Firewalla Site to Site VPN


Comments

21 comments

  • Gareth Sargeant

    This sentence :

    "A site to Site VPN setup requires 2 Firewalla boxes at each site."

    should be: 

    "A site to Site VPN setup requires 2 Firewalla boxes, one at each site."

    Correct?

  • Support Team

    @Gareth, Yes, you are right. Corrected. Thanks! 

  • atif.ahmad

    I tried setting up site to site with my friend. We share work but do not have the same domain, etc.

    Both my friend and I are running FW Gold.
    Why do we have to have both firewalls on the same account?

  • Schwickert

    Given that the subnets need to be different for clients and server, how should the subnet masks be set on both sides to make that work?

  • Firewalla

    As long as the subnet for the client and servers do not overlap, it should be fine. 

  • Nathan Thee

    In the example above, having a multi-site VPN, will rules also need to be created to allow those subnets at the two client sites? I'm unable to route all internet traffic through the VPN due to asymmetrical bandwidth, so I set up static routes. I'm unable to reach any devices from the two site-to-site VPN clients.

    Any advice would be appreciated.

    I have FWG at "headquarters" and a FWG and FWP for the two clients.

  • Ryan Hendrickson

    Nathan, 

    Did you ever get an update on this or figure it out?  I have 2 Golds and 1 Gold Plus and I don't want to route all my traffic out of the headquarters.  Defeats the purpose imo.

  • Nathan Thee

    Ryan H.,

    I have not received a response. I agree it defeats the purpose. If we all had synchronous Internet connections it wouldn't be a big deal. A majority of the population does not have the luxury.

  • Ryan Hendrickson

    Figured this out after going through the forums for an hour.  They should add this configuration on this page, but this does work:

    Problem resolved.
    Remove yourself from the VPN Client and add all your "remote" subnets through the Routes.

    VPN Client config
    * Remove the Group or computers from the "Apply To" in the VPN Client.
    * Select VPN for the Internet Outbound Policy

    Routes config
    * Add all the subnets on the server side you need to reach, including the peer site subnets listed in the VPN Client
    * Point the interface for these routes to the VPN client

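The two constraints the thread keeps returning to (Firewalla's "as long as the subnets do not overlap" and Ryan's "add all the remote subnets through the Routes and point them at the VPN client") can be checked before touching the app. The script below is an added example written for this page; it is not Firewalla code and does not talk to a Firewalla box. It models a hub-and-spoke layout with constructed sample subnets, rejects overlapping addressing, and emits the static-route list each site needs, either split-tunnel (only remote LANs via the VPN, everything else on the local uplink) or route-all (a default route via the VPN as well). The interface name `vpn_client` and the site names are placeholders, not names the app uses.

```python
"""
Subnet and static-route planner for a hub-and-spoke site-to-site VPN.

Added example, not Firewalla's code. It models the two rules the thread turns
on: LAN subnets at different sites must not overlap, and each site needs a
static route for every remote subnet pointing at the VPN interface (split
tunnel), or additionally a default route via the VPN (route-all).
"""
from ipaddress import collapse_addresses, ip_address, ip_network
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed sample topology (an assumption, not taken from the thread):
# a hub ("headquarters") with two LANs and two spoke sites with one LAN each.
# IPv4 only; collapse_addresses() refuses to mix address families.
SITES: Dict[str, List[str]] = {
    "hq": ["192.168.10.0/24", "192.168.11.0/24"],
    "site_a": ["192.168.20.0/24"],
    "site_b": ["192.168.30.0/24"],
}

# Placeholder: the Firewalla app labels the VPN client interface itself.
VPN_IF = "vpn_client"


def find_overlaps(sites: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Return every pair of subnets at *different* sites that overlap.

    An empty list means the addressing plan is usable for site-to-site
    routing. An overlap makes destinations ambiguous: the local LAN and a
    remote LAN would both claim the same addresses.
    """
    flat = [(site, ip_network(c)) for site, cidrs in sites.items() for c in cidrs]
    return [
        (s1, str(n1), s2, str(n2))
        for (s1, n1), (s2, n2) in combinations(flat, 2)
        if s1 != s2 and n1.overlaps(n2)
    ]


def plan_routes(
    sites: Dict[str, List[str]],
    local: str,
    vpn_if: str = VPN_IF,
    full_tunnel: bool = False,
) -> List[Tuple[str, str]]:
    """Static routes the `local` site needs, as (destination, interface) pairs.

    Every remote site's subnets are routed via the VPN interface, adjacent
    prefixes collapsed into one entry. With full_tunnel=True a default route
    via the VPN is appended (the "route all Internet traffic" case); without
    it only remote-LAN traffic enters the tunnel and other traffic leaves on
    the site's own uplink. Refuses to plan on an overlapping address scheme.
    """
    overlaps = find_overlaps(sites)
    if overlaps:
        raise ValueError(f"overlapping subnets, renumber first: {overlaps}")
    if local not in sites:
        raise KeyError(local)
    routes: List[Tuple[str, str]] = []
    for site, cidrs in sites.items():
        if site == local:
            continue
        for net in collapse_addresses(ip_network(c) for c in cidrs):
            routes.append((str(net), vpn_if))
    if full_tunnel:
        routes.append(("0.0.0.0/0", vpn_if))
    return routes


def route_for(routes: List[Tuple[str, str]], address: str) -> str:
    """Longest-prefix match: the interface a packet to `address` would use.

    Returns "local" when no planned route covers the address, meaning the
    packet would leave on the site's own Internet connection.
    """
    addr = ip_address(address)
    best_len, best_if = -1, "local"
    for dest, iface in routes:
        net = ip_network(dest)
        if addr in net and net.prefixlen > best_len:
            best_len, best_if = net.prefixlen, iface
    return best_if


if __name__ == "__main__":
    if find_overlaps(SITES):
        raise SystemExit("fix overlapping subnets before configuring routes")
    # Routes are needed in both directions: the hub must route back to each
    # spoke just as each spoke routes to the hub and to the other spoke.
    for site in SITES:
        print(f"{site}:")
        for dest, iface in plan_routes(SITES, site):
            print(f"  {dest:<18} via {iface}")
```

Run it as-is to print the per-site route table; in the sample, `site_a` gets `192.168.10.0/23` and `192.168.30.0/24` via the VPN interface, and without `full_tunnel` a packet to a public address is classified as `local`, which is the split-tunnel behaviour Nathan and Ryan were after.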
  • Ryan Hendrickson

    Nathan, if you need help let me know, I'd be happy to jump on a zoom; it was frustrating to say the least. 

  • Firewalla

    The "common issues and fixes" section has an image of the configuration that will allow one side's firewall to be turned off. I'll ask the team to document that more clearly.

  • deepak.chand

    Is it possible to have a site to site connection that lets you ping the hostname as well?

  • Ryan Hendrickson

    I haven't been able to figure that out yet; I almost feel you need to make a rule, though.

  • Kyle Vidrine

    Will a Firewalla firewall connect to another vendor's firewall (one that supports IPsec) for a remote office VPN tunnel, or will it only connect to another Firewalla firewall?

  • Ryan Hendrickson

    I've tried figuring it out with SonicWALL, Fortigate, and Azure NSG; however, it won't work because the protocols are not available in the Firewalla. I will say that you can probably do it via CLI with a third-party package, but I didn't go that route. For Azure, I ended up setting up a WireGuard server and set up a one-way connection. Hope this helps.

  • Ryan Hendrickson

    Here is a good link; it's about a year old, but I think this still stands true today:

    https://help.firewalla.com/hc/en-us/community/posts/360048582914-Feature-request-Site-to-site-VPn-with-third-party-device-or-even-cloud

  • Mark Schultheis

    I have a gold device on server side and need to setup a client side network with 2 clients for 10 Mbps throughput. What Firewalla should I purchase for client side?

  • Andrew Mogilyansky

    I want to set up a site-to-site VPN between two sites. At both locations I have Verizon FIOS residential service with dynamic public IPs which change about once a month at each location.

    Can I set up a site-to-site VPN using a Firewalla Gold Plus box at each of these 2 sites? I would love for the VPN to automatically reconnect when an IP of the main location changes.

    To the extent this is not possible, is there at least a way for the client site to reconnect by simply restarting the Firewalla client device (and it would auto-discover the new IP of the main site using its DDNS web name rather than having to manually re-enter the new public IP address)?

    Thanks in advance.

  • Firewalla

    They will reconnect even if IP changes. (Firewalla uses DDNS)

  • Andrew Mogilyansky

    I plan to run Firewalla Gold Plus in bridge mode at both sites [CLOUD] => [VERIZON FIOS ROUTER] => [FIREWALLA IN BRIDGE MODE] => [SWITCH] => [WIRED LAN PCs].

    If I open the appropriate ports on the FiOS router and direct them to the Firewalla device, will site-to-site VPN work even though the device is running in bridge mode? 

  • PejmanK

    Hi,

    I successfully set up my site-to-site VPN between my Firewalla Gold and Purple.

    The Purple is the server and the Gold is the client. Now I need to send all internet traffic for the devices connected to my Purple through my Firewalla Gold. In the Routes section I don't see my VPN tunnel. If I try to do the same on the Gold, I can see my VPN tunnel in the Routes section.

    I can't make the VPN tunnel connect if I initiate it from the Purple to the Gold, since connecting to a VPN is blocked in the country where the Purple is. Any suggestions?

    Gold (client) (Site A) <-------tunnel-----> Purple (server) (Site B)
    Protocol: WireGuard.

    Issue: route all internet traffic from the clients in Site B (Purple) through the tunnel to the Gold and use the internet connection at Site A, where the Gold is connected.
