Mikrotik VPN User

Dear WG Community,

Right now, my company is doing a POC for the Firebox T55.
The topology is like this:
Internet -- Mikrotik -- Firebox -- Internal Network

Everything seems OK, but when we connect to the VPN (the VPN server is on the Mikrotik),
it connects, but we can't access the internal network. It's blocked by the Firebox.

The question is, how do we pass the VPN connection from the Mikrotik through the Firebox?

Thank you

Answers

  • james.carson Moderator, WatchGuard Representative

    Hi @YosefR

    You'll need to make inbound policies on the firewall. To the WatchGuard device, the Mikrotik VPN users are external (it looks like they're just coming from the internet).

    If you're using NAT on the WatchGuard, you'll need to make a 1-to-1 or Static NAT (SNAT), then add that to a policy. If you're not using NAT on the WatchGuard, you'll just need to make an inbound policy.

    Here's a quick article that can get you started with Static NAT:
    https://watchguardsupport.secure.force.com/publicKB?type=Article&SFDCID=kA10H000000g3K1SAI&lang=en_US

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • Whenever I have a non-bridgeable ISP device in front of a Firebox, I just add the Firebox' WAN IP to the ISP device's DMZ. SSLVPN works perfectly that way and all other inbound ports hit the Firebox.

    Gregg Hill
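Putting the two answers above into a MikroTik configuration, as an added example that is not from either poster: the VPN clients must be routed to the Firebox's external IP with their pool address intact (so the Firebox policy can be scoped to that pool, per James Carson's answer), and Gregg Hill's "DMZ host" approach is a dst-nat rule that sends everything else arriving on the MikroTik WAN to the Firebox. All addresses, interface names and the assumption that the MikroTik VPN is L2TP/IPsec are made up for the example; adjust them to the real deployment.

```routeros
# Added example (not from the thread). Assumed addressing:
#   MikroTik WAN (ether1):          203.0.113.10
#   MikroTik <-> Firebox transit:   172.16.0.0/30 (MikroTik ether2 = 172.16.0.1, Firebox external = 172.16.0.2)
#   Firebox trusted network:        192.168.1.0/24
#   VPN client pool on MikroTik:    10.99.0.0/24
#   MikroTik VPN type (assumed):    L2TP/IPsec, UDP 500, 4500 and 1701 on the WAN IP

# 1. Route the internal network to the Firebox's external IP. Without this the MikroTik
#    sends 192.168.1.0/24 out its default route and the Firebox never sees the packets.
/ip route add dst-address=192.168.1.0/24 gateway=172.16.0.2 comment="internal net behind Firebox"

# 2. Allow VPN clients to forward to the internal prefix only (not the whole transit LAN).
#    place-before=0 puts the rule ahead of any existing drop-forward rule.
/ip firewall filter add chain=forward src-address=10.99.0.0/24 dst-address=192.168.1.0/24 action=accept comment="VPN users -> internal via Firebox" place-before=0

# 3. Exempt VPN-to-internal traffic from masquerade so the Firebox sees the 10.99.0.x source
#    and its inbound policy can be restricted to that pool instead of Any-External.
/ip firewall nat add chain=srcnat src-address=10.99.0.0/24 dst-address=192.168.1.0/24 action=accept comment="no NAT for VPN -> internal" place-before=0

# 4. Gregg Hill's alternative: expose the Firebox external IP as the DMZ host.
#    dst-nat runs in prerouting before the MikroTik's own input chain, so the VPN server
#    ports must be exempted first or the blanket rule would hijack the MikroTik VPN itself.
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=udp dst-port=500,4500,1701 action=accept comment="keep MikroTik VPN ports local"
/ip firewall nat add chain=dstnat in-interface=ether1 dst-address=203.0.113.10 action=dst-nat to-addresses=172.16.0.2 comment="DMZ host: Firebox external"
/ip firewall filter add chain=forward in-interface=ether1 dst-address=172.16.0.2 connection-nat-state=dstnat action=accept comment="allow DMZ-forwarded traffic"
```

On the Firebox side (Policy Manager or the Fireware Web UI, not shown here), the matching inbound policy should use From: an alias for 10.99.0.0/24 on External rather than Any-External, and To: the internal hosts or network; if the Firebox applies dynamic NAT on that path, use the SNAT or 1-to-1 NAT option in that policy as James Carson describes. Steps 1 to 3 cover the routed pass-through; step 4 is only needed if you also want Internet-side inbound ports (such as the Firebox's own SSL VPN) to reach the Firebox.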

  • @James_Carson said:
    You'll need to make inbound policies on the firewall. To the WatchGuard device, the Mikrotik VPN users are external (it looks like they're just coming from the internet).

    Hi James Carson,

    Thank you for your answer. I will try it tomorrow and post the result.

  • @Greggmh123 said:
    Whenever I have a non-bridgeable ISP device in front of a Firebox, I just add the Firebox' WAN IP to the ISP device's DMZ. SSLVPN works perfectly that way and all other inbound ports hit the Firebox.

    Hi @Greggmh123, thank you for the information. Noted.
