Daniel Bertolone

Watchguard XTM 330 & SBS 2008 Network

I have a client running an SBS 2008 network connected via a DrayTek ADSL router/firewall.

The client has recently had a fibre link installed with a managed Cisco router and wants to implement the WatchGuard as their firewall.

I have never set up a WatchGuard before, so apologies if the questions are basic...

I have configured the WatchGuard using my laptop and have given the WatchGuard the internal address of, the reason for me choosing this address is that currently the default gateway in the SBS environment is set to 253, so I thought to keep things simple I could set the WatchGuard's internal IP the same as the existing default gateway, which would mean come switchover time I would not have to change anything on the SBS server as it's still pointing to the same address for its gateway. Am I correct in thinking this?

I have configured the WatchGuard with the gateway and external IP provided by the new ISP and I can gain access to the internet via my laptop as long as I configure the LAN card to be on the same subnet as the WatchGuard. However, my laptop will only connect to the internet if I enter an external DNS address such as, if I enter the internal IP of the WatchGuard in the DNS settings then I am unable to access the net.

Basically I am trying to replicate the SBS environment on my laptop before the switchover and just wanted to know why the laptop needs an external DNS address. I thought by pointing the DNS server on my laptop at the WatchGuard's internal IP then it would receive its DNS from the WatchGuard?

Also, any tips on how to open ports on the firewall for SMTP and RDP?

Last comment: Daniel Bertolone, 8/22/2022 - Mon
David Atkin


Have you set the DNS up on the WatchGuard? That's probably why you won't be able to use it as a DNS server. Set the WatchGuard's DNS to your ISP's DNS server or Google Public DNS. This shouldn't matter to the SBS though as it will have its own forwarders configured.

Keeping the IP address of the WatchGuard is a good idea. You should be able to just switch it over without a problem to the Internet access.

As for the ports on the router, I suggest you copy the existing port mappings from the existing router. By default you should have ports 25, 80, 443 and 987 forwarded to the SBS.

Also, if you are receiving mail via the SBS you will need to think about MX records for your domain, prior to the move to the new connection.

I would do the change on a night, outside of working hours, to make sure it goes across OK.
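
A pre-cutover check for the two points in the answer above, as an added example that is not part of the original thread: it sends one DNS query to a candidate resolver (such as the firewall's internal address) to see whether anything answers on UDP/53, and tests TCP reachability of the forwarded ports 25, 80, 443 and 987. The function names and the addresses passed on the command line are assumptions; run the port check from outside the network, since connecting from inside to the public IP depends on NAT loopback.

```python
import socket
import struct
import sys

FORWARDED_PORTS = (25, 80, 443, 987)  # ports listed in the answer above
TXID = 0x1234                          # fixed query ID, fine for a one-shot test

def build_query(name):
    """Minimal DNS A-record query (RFC 1035) with the recursion-desired bit."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # A, IN

def parse_reply(data):
    """Return (rcode, answer_count); ValueError if not a reply to our query."""
    if len(data) < 12:
        raise ValueError("short DNS reply")
    rid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != TXID or not flags & 0x8000:  # QR bit must be set
        raise ValueError("not a reply to our query")
    return flags & 0x000F, ancount

def dns_status(server, name="example.com", timeout=3.0):
    """Classify how `server` handles one query on UDP/53."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, 53))
            rcode, ancount = parse_reply(s.recvfrom(512)[0])
        except (OSError, ValueError):  # timeout, ICMP unreachable, bad reply
            return "no DNS service answering"
    if rcode == 0 and ancount:
        return "resolves"
    return "answers but does not resolve (rcode=%d)" % rcode

def port_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    # Usage (addresses supplied by the operator): check.py <resolver-ip> <public-ip>
    resolver, public = sys.argv[1], sys.argv[2]
    print("DNS via", resolver, "->", dns_status(resolver))
    for p in FORWARDED_PORTS:
        state = "open" if port_open(public, p) else "closed/filtered"
        print("tcp/%d on %s: %s" % (p, public, state))
```

A result of "no DNS service answering" for the firewall's address means nothing on it is listening for client queries, which is a separate matter from which upstream DNS servers the firewall itself has configured.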

Daniel Bertolone

[Attached image: WatchGuard DNS]

Thanks for your reply.

I did think that in terms of the DNS, but even with an external DNS server entered into the WatchGuard I still have to manually enter an external DNS server via the LAN card on my laptop, otherwise the laptop cannot get onto the net.

Does DHCP have to be enabled in order for the WatchGuard to act as the DNS server?

Also, when trying to create port mappings on the WatchGuard I am not sure how to point the port to the internal IP of the server... Any tips?
David Atkin

I'm presuming the Server is on - You don't want this as a DNS Server in your router. It will try and make external lookups to your SBS and will probably loop. Remove the local Server from the DNS List and add as a second DNS Server.

No, DHCP does not have to be enabled. The router can be used for DNS requests without DHCP being enabled. It will look at its ARP table for local DNS lookups and will forward external ones to Google.

Can you give us a screen shot of the NATting on the WatchGuard?  I will see if I can help.
Daniel Bertolone

[Attached images: NAT Setup, Firewall Setup]

Thanks for the reply. I have since spoken with WatchGuard technical and have attached some screens of the firewall policies we set up.

Now we have purchased LiveSecurity, so would like to use the web blocker, gateway AV and anti-spam. In this case, would I need to route all of my traffic via a proxy for this to work?

Let me know your thoughts
Daniel Bertolone

Resolved the issue by contacting WatchGuard Technical support