Azure Expressroute BGP configuration
Azure Expressroute requires the use of two networks and BGP for the setup.
The two networks are /30 network so lets assume we use 192.168.255.0/30 and 192.168.255.4/30. This would mean that your internal interfaces will have IPs 192.168.255.1 and 192.168.255.5 while the Microsoft side will have 192.128.255.2 and 192.168.255.6.
Lets assume that you want to advertise the following networks for your office network 192.168.0.0/24 and 192.168.1.0/24. Lets assume that the networks that are in Azure are 192.168.100.0/24 and 192.168.101.0/24.
The BGP setup on the WatchGuard will then look like:
router bgp PrivateBPGNumber
bgp router-id 192.168.255.1
bgp router-id 192.168.255.5
network 192.168.0.0/24
network 192.168.1.0/24
neighbor 192.168.255.2 remote-as 12076
neighbor 192.168.255.6 remote-as 12076
neighbor 192.168.255.2 password ThePassword
neighbor 192.168.255.6 password ThePassword
Firewall rules are setup to allow all traffic to and from the local networks to the Azure networks.
The problem that then occurs is that the WatchGuard sees both networks 192.168.100.0/24 and 192.168.101.0/24 on both interfaces and then starts blocking traffic on one of the interfaces as spoofed.
What is missing from the setup?
Answers
Hi @DanielBarten
The firewall marks traffic as spoofed when it arrives via an interface that it isn't expecting. This usually happens if the route the traffic comes in / leaves via is asymmetric
Take a look at the spoofing log that you're seeing traffic denied on. Is it arriving where you expect it to be?
You can turn spoofing off globally in Default Threat Protection as a test -- does the traffic flow then?
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/intrusionprevention/default_pkt_handling_opt_about_c.html
-James Carson
WatchGuard Customer Support
Daniel, Did you ever figure this out? I am looking to do something similar. The ExpressRoute connection has to interface with an Azure Virtual Network Gateway first right? Then will that gateway send the BGP routes to the Watchguard NVA?
I have a BOVPN setup on the Firebox NVA right now and I was hoping to get it working as a failover to the Expressroute connection.