Firewalla Site to Site VPN

Comments

16 comments

  • Gareth Sargeant

    This sentence:

    "A site to Site VPN setup requires 2 Firewalla boxes at each site."

    should be:

    "A site to Site VPN setup requires 2 Firewalla boxes, one at each site."

    Correct?

  • Support Team

    @Gareth, Yes, you are right. Corrected. Thanks!

  • atif.ahmad

    I tried setting up site to site with my friend. We share work but do not have the same domain, etc.

    Both my friend and I are running FW Gold.
    Why do we have to have both firewalls on the same account?

  • Schwickert

    Given that the subnets need to be different for clients and server, how should the subnet masks be set on both sides to make that work?

  • Firewalla

    As long as the subnets for the clients and the server do not overlap, it should be fine.

  • Nathan Thee

    In the example above, having a multi-site VPN, will rules also need to be created to allow those subnets at the two client sites? I'm unable to route all internet traffic through the VPN due to asymmetrical bandwidth, so I set up static routes. I'm unable to reach any devices from the two site-to-site VPN clients.

    Any advice would be appreciated.

    I have FWG at "headquarters" and a FWG and FWP for the two clients.

  • Ryan Hendrickson

    Nathan,

    Did you ever get an update on this or figure it out? I have 2 Golds and 1 Gold Plus and I don't want to route all my traffic out of the headquarters. Defeats the purpose, IMO.

  • Nathan Thee

    Ryan H.,

    I have not received a response. I agree it defeats the purpose. If we all had synchronous Internet connections it wouldn't be a big deal. A majority of the population does not have the luxury.

  • Ryan Hendrickson

    Figured this out after going through the forums for an hour. They should add this configuration on this page, but this does work:

    Problem resolved.
    Remove yourself from the VPN Client and add all your "remote" subnets through the Routes.

    VPN Client config
    * Remove the Group or computers from the "Apply To" in the VPN Client.
    * Select VPN for the Internet Outbound Policy

    Routes config
    * Add all the subnets on the server side you need to reach, including the peer site subnets listed in the VPN Client
    * Point the interface for these routes to the VPN client
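As an added worked example (this is not Firewalla's code and not from any poster in this thread), the script below checks the two constraints the thread settles on: Firewalla's reply that the client and server subnets must not overlap, and the "Routes config" recipe above, where each client site adds every remote subnet (the server's LANs plus the other peer sites' LANs) as a route pointed at its VPN client interface instead of putting its own devices under the VPN client's "Apply To". The site names and addresses are constructed for illustration; the check generalizes to any number of client sites.

```python
"""Added example (not Firewalla's code, nor from any poster in this thread).

Plans the per-client-site route list for a multi-site Firewalla VPN after
confirming that no two site LANs overlap. Site names and addresses are
constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed topology: the VPN server site and two VPN client sites.
SITES: Dict[str, List[str]] = {
    "hq": ["192.168.1.0/24", "192.168.10.0/24"],  # server site ("headquarters")
    "branchA": ["192.168.2.0/24"],                 # client site
    "branchB": ["192.168.3.0/24"],                 # client site
}
SERVER_SITE = "hq"


def find_overlaps(sites: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Return (site_a, site_b, net_a, net_b) for every pair of subnets that overlap.

    An empty list means the topology satisfies the non-overlap requirement.
    """
    nets = [(site, ipaddress.ip_network(n, strict=True))
            for site, subnets in sites.items() for n in subnets]
    overlaps = []
    for i, (site_a, net_a) in enumerate(nets):
        for site_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                overlaps.append((site_a, site_b, str(net_a), str(net_b)))
    return overlaps


def routes_for_client(sites: Dict[str, List[str]], client: str) -> List[str]:
    """Subnets the given client site must add under Routes, each pointed at its
    VPN client interface: every subnet in the topology that is not its own."""
    if client not in sites:
        raise KeyError(f"unknown site {client!r}")
    bad = find_overlaps(sites)
    if bad:
        raise ValueError(f"overlapping subnets, fix these before adding routes: {bad}")
    remote = [n for site, subnets in sites.items() if site != client for n in subnets]
    # Sort numerically, not lexically, so 192.168.10.0/24 lands after 192.168.3.0/24.
    return sorted(remote, key=lambda n: ipaddress.ip_network(n))


def route_plan(sites: Dict[str, List[str]], server: str) -> Dict[str, List[str]]:
    """Route list for every client site. Only the client side is planned here,
    since that is the side the thread's recipe configures."""
    return {site: routes_for_client(sites, site) for site in sites if site != server}


if __name__ == "__main__":
    for site, dests in route_plan(SITES, SERVER_SITE).items():
        print(f"{site}: routes via VPN client interface -> {', '.join(dests)}")
    # A deliberately broken variant: branchB reuses half of hq's first LAN.
    broken = dict(SITES, branchB=["192.168.1.128/25"])
    print("overlaps in broken topology:", find_overlaps(broken))
```

Run it as-is to see the route list each branch needs; change a branch to a subnet that collides with another site and `routes_for_client` refuses to produce a plan, which is the failure the overlap question above is about.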
  • Ryan Hendrickson

    Nathan, if you need help let me know, I'd be happy to jump on a Zoom; it was frustrating to say the least.

  • Firewalla

    The common issues and fixes section has an image of the configuration that will allow one side's firewall to be turned off. I'll ask the team to document that more clearly.

  • deepak.chand

    Is it possible to have a site-to-site connection that lets you ping the hostname as well?

  • Ryan Hendrickson

    I haven't been able to figure that out yet; I almost feel you need to make a rule, though.

  • Kyle Vidrine

    Will a Firewalla firewall connect to other vendors' firewalls (that support IPsec) for a remote office VPN tunnel, or will it only connect to another Firewalla firewall?

  • Ryan Hendrickson

    I've tried figuring it out with SonicWALL, Fortigate, and Azure NSG; however, it won't work because the protocols are not available in the Firewalla. I will say that you can probably do it via CLI with a third-party package, but I didn't go that route. For Azure, I ended up setting up a WireGuard server and set up a one-way connection. Hope this helps.

  • Ryan Hendrickson

    Here is a good link; it's about a year old, but I think it still holds true today:

    https://help.firewalla.com/hc/en-us/community/posts/360048582914-Feature-request-Site-to-site-VPn-with-third-party-device-or-even-cloud
