Watchguard Firebox II routes from trusted network

Posted on 2007-10-12
Medium Priority
Last Modified: 2013-11-16
Hello.  We have two sites connected via VPN.  The remote network is and the local network is  They are connected via VPN router and connectivity is good.  There is a WatchGuard Firebox II firewall on the Gateway from the 172 Optional network with a Route set up pointing all traffic destined for the network to the VPN router on  All is good so far.
What we wish to do is access the network from the Trusted network ( in the same way, i.e. over the same VPN, but the route only applies on the following Firebox port - i.e. the Optional network

eth2 gateway to network netmask

How can I set up a static route that forwards all packets from the trusted network to the router on the optional network?

Many thanks in advance
Pete Walker
Question by:pete9mm
LVL 32

Accepted Solution

dpk_wal earned 2000 total points
ID: 20079808
You already must have a network route for with as gateway, I think this should also take care of your network traffic destined for; the only thing is: all the traffic from optional interface destined for trusted interface is prevented by default. So adding a specific service or ANY service should get the traffic to flow. Configure the service as below:
Outgoing Allow From: to: and
Incoming Allow From: to:

Please implement and update.

Thank you.

Author Comment

ID: 20080171
Thank you for your comments dpk_wal.  Unfortunately, adding this Any rule has not helped.  

The monitor shows this when a ping to is executed:  10/15/07 18:22  firewalld[356]:  allow out eth1 60 icmp 20 128 8 0 (Any-BH)

This may not be relevant, but when tracing the route from the 172 network, and with the Firebox as the gateway, its IP address doesn't show up on the trace, whereas the first hop on the failed trace from the 192 network does show up on the trace.
Additional info:  The VPN router on the 172 network ( has a static route set to use (the optional Firebox interface) as the gateway for all traffic destined to the 192 network.  The metric is set to 2 and I wanted to check that this is OK.

Thank you
LVL 32

Expert Comment

ID: 20083429
On the router use the router IP instead of FB optional interface IP as gateway for network.

Also, in the ANY rule add network in addition to network and check results.

Please update.
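To illustrate the two points made in these comments (traffic arriving on the Optional interface for the Trusted network is dropped until a service allows it, and the incoming side of that service must name the remote network, not only the Optional one), here is an added Python model of the Firebox's route lookup plus interface policy. It is not WatchGuard code and not from this thread; the prefixes, the VPN router address and the eth1/eth2 mapping are constructed placeholders, since the real values are not on the page.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed placeholder topology: the real prefixes are not on the page.
TRUSTED = ipaddress.ip_network("192.168.10.0/24")    # eth1, Trusted (assumed mapping)
OPTIONAL = ipaddress.ip_network("172.16.0.0/24")     # eth2, Optional (assumed mapping)
REMOTE = ipaddress.ip_network("192.168.20.0/24")     # network behind the VPN router
VPN_ROUTER = ipaddress.ip_address("172.16.0.254")    # VPN router on the Optional net

# Route table: (prefix, next hop or None if directly connected, interface).
ROUTES = [(TRUSTED, None, "eth1"), (OPTIONAL, None, "eth2"), (REMOTE, VPN_ROUTER, "eth2")]
Rule = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]

# The "ANY" service as first tried: the incoming side names only the Optional net.
RULES_PARTIAL: List[Rule] = [(TRUSTED, OPTIONAL), (TRUSTED, REMOTE), (OPTIONAL, TRUSTED)]
# The same service with the remote network added on the incoming side.
RULES_FULL: List[Rule] = RULES_PARTIAL + [(REMOTE, TRUSTED)]


def route(addr: str) -> Tuple[Optional[ipaddress.IPv4Address], str]:
    """Longest-prefix match; returns (next_hop, interface) or raises LookupError."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in ROUTES if ip in r[0]]
    if not hits:
        raise LookupError(f"no route to {addr}")
    _, next_hop, iface = max(hits, key=lambda r: r[0].prefixlen)
    return next_hop, iface


def forward(src: str, dst: str, allow: List[Rule]) -> dict:
    """Decide one packet: route it, then apply a default-deny interface policy.
    Same-interface traffic is not filtered; anything crossing interfaces needs an
    explicit (src_net, dst_net) allow rule, which is why the reply from the remote
    network is dropped on eth2->eth1 until a rule names the remote network."""
    _, ingress = route(src)            # interface the packet arrives on
    next_hop, egress = route(dst)      # interface and gateway it would leave by
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    permitted = ingress == egress or any(s in a and d in b for a, b in allow)
    return {"in": ingress, "out": egress,
            "next_hop": str(next_hop) if next_hop else None,
            "verdict": "allow" if permitted else "deny"}


def ping_round_trip(src: str, dst: str, allow: List[Rule]) -> Tuple[str, str]:
    """Verdicts for an echo request and its reply, as the firewall sees each leg."""
    return forward(src, dst, allow)["verdict"], forward(dst, src, allow)["verdict"]
```

With RULES_PARTIAL the request leaves via the VPN router but the reply is denied, which matches a ping that is logged as allowed out yet never answered; RULES_FULL allows both legs.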
LVL 32

Expert Comment

ID: 25778801
Solution was provided but user comment was needed to check if that worked.

Thank you.
