Directing traffic of a Wifi router to a specific external interface on Watchguard XTM330 firewall

Posted on 2013-09-09
Last Modified: 2013-09-10
Hi guys,

I have the following configuration on my office network:

[Image: Network Config]

I want to direct all of the outgoing traffic of the wifi router to a specific external interface on the firewall. But the router is connected to a switch which also has all other servers and PCs on the network connected to it.

Is it possible to only direct the traffic from the router to that specific external interface without routing all the other hardware connected to the switch?
Question by:ScreenFox

Accepted Solution

Daniel Helgenberger earned 2000 total points
ID: 39475729
What you are looking for is called Policy Based Routing. Your firewall does support this, I think.

You need to configure this in your 'WG Firewall' but the wireless clients need to be identified somehow. And the Public IPs need to be configured as gateway on the firewall. You just say 'connected' - but most certainly you will have a wireless VLAN already?
Here are the basics:
- IF: Internally facing interface / WLAN Subnet
- Source: WLAN Subnet
- Destination: Any
- Port / Proto: Any
- Gateway: your desired gateway
This example should do the trick. This will route all the traffic from your WLAN subnet through one of your gateways. To test it, just set the rule to 'reject' and then do some traceroutes when you set it to 'pass' - or just disconnect the uplink.

Tip: If the specified gateway is down, WLAN will have no WAN connectivity any more. Better than to set a fixed gateway will be to use a tiered gateway group here.

If you do not have a WLAN subnet then set up one, use your switch to create a VLAN for WLAN or use RADIUS to identify the WLAN clients. RADIUS supports a connection type which lets you identify wireless connections. This setup is much harder to implement though.
My recommendation therefore is to set up WLAN clients in their own subnet and VLAN. You can use your switch (if layer3, better performance) or your firewall (more fine grained access control) to route the traffic to your office subnet; if you do want full access then just set up the rules accordingly. Here I do recommend using the firewall to do the routing, since WLAN traffic may be low anyway and you can control it much better (WLAN is a security risk). But this highly depends on your traffic / number of access points.
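
The rule evaluation described in the answer above, modeled as an added example that is not part of the original post and is not WatchGuard configuration syntax. It compares a fixed gateway with a tiered gateway group when an uplink fails; the subnet, interface names and gateway names are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing and names (assumptions, not from the post)
WLAN_SUBNET = ipaddress.ip_network("10.0.20.0/24")
DEFAULT_GATEWAY = "ext0"  # uplink used by everything that matches no rule


@dataclass
class PbrRule:
    """Policy-based routing rule: IF + source -> gateway(s).
    Destination and port/protocol are 'Any', so they are not modeled."""
    in_iface: str
    source: ipaddress.IPv4Network
    gateways: list  # one entry = fixed gateway; several = tiered group

    def matches(self, in_iface, src_ip):
        return (in_iface == self.in_iface
                and ipaddress.ip_address(src_ip) in self.source)


def select_gateway(rules, in_iface, src_ip, link_up, default_gw=DEFAULT_GATEWAY):
    """Return the egress gateway for a packet, or None if it has no WAN path."""
    for rule in rules:
        if rule.matches(in_iface, src_ip):
            # Walk the tiers in order and take the first uplink that is up.
            for gw in rule.gateways:
                if link_up.get(gw, False):
                    return gw
            # Rule matched but every tier is down: WLAN loses WAN access.
            return None
    # No policy rule matched: the normal default route applies.
    return default_gw if link_up.get(default_gw, False) else None


FIXED = [PbrRule("vlan20", WLAN_SUBNET, ["ext1"])]
TIERED = [PbrRule("vlan20", WLAN_SUBNET, ["ext1", "ext2"])]

if __name__ == "__main__":
    ext1_down = {"ext0": True, "ext1": False, "ext2": True}
    for name, rules in (("fixed", FIXED), ("tiered", TIERED)):
        wlan = select_gateway(rules, "vlan20", "10.0.20.15", ext1_down)
        office = select_gateway(rules, "vlan1", "10.0.1.50", ext1_down)
        print(f"{name}: wlan client -> {wlan}, office host -> {office}")
```
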
