NAT from trusted to internal

I'm new to WatchGuard and wonder how to forward a request from a trusted interface to an internal IP on another (VLAN) interface.

A branch is connected via MPLS to this trusted interface. If a client on this branch does a DNS request to 192.168.156.1 (internal IP), I want to forward this to 192.168.156.2 (internal IP). SNAT seems not to be a suitable option, since it only works for external and optional interfaces. I can NOT change the IP the clients behind this trusted interface request (in this case to 192.168.156.2).

Instead I must handle it on our side and forward it to the correct destination. There should be a better option than changing this interface from trusted to optional or external, right?

Thanks.

Comments

  • There is a DNS forwarding option - for when the DNS packet goes to a firewall interface IP addr.
    Perhaps this will work for you.

    About DNS Forwarding
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/networksetup/dns_forwarding_about.html

  • I tried this but it has no effect, is there any pitfall? Firebox is not DHCP for this interface.

  • No pitfalls. This only affects DNS packets which go to a selected firewall interface IP addr. Nothing else.

    DHCP should have nothing to do with this.
    Is 192.168.156.1 the primary IP addr of this MPLS connection interface?
    If so, and you have set up the DNS forwarding correctly, then the DNS packets coming to that firewall interface should get forwarded to the DNS server IP addr that you specified.

    Since you say that this is not working, then you should open a support incident on this to get help from WG in resolving this.

  • No, this MPLS interface has a different IP address on a different subnet. The DNS query just passes this interface but has the destination 192.168.156.1 and should be forwarded to 192.168.156.2.

  • Can 192.168.156.1 also be assigned to the DNS server?

    SNAT can only apply to an IP addr associated with a firewall interface.
    Is 192.168.156.1 an IP addr on a firewall interface?

  • What is 192.168.156.1 ?

    Why can't the devices at the end of the MPLS have the DNS server IP addr being used changed from 192.168.156.1 to 192.168.156.2 ?

  • 192.168.156.1 is not an IP address of a WG interface, but a local DNS server. For this branch, not ...1 should answer DNS queries; ...2 should do this job.

    There are no real technical reasons the devices at the end of the MPLS can't use ...2 directly; the reasons are rather political.

  • I can't think of a solution to your problem via XTM.

    It looks like some DNS servers support views which allow different answers based on the source IP addr/subnet of the DNS query.
    https://www.zytrax.com/books/dns/ch7/view.html
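    The view approach from the last comment, as an added example that is not part of the thread or of any WatchGuard or zytrax documentation: a BIND 9 `named.conf` fragment for the DNS server at 192.168.156.1 that keeps answering internal clients itself but forwards every query that arrives from the branch to 192.168.156.2. The branch subnet `10.10.20.0/24` and the zone `example.internal` are constructed placeholders; the thread does not give them.

```conf
// Added example, not from the thread: BIND 9 configuration for the server
// at 192.168.156.1. Branch clients keep querying ...1, but ...1 hands their
// queries to ...2 instead of answering from its own data.

acl "branch_nets" { 10.10.20.0/24; };   // constructed: subnet behind the MPLS link

options {
    listen-on { 192.168.156.1; };
    // Only the networks we expect; anything else is refused rather than served.
    allow-query { localnets; branch_nets; };
    recursion yes;
};

// View selection is by source IP of the query, so this only works if the
// firewall does not NAT the branch traffic before it reaches ...1.
view "branch" {
    match-clients { branch_nets; };
    recursion yes;
    forward only;                       // never fall back to our own resolution
    forwarders { 192.168.156.2; };      // the server that should answer the branch
};

// Everyone else keeps the normal behaviour of this server. With views in use,
// every zone must live inside a view; none may stay at top level.
view "internal" {
    match-clients { any; };
    recursion yes;
    zone "example.internal" {           // constructed zone name
        type master;
        file "/etc/bind/db.example.internal";
    };
};
```

    Check the syntax with `named-checkconf` before reloading, then compare `dig @192.168.156.1 host.example.internal` run from a branch host with the same query run from an internal host: the branch answer should come from the data on ...2. The same view mechanism can instead serve the branch a different copy of the zone (a second `zone` statement with its own file inside the "branch" view) if forwarding wholesale is more than wanted.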
