow traffic from 10.10.10.0/24.
3. Checked WatchGuard Firewall Policies
• Verified that VPN clients are assigned the correct network settings.
• No logs in the Traffic Monitor indicate traffic is being blocked.

Temporary Fix Identified by WatchGuard Tech Support:
WatchGuard tech support created a temporary policy using double NAT, making the SSL VPN appear as a local subnet. After this change, I was able to access the server (192.168.1.6).
What I Need Help With:
1. Why is traffic from VPN clients (10.10.10.x) not reaching internal resources (192.168.1.x) without double NAT?
2. Are there additional Windows Server firewall settings that could be blocking traffic?

Any insights or suggestions would be greatly appreciated!

Comments

  • You may need to add an Inbound Rule to Windows Defender to allow access from
    10.10.10.0/24.
    Give it a try.

    Also, what Windows Server version do you have?

  • Hi Bruce_briggs,
    As mentioned above I've already added the subnet 10.10.10.0/24 for both inbound and outbound on the Windows Firewall.

    The server is Windows Server 2022 Standard.

  • Is "Block Edge Traversal" enabled on that Windows Firewall setting?
    If so, try changing it.

  • I changed it to enabled and it is still not working.

  • You could try a packet capture on the Windows Server.
    Many use Wireshark for this.
    And you can add a filter to only see source/dest IP addresses or subnets, ports, etc.
    This should prove whether the packets are getting through to the server.

  • Basic mistake: the server's network interface was set to a different gateway address, and when I changed it, it started working!
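
The root cause reported above is a classic asymmetric-routing failure: the VPN client's packets reach the server through the Firebox, but the server's replies to 10.10.10.x follow its default route, and if that route points at a device other than the Firebox the replies never come back (and nothing shows up as "blocked" in Traffic Monitor, because the Firebox never sees them). The following is an added example, not code from the thread or from WatchGuard: a small Python script that parses the IPv4 "Active Routes" section of a Windows `route print` dump, performs the same longest-prefix-match lookup the Windows stack does, and reports which next hop the server would use for a reply to a VPN client. The two route tables are constructed for illustration; 192.168.1.254 is a placeholder for the wrong gateway and is not an address from the original post.

```python
"""
Added example (not from the original thread): check, from a Windows server's
`route print` output, whether replies to Mobile VPN with SSL clients
(10.10.10.0/24) would go back through the Firebox (192.168.1.1).
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

FIREBOX = ipaddress.ip_address("192.168.1.1")     # LAN gateway from the post
VPN_POOL = ipaddress.ip_network("10.10.10.0/24")  # SSL VPN virtual IP pool


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str        # "On-link" or a dotted IPv4 next hop
    interface: str
    metric: int


# One "Active Routes" row: destination, netmask, gateway, interface, metric.
_ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(On-link|\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_route_print(text: str) -> list[Route]:
    """Parse the IPv4 'Active Routes' rows of `route print`; other lines are ignored."""
    routes: list[Route] = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        dest, mask, gw, iface, metric = m.groups()
        # ipaddress accepts dotted netmasks, e.g. 0.0.0.0/0.0.0.0 -> 0.0.0.0/0
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append(Route(net, gw, iface, int(metric)))
    return routes


def lookup(routes: list[Route], dst: str) -> Route | None:
    """Longest-prefix match; the lowest metric wins among equal prefix lengths."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def reply_next_hop(routes: list[Route], client_ip: str) -> str:
    """Next hop the server uses for a reply to client_ip: a gateway or 'On-link'."""
    r = lookup(routes, client_ip)
    return "unreachable" if r is None else r.gateway


def diagnose(routes: list[Route], client_ip: str = "10.10.10.5") -> tuple[bool, str]:
    """True when replies to the VPN pool return via the Firebox, plus an explanation."""
    hop = reply_next_hop(routes, client_ip)
    if hop == str(FIREBOX):
        return True, f"reply to {client_ip} goes via {hop} (the Firebox): path is symmetric"
    if hop == "On-link":
        return False, f"server treats {client_ip} as on-link: no route back through the Firebox"
    return False, (f"reply to {client_ip} goes via {hop}, not the Firebox {FIREBOX}: "
                   "client packets arrive, but the replies never return")


# Constructed `route print` dumps (not captured from the poster's server).
# The misconfigured table has the default route pointed at a placeholder gateway.
MISCONFIGURED = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254    192.168.1.6     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link       192.168.1.6    281
      192.168.1.6  255.255.255.255         On-link       192.168.1.6    281
===========================================================================
"""
# Same table after the fix from the thread: default gateway set to the Firebox.
CORRECTED = MISCONFIGURED.replace("192.168.1.254", "192.168.1.1")


if __name__ == "__main__":
    for label, dump in (("misconfigured", MISCONFIGURED), ("corrected", CORRECTED)):
        ok, why = diagnose(parse_route_print(dump))
        print(f"{label}: {'OK' if ok else 'BROKEN'} - {why}")
```

To use it against a real server, paste the output of `route print -4` into `parse_route_print` instead of the constructed dumps. The check deliberately looks at the reply direction only: the client's `route print` (step 1 in the post) proves packets can reach the LAN, while the server's routing table decides whether anything comes back, which is why the double-NAT workaround hid the problem (the server saw a 192.168.1.x source and answered on-link).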
