Watchguard with Multiple wan connections

Im very new to Watchguard.... Ive only dealt with sonicwall and this is super easy to do

There are 2 wan connections...

Int 0 is a 25/5 TWC cable connection
Int 4 is a 5/5 Fiber connection

Currently all the phones are connected to 10.0.5.x wired
and the wifi clients get

however wired or wireless they all seem to go through the fiber connection

How do i force the wireless connections to use the INT 0 and the wired connections to use the INT 4??

The model number of the box is an XTM-25W
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Hypercat (Deb)Commented:
On the router when you set up the wireless interface, you can enable it to connect automatically to one of the other networks that is set up, including an external interface.  So, if you have your wired network as the "Trusted" network, and then you have two external networks, one connected to the cable connection and one to the fiber connection, you should be able to specify that the wireless network connects automatically to the fiber network.  

OTOH, if you're using a wireless network that is not internal to the Watchguard router, you could simply set up an optional network on the router  and then connect the wireless network to the router's designated optional network port. Then you would use policies to direct the incoming and outgoing traffic from that interface to the external connection that you want to use.

The key to doing this is a combination of the network configurations and the policies that you put in place on the Watchguard firewall.  Perhaps if you posted some screen captures showing your network configuration, your wireless configuration, and your policies, I could be a bit more specific.
Have a look at link below:

Create two policy, can be Outbound or specific policy.

Configure policy 1 as:
from: [or the internal alias as applicable]
make sure external interface selected under policy-based routing is int0

Configure policy 2 as:
from: [or the internal alias as applicable]
make sure external interface selected under policy-based routing is int4

Read all the restrictions as multi-WAN should be enabled and other as in the link.

Please implement and update.

Thank you.
punkrawkdude99Author Commented:
i havent been back to that client yet... i will be there on thursday and i will add some pics of the current configuration... thanks for both options....

i dont know watchguard well at all
Defend Against the Q2 Top Security Threats

Were you aware that overall malware worldwide was down a surprising 42% from Q1'18? Every quarter, the WatchGuard Threat Lab releases an Internet Security Report that analyzes the top threat trends impacting companies worldwide. Learn more by viewing our on-demand webinar today!

punkrawkdude99Author Commented:
Hypercat (Deb)Commented:
Hi, punkrawkdude99.  The reason your screen shots look different from the link is that you're using the Web UI instead of the Watchguard System Manager.  It's just 2 different ways to do the same things.  Some of us who've been working with Watchguard for a while still prefer the older interface (the System Manager) because in general it's a bit faster and we're used to it!  At first glance, I think the problem may be that the 2 networks (the Trusted network and the wireless network) are bridged, but I'll take a closer look at your screen captures and see if I can noodle out what's happening.
punkrawkdude99Author Commented:
I believe that to be an issue as well..  

I didn't want to Unbridge to test as they were having a meeting with some pretty higher ups yesterday

There is an option to create other wireless networks..  I created one as trusted but then just got tied up with other stuff after that
Hypercat (Deb)Commented:
OK - here's the explanation of what the bridge does, from the Watchguard documentation:    

<<About LAN Bridges

A local area network bridge logically combines multiple interfaces to operate as a single network, with a single interface name and IP address. You configure the interface IP address and other interface settings in the bridge configuration, and then configure interfaces as members of the bridge. A bridge must include at least one interface, and can include any combination of physical, wireless, and link aggregation interfaces.

You can configure a bridge in the trusted, optional, or custom security zone. The configuration settings for a bridge are similar to the settings for any other trusted, optional, or custom network interface. For example, you can configure DHCP to give IP addresses to clients on a bridge, or use the bridge name as an alias in firewall policies.

To use a bridge, you must:
1.Create a Network Bridge Configuration.
2.Assign a Network Interface to a Bridge.

If you want all of the Firebox or XTM device interfaces to be on the same network, we recommend that you use bridge mode for your network configuration.>>

So, that explains why  you're seeing all of the communication from the wireless network going through the same interface as the wired connections, because they're bridged together.

Before we look at removing the bridge, please take another screen capture of the firewall policies, similar to the one below from one of my networks.  Please make sure to expand the From, To and Port columns (which I didn't do) so that we can see all the settings in those columns:

Web UI Firewall Policies view
punkrawkdude99Author Commented:
I think I attached the fw policy...  It's really basic

Pretty much allows everything outbound and ping as well
Hypercat (Deb)Commented:
Ok - here's what I recommend:

1.  Make a BACKUP of the current configuration on the Watchguard, just in case.  
2.  Remove the LAN bridge and the bridged wireless network.
3.  Create a new network for the wireless network connection, making it an Optional network and using the same IP configuration. You'd do this from the Network/Interfaces page. Click the Optional network interface that corresponds to the physical interface on the Firebox where the wireless network is connected.  Then click Configure to set it up with the correct IP range, etc. IF, however, the wireless network is set up using the Firebox's internal wireless capabilities, rather than creating an Optional network, you'd need to go to the Wireless network settings and make some changes there.  Let me know if this is the case.
4.  Edit the existing Outgoing policy so that the "To" is "External TWC Fiber" and the "From" is "Trusted."
5.  Create a new Outgoing policy (i.e., "Outgoing-Wireless") using the "External 25 MB TWC Cable" as the "To" and the Optional (i.e., wireless) network as the "From."

