Products Firewalla Gold Firewalla Purple Firewalla Blue Plus Firewalla Red Firewalla Blue

Site To Site VPN Behind Existing Firewall

Follow
Avatar
Matthew S. Webb Jr.
  • Edited

I want to be able to easily configure a way for home users to access the network in my office where I already have a Watchguard Firewall.

 

The goal to me is to potentially have a firewalla behind my main Watchguard which would be a VPN Server and nothing else. (I do not need the other features of the Firewalla).

 

Then ideally I would give home users a Red or Blue and have them set it up at home behind their router. To add to this, I don't want to have to see traffic on their LAN at home, so potentially I would have a basic router that would be sitting behind their existing one to segment their LAN from the LAN which the Firewalla would be on. Both corporate laptop and VOIP SIP phone on the secondary LAN. Is this even feasible?

 

As mentioned, I don't want to have to explain the purpose of the Firewalla that might be on a users home LAN and nor do I care about their devices/usage in their network. By putting a firewalla behind a secondary router the hope would be to just be able to see devices on that secondary LAN.

0

Comments

3 comments

Sort by Date Votes
  • Avatar
    James Willhoite

    The WatchGuard allows OpenVPN connections via the SSL vpn. I've tested it and it works, but I was not able to go from the Watchguard back to the Firewalla Gold. I decided to install IKEv2 via StrongSwan on my Firewalla and have it VPN into the WatchGuard at work. I can see all devices at work, but have not had the time to mess with Work -> Firewalla Gold. This is a Production Firewall that is the central hub for 2 other branches and about 30 other Remote VPN users so It can't go down because I'm messing around with it. You should be able to do it with OpenVPN but if not, then IKEv2 would work with some testing.

    0
    Comment actions Permalink
  • Avatar
    Matthew S. Webb Jr.

    Here is what I have done so far...

    Main Office LAN (Watchguard): 10.10.10.x/23 / SNAT to Firewalla Blue+ for VPN

    Office Firewalla Blue+ (On Main VLAN) : LAN 10.10.10.150 / Overlay 192.168.100.1 / Limited Mode

    OPENVPN Network (On Firewalla Blue+): 10.102.90.1/24

    Remote Firewalla Red: LAN 192.168.99.1 / Overlay 192.168.200.1 / DHCP Mode

    I have the Blue+ set up as the Site-To-Site VPN Server and I can connect from the Red just fine when I assign clients to the VPN. However, I have one HUGE issue that I can't figure out. 

    I have a Polycom SIP Phone that is able to register to the SIP Server, but the calls are failing to go through. I have struggled getting SIP to work over SNAT on the Watchguard in the past and the only way it has worked is through the BOVPN Site-To-Site in Watchguard. 

    I feel like I am on the cusp of this working as the VOIP Phone is a deal breaker if I can't get it working. 

    Any ideas on what might be causing the calls to fail? 

    0
    Comment actions Permalink
  • Avatar
    James Willhoite

    I use MXIE/Zulty phone for work. I’m using IKEv2 for my connection to work though. But I have it set up that ANY traffic destined for my work LAN is routed to my IKEv2 VPN (via SNAT) and all seems to work.

    0
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post