Watchguard Guest Wireless to VPN Access

I have a Watchguard XTM22-W running 11.9 software.
I need to be able to get some traffic from the Wireless Guest network across a VPN to a server at the other (Main) site.
The server is on the 'Trusted' Interface.

Why, you ask? I have a number of "loaner" laptops that really only need access to the Internet, hence they connect to the "Guest" network.
However they run Trend's WFBS for both AV and some Web/URL filtering.
For the Trend client, to get updates to both the AV and the Web/URL Filtering policy changes, they need to connect to the server.
This is accomplished by opening 3 ports.

I know the 3 ports, however I am unsure how to set the Watchguard policy to send the traffic from the "Guest Wireless Network" via the VPN.

If I am plugged into the "Trusted" interface on the XTM22-W, then the Trend Client connects to the Trend Server just fine.
If I connect to the Wireless Network 1 (Configured for wireless access to the corporate network) the Trend client connects to the Trend Server.

So the issue is just when the laptop is connected to the Guest network.

I have tried from "Guest Wireless Network" to Trusted along with a couple of other "Networks".
When I view the Traffic Monitor, the traffic intended for the Trend server goes out the "Outbound" policy rather than the "Trend Policy" I had defined.


Any ideas would be appreciated.

Thanks
bmcollis Asked:
dpk_wal Commented:
One of the ways this can be established is by bridging the trusted and wireless guest networks; however, doing so would allow ALL traffic between the trusted and guest networks:
http://www.watchguard.com/help/docs/wsm/XTM_11/en-US/index.html#en-US/wireless/wireless_trusted_optional_allow_c.html%3FTocPath%3DFirebox%2520and%2520XTM%2520Wireless%2520Device%2520Setup%7C_____7

If you want to selectively allow traffic only on specific ports/protocols between specific machines on the guest and trusted networks, then you would first need to create an alias and then add a policy to allow the traffic:

http://www.watchguard.com/help/docs/wsm/XTM_11/en-US/Content/en-US/policies/alias_create_c.html

http://www.watchguard.com/help/docs/wsm/XTM_11/en-US/index.html#en-US/policies/custom_policies_about_c.html%3FTocPath%3DPolicies%7CAbout%2520Custom%2520Policies%7C_____0

Further, once you have allowed access of wireless guest users to the trusted network, you would need to route this traffic over the VPN tunnel [I am assuming there is a BOVPN between the main and remote sites]; on the existing BOVPN configuration, add a security policy to allow traffic to/from the wireless network IP/alias:
http://www.watchguard.com/help/docs/wsm/XTM_11/en-US/index.html#en-US/bovpn/manual/routes_add_new_c.html%3FTocPath%3DManual%2520Branch%2520Office%2520VPN%2520Tunnels%7CMake%2520Tunnels%2520Between%2520Gateway%2520Endpoints%7C_____2

Please let know if you need more details.

Thank you.
bmcollis (Author) Commented:
Hi dpk_wal

Sorry for the delay on your feed back.

I know about your first point, and have done that for the corporate wireless network.

I was wondering about the BOVPN policy and having to add the Wireless Guest IP range to this policy - makes sense.

As far as the policy between the Guest network and the main network (at the BO), that is where I seem to be having issues.

When I enabled the Guest network on the XTM22-W, it automatically created a "WG-Wireless-Guest" alias with a rule of:
  Policy Name - Allow Hotspot-users
  From        - WG-Wireless-Guest
  To          - Any-External
  Port        - Any

This policy sits below the default "Outgoing" policy, which is the policy that is used when wireless guests access the internet, which seems strange, as I would have thought that the Wireless Guest network would not have been a Trusted or Optional network, hence the need to automatically add the above rule.
 
For reference:
  Policy Name - Outgoing
  From        - Any-Trusted, Any-Optional
  To          - Any-External
  Port        - TCP:0 UDP:0

As I need the Trend Micro traffic to go from the Guest Wireless to the Trusted network, I created a rule:
  Policy Name - Trend WFBS
  From        - WG-Wireless-Guest
  To          - Trusted
  Port        - 4343 (one of the ports Trend uses to report back to their server)

If I then use the policy checker to go from the Wireless Guest network, using a destination IP on the Trusted network and port 4343, it is denied.

I am wondering if the XTM is not treating the Guest network as the equivalent of an External interface, and therefore I need to somehow SNAT across to it, the same as one would do when bringing traffic in from the internet to an internal server.

Thoughts???

Thanks for your help.
dpk_wal Commented:
Hi, sorry for the delayed response, I was out on vacation.

Not sure if this issue is still prevalent.

Let me understand things; assumed IP schema and devices:

[172.16.5.100] user1---XTM22-w=====BOVPN=====BO-FW----Trust network [192.168.5.0/24]

user1, connected wirelessly to the XTM22-w with IP 172.16.5.100, wants to send traffic over the BOVPN to 192.168.5.100 on TCP port 4343.

You have created security policy which permits traffic from 172.16.5.100 to 192.168.5.100 over TCP/4343 [make this policy the first policy in the policy list if needed so it does get hit when the policies are evaluated] on xtm22-w.

Let's say you have an existing BOVPN config on the XTM22-w, something like below:
GW: external IP of BO firewall [say 1.1.1.1]
Routing policy: trust IP subnet of xtm22-w [say 192.168.10.0/24]<===>192.168.5.0/24
In Phase II, you have added the GW and routing policy.

In the routing policy add:
wireless IP subnet of xtm22-w [172.16.5.0/24 or specific IP as the case is] <===>192.168.5.0/24

Also, on the BO FW, add the reverse of the above routing policy and a security policy which allows traffic between 172.16.5.x and trust.

Now the XTM22-w and BO FW should be able to send/receive traffic between 172.16.5.x and 192.168.5.x.

Thank you.
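As an added example (not part of the thread, and not WatchGuard's own code or CLI), the Python script below models the two checks dpk_wal's answer relies on: first-match evaluation of a policy list whose From/To fields are aliases, and whether a flow falls inside a BOVPN tunnel route pair or drops to the default external route. Addresses follow dpk_wal's sketch (guest 172.16.5.0/24, local trusted 192.168.10.0/24, remote trusted 192.168.5.0/24, Trend server 192.168.5.100 on TCP/4343). The "Trend-Server" alias, the expansion of Any-External to 0.0.0.0/0, and strict top-down first-match ordering are simplifying assumptions of the model, not a description of Fireware internals.

```python
"""Model of WatchGuard-style alias policies plus BOVPN tunnel routes.

Added example for the guest-wireless-to-Trend question above; the
addressing is assumed (taken from dpk_wal's sketch), not the asker's config.
"""
import ipaddress
from dataclasses import dataclass

# Alias table. Any-External as 0.0.0.0/0 is a simplification of the
# interface-based alias on the real device.
ALIASES = {
    "WG-Wireless-Guest": ["172.16.5.0/24"],
    "Trusted": ["192.168.10.0/24"],          # local trusted on the XTM22-W
    "Any-Trusted": ["192.168.10.0/24"],
    "Any-Optional": [],
    "Any-External": ["0.0.0.0/0"],
    "Trend-Server": ["192.168.5.100/32"],    # hypothetical alias to create
}


def nets(alias_names):
    """Expand a tuple of alias names into ip_network objects."""
    return [ipaddress.ip_network(n) for a in alias_names for n in ALIASES[a]]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass
class Policy:
    name: str
    src: tuple          # alias names
    dst: tuple          # alias names
    proto: str = "any"  # "tcp", "udp" or "any"
    dport: int = 0      # 0 = any port, like TCP:0 / UDP:0 in the thread

    def matches(self, p):
        s, d = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        return (any(s in n for n in nets(self.src))
                and any(d in n for n in nets(self.dst))
                and self.proto in ("any", p.proto)
                and self.dport in (0, p.dport))


def first_match(policies, p):
    """Top-down first match; no match is the implicit deny."""
    for pol in policies:
        if pol.matches(p):
            return pol.name
    return "DENY (no policy)"


def tunnel_route(routes, p):
    """A flow is tunnelled only if a local<=>remote route pair covers it."""
    s, d = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    for local, remote in routes:
        if s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote):
            return f"BOVPN {local}<=>{remote}"
    return "default route (external)"


def check(policies, routes, p):
    """Equivalent of 'policy checker' plus route lookup: (policy, path)."""
    return first_match(policies, p), tunnel_route(routes, p)


# Policies as the asker listed them; note the Trend policy's To is the
# LOCAL Trusted alias, but the Trend server is on the REMOTE site.
BEFORE = [
    Policy("Outgoing", ("Any-Trusted", "Any-Optional"), ("Any-External",)),
    Policy("Allow Hotspot-users", ("WG-Wireless-Guest",), ("Any-External",)),
    Policy("Trend WFBS", ("WG-Wireless-Guest",), ("Trusted",), "tcp", 4343),
]
ROUTES_BEFORE = [("192.168.10.0/24", "192.168.5.0/24")]

# Change from the accepted answer: a specific policy placed first whose To
# is the remote server alias, and the guest subnet added as a tunnel route.
AFTER = [
    Policy("Trend WFBS", ("WG-Wireless-Guest",), ("Trend-Server",), "tcp", 4343),
] + BEFORE[:2]
ROUTES_AFTER = ROUTES_BEFORE + [("172.16.5.0/24", "192.168.5.0/24")]

# Constructed sample flows: the Trend update and ordinary guest web browsing.
TREND = Packet("172.16.5.100", "192.168.5.100", "tcp", 4343)
WEB = Packet("172.16.5.100", "203.0.113.10", "tcp", 443)

if __name__ == "__main__":
    for label, pols, routes in (("before", BEFORE, ROUTES_BEFORE),
                                ("after", AFTER, ROUTES_AFTER)):
        for p in (TREND, WEB):
            print(f"{label:6} {p.dst}:{p.dport} -> {check(pols, routes, p)}")
```

Run as a script it prints both tables: before the change the guest-to-Trend flow is swallowed by the generic hotspot policy and would leave by the default route, because the "Trend WFBS" policy names the local Trusted subnet rather than the remote one and no tunnel route covers the guest subnet; after the change the same flow matches "Trend WFBS" and is selected for the tunnel, while guest web traffic is unaffected. The reverse route and policy on the BO firewall, which the answer also calls for, are not modelled here.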
