Directing traffic of a Wifi router to a specific external interface on Watchguard XTM330 firewall

Hi guys,

I have the following configuration on my office network:

Network Config
I want to direct all of the outgoing traffic of the wifi router to a specific external interface on the firewall. But the router is connected to a switch which also has all other servers and PCs on the network connected to it.

Is it possible to only direct the traffic from the router to that specific external interface without routing all the other hardware connected to the switch?

Daniel Helgenberger Commented:
What you are looking for is called Policy Based Routing. Your firewall does support this, I think.

You need to configure this in your 'WG Firewall' but the wireless clients need to be identified somehow. And the Public IPs need to be configured as gateway on the firewall. You just say 'connected' - but most certainly you will have a wireless VLAN already?
Here are the basics:
- IF: Internally facing interface / WLAN Subnet
- Source: WLAN Subnet
- Destination: Any
- Port / Proto: Any
- Gateway: your desired gateway
This example should do the trick. This will route all the traffic from your WLAN subnet through one of your gateways. To test it, just set the rule to 'reject' and then do some traceroutes when you set it to 'pass' - or just disconnect the uplink.

Tip: If the specified gateway is down, WLAN will have no WAN connectivity any more. Better than setting a fixed gateway would be to use a tiered gateway group here.

If you do not have a WLAN subnet then set up one, use your switch to create a VLAN for WLAN or use RADIUS to identify the WLAN clients. RADIUS supports a connection type which lets you identify wireless connections. This setup is much harder to implement though.
My recommendation therefore is to set up WLAN clients in their own subnet and VLAN. You can use your switch (if layer3, better performance) or your firewall (more fine grained access control) to route the traffic to your office subnet; if you do want full access then just set up the rules accordingly. Here I do recommend using the firewall to do the routing, since WLAN traffic may be low anyway and you can control it much better (WLAN is a security risk). But this highly depends on your traffic / number of access points.
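
The rule shape described in the answer above, as an added illustration that is not part of the original answer and is not WatchGuard configuration: a small Python model of source-based policy routing that contrasts a fixed gateway with a tiered gateway group when the preferred uplink fails. The interface names `ext0`/`ext1`, the subnets and the host addresses are constructed assumptions.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the original post).
WLAN_SUBNET = ipaddress.ip_network("192.168.20.0/24")  # dedicated WLAN subnet/VLAN
DEFAULT_GATEWAY = "ext0"                               # uplink for all other traffic

def first_up(tiers, link_up):
    """Return the first gateway in tier order whose link is up, else None."""
    for gw in tiers:
        if link_up.get(gw, False):
            return gw
    return None

def select_gateway(src_ip, rules, link_up):
    """First-match policy routing keyed on the source address.

    rules: list of (source_network, [gateways in tier order]).
    One gateway models a fixed gateway; several model a tiered group.
    Returns the chosen gateway, or None when the matching rule has no
    usable gateway (the matched traffic loses WAN connectivity).
    """
    addr = ipaddress.ip_address(src_ip)
    for network, tiers in rules:
        if addr in network:
            return first_up(tiers, link_up)
    # No policy rule matched: servers and PCs keep the default uplink.
    return DEFAULT_GATEWAY if link_up.get(DEFAULT_GATEWAY, False) else None

# Source: WLAN subnet, Destination/Port: any, Gateway: ext1 only.
FIXED = [(WLAN_SUBNET, ["ext1"])]
# Same match, but a tiered group: prefer ext1, fall back to ext0.
TIERED = [(WLAN_SUBNET, ["ext1", "ext0"])]

if __name__ == "__main__":
    for label, rules in (("fixed", FIXED), ("tiered", TIERED)):
        for ext1_up in (True, False):
            links = {"ext0": True, "ext1": ext1_up}
            wlan = select_gateway("192.168.20.57", rules, links)
            lan = select_gateway("192.168.10.5", rules, links)
            print(f"{label:6} ext1_up={ext1_up!s:5} wlan->{wlan} lan->{lan}")
```
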
