Link to home
Create AccountLog in
Avatar of Daniel Bertolone
Daniel BertoloneFlag for United Kingdom of Great Britain and Northern Ireland

asked on

Watchguard XTM 330 & SBS 2008 Network

I have a client running an SBS 2008 network connected via Draytek adsl router / firewall.

Now the client has recently had installed a fibre link with managed cisco router & wants to implement the WatchGuard as their firewall.

Now I have never setup a Watchguard before so apologies if the questions are basic...

I have configured the WatchGuard using my laptop and gave given the WatchGuard the internal address of, the reason for me choosing this address is that currently the default gateway in the SBS environment is set to 253 so I thought to keep things simple I could set the WatchGuard’s internal IP the same as existing default gateway which would mean come switchover time I would not have to change anything on the SBS server as its still pointing to the same address for its gateway, am I correct in thinking this ?

I have configured the WatchGuard with the gateway & external IP provided by the new isp and I can gain access to the internet via my laptop as long as I configure the LAN card to be on the same subnet as the WatchGuard, however my laptop will only connect to the internet if I enter an external dns address such as, if I enter the internal ip of the WatchGuard on the dns settings then I am unable to access the net.

Basically I am trying to replicate the sbs environment on my laptop before the switch over and just wanted to know why the laptop needs an external dns address, I thought by pointing the dns server on my laptop at the WatchGuard’s internal ip then it would  receive its DNS from the Watchguard?

Also any tips on how to open portrs on the firewall for smtp & rdp
Avatar of David Atkin
David Atkin
Flag of United Kingdom of Great Britain and Northern Ireland image


Have you set the DNS up on the WatchGuard?  Thats probably why you wont be able to use it as a DNS Server. Set the Watchguards DNS to your ISP's DNS Server or google Public DNS. This shouldn't matter to the SBS though as it will have its own forwarders configured.

Keeping the IP Address of the Watchguard is a good idea. You should be able to just switch it over without a problem to the Internet Access.

As for the ports on the router, I suggest you copy the existing port mappings from the existing router.  By default you should have ports 25, 80, 443 and 987 forwarded to the SBS.

Also, if you are recieving mail via the SBS you will need to think about MX records for your domain, prior to the move to the new connection.

I would do the change on a night - Outside of working hours to make sure it goes across ok.

Avatar of Daniel Bertolone


User generated imageThanks for your reply..

I did think that in terms of the dns but even with an external dns server entered into the WatchGuard I still have to manually enter an external dns server via the lan card on my laptop otherwise he laptop cannot get onto the net.

Does DHCP have to be enabled in order for the WatchGuard to act as the dns server??

Also when trying to create port mappings on the WatchGuard I am not sure how to point the port to the internal ip of the server... Any tips?
I'm presuming the Server is on - You dont want this as a DNS Server in your router.  It will try and make external lookups to your SBS and will probably loop.   Remove the local Server from the DNS List and add as a second DNS Server.

No DHCP does not have to be enabled.  The router can be used for DNS requests without DHCP being enabled.  It will look at its ARP table for local DNS lookups and will forward external ones to google.

Can you give us a screen shot of the NATting on the WatchGuard?  I will see if I can help.
User generated imageUser generated imageThanks for the reply, i have since spoken with WatchGuard technical and have attached some screens of the firewall policies we setup.

Now we have purchased live security so would like to use the web blocker, gateway AV & anti-spam, in this case would I need to route all of my traffic via a proxy for this to work.

Let me know your thoughts
Avatar of Daniel Bertolone
Daniel Bertolone
Flag of United Kingdom of Great Britain and Northern Ireland image

Link to home
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
Resolved the issue by contacting WatchGuard Technical support