• Status: Solved
• Priority: Medium
• Security: Public
• Views: 2375

Watchguard Firebox X550e routing between networks

I have a new client that is a state historical society museum. The Firebox is running Fireware v.9.0, which I know is quite out of date, but I'm a little leery of updating it at this point, since it's a rather old router to begin with. Maybe someone has some advice about that as well as my main question below. I'm relatively new to working with this hardware, and I'm working with the following configuration:

Network #1 - internal "Trusted" network, subnet
Network #2 - Optional network, subnet
Network #3 - Optional network, subnet

Network #2 contains several workstations in the museum's library that are used by the public to access the Internet and the webservers that are going to be on Network #3.  Network #3 will contain 2 web servers (not yet in use) that house the museum's library catalog and collections databases.

What I'm trying to figure out is how to enable routing between Network #1 and Network #3 so that I can open some ports from the internal, trusted network to the web servers for the purposes of management of the web applications running on those servers and updating data. The data on these two servers needs to be updated on a fairly regular basis. My goal is to be able to open the required ports internally only between Network #1 and Network #3 without exposing them to the Internet.  

I thought that this should be pretty simple by adding filters to specify opening the required ports between the Trusted Network and Optional Network #3. But rather than experimenting using the documentation I have and my own knowledge of routing, I thought I'd check here first to see if someone can give me some easy and direct method that they know will work, and/or confirm that I'm on the right track.
Hypercat (Deb)
3 Solutions
Yes, you are on the right track.

First, the version 9 OS can be upgraded to Version 10.  During the upgrade all of the existing rules can be preserved and converted.  Also during the process, you will be prompted to save the configuration file before sending it to the Firebox.  I would save it as a different name so that you have the original version 9 configuration intact if you need to go back to version 9 for any reason.  Once you have converted to version 10, you can apply the patches, and then move on to version 11.

As far as the traffic segmentation, you are also correct.  All you need to do is create rules that allow the respective networks to "talk" to each other, and apply the filter to those rules.  The optional segments can have gateways set to allow them to access (or not) the internet and other resources on both the internal network segments and the internet.

Rules are easily created by making sure that networks 1 and 3 are the only networks allowed within the rule, and then creating a rule for each type of traffic (web, FTP).

Hope this helps.


Jon Snyderman Commented:
I have little to add here.  msincorp is right and your points are all on target.  Create the interfaces, name them accordingly (for ease of administration) and create specific rules for traffic between them.  The box will easily handle the routing.

As for the upgrade, I'm also with msincorp.  Definitely do the upgrade.  The x550e will support it and there are many new features.  Just be careful of two big gotchas.   First, as msin mentioned, patch v9 to highest available level, go to 10, patch 10 to highest level, then go to latest level of 11.  If you don't skip any steps, all should be fine.  If you do, there will be conversion problems.   Be sure to review the release notes.  They're typically quick reads.  Second, your management station software is MUCH heavier on 11.  Make sure that you check hardware and OS requirements before upgrading.  These can be show-stoppers.   If you are not experienced on v11, lean on EE for that support.  It is worth it.  New web GUI, new web reporting, new application filters, just too much to mention.
By the way, make sure that their maintenance is current or that is a show stopper also.  v9 would run on expired maintenance.  v10+ will not.

Let us know if you need any more specifics but it sounds like you have a good handle on the basic process.  

Hypercat (Deb) Author Commented:
Thanks to you both. I will be working on this next week and will get back and post additional questions and/or award points.

Happy Thanksgiving!

A little addition from my side (in addition to the above recommended updates):

Be sure to configure your DNS properly when adding zones, especially if some of the hosts are not to be available from the outside but are on the same domain name as the external hosts. We've split our network into 5 zones, and had quite a lot of DNS problems in the beginning (internal hosts trying to look up the external address of an "optional-zone" host without an external address etc). Some planning and a few DNS forwarders (if there's a DNS server in each zone) will help a lot.

Good luck!
Hypercat (Deb) Author Commented:
Got everything configured and working with one exception - and it's a doozy, I think... Although I have a workaround in place, as you'll see in my explanation, I'd like to understand better why it works this way and if there is a way to fix it.

The problem I'm having is with routing between the three internal networks.  The objective is to have the Optional 1 network be able to browse to the website that is on the Optional 2 network, using the PUBLIC URL, as explained below.

The details again (some repeated):

Firebox: Public IP range is 173.x.x.74/29; assigned IP is 173.x.x.74. That doesn't make sense to me, but it seems to work and I didn't originally configure this box, so I've left it that way for now.
Trusted Network: 10.10.10.x/24
Optional 1: 10.0.2.x/24
Optional 2: 10.0.3.x/24
    1-to-1 NATed public IP: 173.x.x.75 --->
Website URLs are
    External http://museum.domain.org:8080/website

DNS/AD domain setup:
Firewall DNS servers:, ISP DNS server as secondary,
Trusted Network domain name: local.domain.org, DNS servers and
Optional 1 is a workgroup, no server
Optional 2 domain name: public.domain.org, DNS server (this is also the only machine on this network so far)
Public domain name: domain.org, hosted at Network Solutions which also provides public DNS zone

Rules are:

Allow TCP port 8080 from Any to 173.x.x.75
Allow TCP port 8080 from Any-Trusted or Any-Optional to (this is the workaround part)

On the Optional 1 network, I can resolve the server name museum.domain.org to the correct public IP address. However, when I try to browse the website using that URL, http://museum.domain.org:8080/website, I get "cannot display the webpage" error. I can browse the website using the private IP address: Also, of course, I can browse the website normally from any external host using the public URL.

Can anyone explain why I can't access the website using the external URL instead of the private IP address?
Jon Snyderman Commented:
You are using 1-to-1 NAT which works best in a one ifc-to-one ifc scenario.  You have public and trusted to optional.  This does seem logical, but can be confusing.  I never use 1-to-1 natting at the interface.  It is less flexible and can be problematic and confusing when it comes to policies.

Remove the 1-to-1 NAT and change your first rule to "Allow TCP port 8080 from Any to (NATed 173.x.x.75 ->".
Remove your second rule as it should not be needed, as you suspected.

Hope that helps.

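The behaviour Jon describes above, as an added illustrative model (not WatchGuard code, and not a reproduction of Fireware's real packet-processing order): interface-bound 1-to-1 NAT is consulted only for packets arriving on the interface it is bound to, so a library PC on Optional 1 that resolves the public name and connects to 173.x.x.75 is never translated, while a static NAT attached to the policy itself applies to every packet the policy matches. All addresses are constructed: the masked 173.x.x.74/.75 are written as 203.0.113.74/.75, and the web server's private address, which the thread elides, is assumed to be 10.0.3.10.

```python
"""Simplified model of the NAT/policy behaviour discussed in this thread.

Added example, not WatchGuard code: it does not reproduce Fireware's real
packet-processing order, only the one property that explains the symptom,
namely that interface-bound 1-to-1 NAT is evaluated for packets arriving on
the bound interface only, while a policy's own static NAT applies to every
packet the policy matches.  All addresses are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

# Constructed topology: interface name -> directly attached subnet
INTERFACES = {
    "External": ip_network("203.0.113.72/29"),
    "Trusted": ip_network("10.10.10.0/24"),
    "Optional1": ip_network("10.0.2.0/24"),
    "Optional2": ip_network("10.0.3.0/24"),
}
PUB74 = ip_address("203.0.113.74")    # stands in for the Firebox's 173.x.x.74
PUB75 = ip_address("203.0.113.75")    # stands in for the NATed 173.x.x.75
FIREBOX_PUBLIC_IPS = {PUB74, PUB75}
WEB_SERVER = ip_address("10.0.3.10")  # assumed private IP of the Optional 2 web server


def ingress_interface(src: IPv4Address) -> str:
    """Interface a packet from `src` arrives on (anything not local -> External)."""
    for name, net in INTERFACES.items():
        if name != "External" and src in net:
            return name
    return "External"


@dataclass
class Policy:
    name: str
    port: int
    from_aliases: set                       # e.g. {"Any"} or {"Any-Trusted", "Any-Optional"}
    to: IPv4Address                         # destination as written in the rule
    snat_to: Optional[IPv4Address] = None   # policy-based static NAT target, if any


@dataclass
class Firebox:
    policies: list
    # interface-bound 1-to-1 NAT: interface -> {public_ip: private_ip}
    one_to_one_nat: dict = field(default_factory=dict)

    @staticmethod
    def source_matches(alias: str, ingress: str) -> bool:
        return (alias == "Any"
                or (alias == "Any-Trusted" and ingress == "Trusted")
                or (alias == "Any-Optional" and ingress.startswith("Optional")))

    def forward(self, src: IPv4Address, dst: IPv4Address, port: int):
        """Return (matched policy name, host the packet is delivered to).

        (None, None): no policy allowed the packet.
        (name, None): a policy allowed it, but the destination is still a
        Firebox-owned public address that was never translated, so there is
        no server behind it (the "cannot display the webpage" case).
        """
        ingress = ingress_interface(src)
        for p in self.policies:
            if p.port != port or p.to != dst:
                continue
            if not any(self.source_matches(a, ingress) for a in p.from_aliases):
                continue
            # 1-to-1 NAT is only consulted for the interface it is bound to
            per_iface = self.one_to_one_nat.get(ingress, {})
            delivered = p.snat_to or per_iface.get(dst, dst)
            if delivered in FIREBOX_PUBLIC_IPS:
                return p.name, None
            return p.name, delivered
        return None, None


def deb_config() -> Firebox:
    """Original setup: 1-to-1 NAT bound to External plus the workaround rule."""
    return Firebox(
        policies=[
            Policy("HTTP-8080-public", 8080, {"Any"}, PUB75),
            Policy("HTTP-8080-workaround", 8080, {"Any-Trusted", "Any-Optional"}, WEB_SERVER),
        ],
        one_to_one_nat={"External": {PUB75: WEB_SERVER}},
    )


def jon_config() -> Firebox:
    """Suggested setup: one policy to the public IP carrying its own static NAT."""
    return Firebox(policies=[Policy("HTTP-8080-public", 8080, {"Any"}, PUB75, snat_to=WEB_SERVER)])


if __name__ == "__main__":
    internet, library_pc = ip_address("198.51.100.5"), ip_address("10.0.2.20")
    for label, fb in (("1-to-1 NAT", deb_config()), ("policy SNAT", jon_config())):
        for who, src in (("Internet", internet), ("Optional 1", library_pc)):
            print(f"{label:11} {who:10} -> {PUB75}:8080 => {fb.forward(src, PUB75, 8080)}")
```

Running the script shows the Internet client reaching the server under both configurations, the Optional 1 client reaching only the Firebox's own address under the 1-to-1 configuration, and the Optional 1 client reaching the server once the translation is carried by the policy. The dynamic NAT question in the next comment (whether replies need the internal source masqueraded) is outside this model.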
Jon Snyderman Commented:
Sorry, one other note.  You may need to change your dynamic NAT rules from the default 10.10.10.x-Any-External to 10.10.10.x-Any or just add another dynamic NAT rule for 10.10.10.x-Any-Optional.  I am not sure if this will be needed or not.  Try it without first.

Hypercat (Deb) Author Commented:
Now I remember why I didn't do what you suggest, Jon, in the first place, which is how I would normally do it.  I tried that, but when I go to select the "Add NAT" option, it doesn't allow me to input a different external IP address.  The only options I have are 173.x.x.74 (the static public IP assigned to the firewall), External or Any-External. See screen capture.
Hypercat (Deb) Author Commented:
NEVER MIIINNNDD ;-\ I figured out what I was missing - I didn't realize I had to go in and add those IP addresses on the external configuration as additional addresses to be used on the external interface. I was thinking old-style subnet routing where you have the subnet mask defining the external address range and don't have to do anything more than that.
Jon Snyderman Commented:
Yep, good. So it's working now?

Hypercat (Deb) Author Commented:
Everything's working perfectly now. That last little bit still mystifies me a little, but as long as it works, I'm happy. They've been trying to get this website up and running for over a year, so along with some SQL and web design consulting that we've done, my company is looking like heroes on this one!  Thanks and happy Experts Exchanging.
Question has a verified solution.
