Watchguard Firebox II routes from trusted network

Posted on 2007-10-12
Last Modified: 2013-11-16
Hello.  We have two sites connected via VPN.  The remote network is and the local network is  They are connected via VPN router and connectivity is good.  There is a WatchGuard Firebox II firewall on the Gateway from the 172 Optional network with a Route set up pointing all traffic destined for the network to the VPN router on  All is good so far.
What we wish to do is access the network from the Trusted network ( in the same way, i.e. over the same VPN, but the route only applies on the following Firebox port, i.e. the Optional network

eth2 gateway to network netmask

How can I set up a static route that forwards all packets from the trusted network to the router on the optional network?

Many thanks in advance
Pete Walker
Question by: pete9mm

    Accepted Solution

    You already must have a network route for with as gateway, I think this should also take care of your network traffic destined for; the only thing is: all the traffic from optional interface destined for trusted interface is prevented by default. So adding a specific service or ANY service should get the traffic to flow. Configure the service as below:
    Outgoing Allow From: to: and
    Incoming Allow From: to:

    Please implement and update.

    Thank you.
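As an added illustration of the reasoning in this answer (not the thread's own configuration and not WatchGuard code), the Python model below performs a static route lookup and then applies the Firebox's default inter-interface policy, showing why a route alone is not enough when the source is on Trusted and the next hop is on Optional. Every address, interface name and route is a constructed placeholder, not the poster's networks.

```python
# Added example: static route lookup followed by an inter-interface policy check.
# All addresses below are constructed placeholders, not the thread's real networks.
import ipaddress

# Constructed: Firebox interface -> directly connected subnet
INTERFACES = {
    "eth0": ipaddress.ip_network("10.0.0.0/24"),     # Trusted (placeholder)
    "eth2": ipaddress.ip_network("172.16.0.0/24"),   # Optional (placeholder)
}

# Constructed static routes: (destination network, next hop). The next hop is a
# VPN router on the Optional network, as in the thread.
ROUTES = [
    (ipaddress.ip_network("192.168.5.0/24"), ipaddress.ip_address("172.16.0.254")),
]


def iface_of(addr):
    """Return the interface whose subnet contains addr, or None."""
    addr = ipaddress.ip_address(addr)
    for iface, net in INTERFACES.items():
        if addr in net:
            return iface
    return None


def lookup_route(dst):
    """Longest-prefix match over static routes; fall back to directly connected."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, next_hop in ROUTES:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is not None:
        return best[1]
    return dst if iface_of(dst) is not None else None


def forward(src, dst, policy):
    """Return (next_hop, decision). policy is a set of allowed (in_if, out_if) pairs.
    Traffic that leaves on the interface it arrived on needs no policy; traffic
    crossing interfaces (Trusted -> Optional here) is denied unless a rule allows it."""
    next_hop = lookup_route(dst)
    if next_hop is None:
        return None, "no route"
    in_if, out_if = iface_of(src), iface_of(next_hop)
    if in_if == out_if or (in_if, out_if) in policy:
        return str(next_hop), "allow"
    return str(next_hop), "deny"
```

Running `forward("10.0.0.5", "192.168.5.10", set())` resolves the next hop correctly yet returns "deny"; adding `("eth0", "eth2")` to the policy set is the equivalent of the Any rule the answer describes.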

    Author Comment

    Thank you for your comments dpk_wal.  Unfortunately, adding this Any rule has not helped.  

    The monitor shows this when a ping to is executed:  10/15/07 18:22  firewalld[356]:  allow out eth1 60 icmp 20 128 8 0 (Any-BH)

    This may not be relevant, but when tracing the route from the 172 network, and with the Firebox as the gateway, its IP address doesn't show up on the trace, whereas the first hop on the failed trace from the 192 network does show up on the trace.
    Additional info:  The VPN router on the 172 network ( has a static route set to use (the optional Firebox interface) as the gateway for all traffic destined to the 192 network.  The metric is set to 2 and I wanted to check that this is OK.

    Thank you

    Expert Comment

    On the router use the router IP instead of FB optional interface IP as gateway for network.

    Also, in the ANY rule add network in addition to network and check results.

    Please update.

    Expert Comment

    Solution was provided but user comment was needed to check if that worked.

    Thank you.