Of course, you'll need to do this at a time when you can test the new configuration without interfering with user access to any resources they need either internally or externally.
punkrawkdude99Author Commented:
Man something went terribly wrong....

i think part of the problem is the TWC cable connect was setup wrong
punkrawkdude99Author Commented:
okay so i messed with a bunch of crap.... now everything seems to go out the fiber interface and nothing goes out the twc cable one

the twc cable interface is dhcp  :( not sure the firebox will play well with that

before wireless would get a 192.168.0.x address....

now the cable modem is giving out that address

so i moved wireless to

at this point wireless and cabled both get addresses

the second wireless network does get a address but doesnt route anywhere
Hypercat (Deb)Commented:
The wireless interface type is "Optional," which would essentially create a bridge to an optional interface, but there is no optional interface enabled on one of the 4 Firebox interfaces.  You need to re-enable the Firebox interface 1, configure it as an Optional interface using the network, and enable the DHCP server for that network, and then the wireless interface will connect to it.  IOW, the wireless interface has to have a physical port on the Firebox to connect to, even though the connection is wireless rather than physical. You will need to give the wireless interface a different IP address, say, and then the Optional network can take over  For the DHCP range, you want to exclude those two addresses so that only and above can be used by other devices on that network.

At that point, your policy directing outgoing traffic from Any-Optional to the cable connection should take effect.  BTW, you should have your policies in order so that the priority policies are at the top. That is, the two "Outgoing" policies should probably be at the top of the list.
Hypercat (Deb)Commented:
Also - when you say the TWC cable interface is DHCP, do you mean that it's configured to assign private IP addresses to internal devices?  Also, I forgot to say specifically - you need to have DHCP enabled only on either the Optional or the Wireless side of the network, not both...Now that I think about it, it's probably better to have it enabled on the Wireless interface rather than the Optional one, since the wireless devices (I assume workstations) will be connecting to that first.
punkrawkdude99Author Commented:
Yeah the two cable modem is also acting like a nat device itself

So it's giving the firewall essentially a 192.168.0 address

Eth1 was set to bridge so you want me to set that as opt and to give out Dhcp but not to bridge to connect between wireless to the eth0?
punkrawkdude99Author Commented:
okay so i have it to the point where i can only get it to route out one gateway.... im not sure why but when i enable the fw policy to send optional outbound through the twc cable gateway it just stops

i have to go to the other outbound policy and add optional to it for the internet to work over wireless

i was able to switch the TWC cable modem into pass through so now its just acting like a modem and getting a public ip
punkrawkdude99Author Commented:
okay so after messing with it all day i finally got a few things as an outcome

1. eth0 is now in pass through mode and has a public ip'
2. both wireless networks work however do different things

wireless network1 aka onyx 2.4 is set to give out ip addresses in the 192.168.0.x range but gives out ips in the 10.0.5.x range and continues to go out through the fiber 5meg gateway

wireless network2 aka onyx2 is giving out ips of 192.168.99x and routes out the twc 50meg gateway

i dunno wth to do next :/
punkrawkdude99Author Commented:
a little more in depth

I figured out how to route some of the traffic out of different gateways

i have 2 external interfaces
int0 50/10mb cable and
int4 5/5mb fiber

i have one wired interface
int3 10.0.5.x

i have two wireless interfaces
ath1 192.160.0.x and
ath2 192.168.99.x
both set to optional

i have 2 firewall policies
1. any traffic from 10.0.5.x network goes out the fiber connection
2. any traffic out of either ath1 or ath2 goes out the TWC cable connection

so far everything is all 10.0.5.x traffic goes out the fiber connection
all 10.0.99.x wireless2 traffic goes out the twc cable connection

the one issue is ath1 seems to pick up dhcp from 10.0.5.x instead of 192.168.0.x
it also sends traffic out of the wrong gateway
Hypercat (Deb)Commented:
Good work!  Let me take a look at your latest screen caps and I'll get back with any thoughts and ideas.
Hypercat (Deb)Commented:
How are the devices that are using ath1 getting their IP addresses?  It looks like they're being assigned addresses by the DHCP server on the Trusted network (Phone GW) rather than getting them from either the ath1 wireless network itself with DHCP server configured or a configured Optional network with ath1 bridged to that network.
punkrawkdude99Author Commented:
There is no bridge network...  

I can't seem to figure out why ath2 works properly and ath1 doesn't..

They are both set as optional and both setup with Dhcp servers..  

I guess I can just disable the wireless on ath1 and set leave ath2 on and change the name and network name and Dhcp scope the same as ath1 was...  Since it works properly
Hypercat (Deb)Commented:
You could certainly try that!  One thing that could be operating here is that ath1 was originally bridged to the Trusted (10.0.5.x) network.  So, there may still be some setting in the properties of ath1 that's maintaining that connection - check it carefully.  Make sure that all changes you've made have been saved too, of course.  You also might try restarting the Watchguard firewall to see if that corrects the problem. Or as I suggested above, reconfigure the eth1 network as an Optional network in the 192.168.0.x network and bridge ath1 to eth1.
punkrawkdude99Author Commented:
Okay i see WTH happened

Customer had another router in the ceiling setup as an Access point of sorts i guess.....

It spaced out and started acting like a router and started giving out IP's on the wrong network.... that was a separate issue

The issue with routing out another gateway was actually rather simple

You dont need a bridge or anything like that actually

You just need to create 1 2 or 3 wireless networks and label them as optional

You need to create a firewall rule and say from = any optional to = any external
Then you use policy based routing down below to control which interface it exits on

You then create a second rule for the cabled network saying from = any trusted and to = any external
Then you use policy based routing to decide which external interface it exits on

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
punkrawkdude99Author Commented:
Its the actual solution.....

No one picked up in the screenshots that to needed to be any external and not the direct external interface
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.