Configuring BOVPN and directing traffic between two Watchguard Devices

Tom F
I have a T70 device I'd like to connect up via BOVPN with a XTM2 device (with wireless) at a home office location.  In front of the XTM2 I will have an AT&T uverse router in bridged mode.

I'd like all of the data from one port on the xtm2 to go back and forth over the BOVPN.  I'd like all of the wireless traffic to travel out to the internet.

Can someone please tell me if this is possible and point me in the right direction for accomplishing this?   I've set up BOVPNs between two devices before, but it was moving all traffic between both devices and I need to keep the wireless (home users) traffic off the VPN.
Top Expert 2011
Is your home office wired and wireless traffic on the same subnet? I assume if you are trying to use a certain port on the Watchguard for VPN traffic, it must be the gateway for a separate subnet. That said, I assume Watchguard does routed VPN. If so, you'd just route to the remote subnet over the created VPN interface. The firewall rule over the VPN would only allow the source to be the subnet attached to the one port on the Watchguard and not the subnet for the wireless.

If wireless is on the same subnet as the one port, I don't see how you would filter or prevent wireless devices from using the vpn.
Tom F, I.T. and Support Staff Manager

Right now everything is on the same subnet.  Currently the uVerse router is dishing out wired and wireless access to the home.

I'm looking to set up a PC and VoIP phone to communicate over the VPN and want everything else going out to the WAN.
Top Expert 2011

Yeah, so basically you will need a separate subnet for the PC and VoIP that you want to traverse the VPN, or, worst case, only allow their IP addresses over the tunnel. Routing should be standard: a default route out to your internet, and VPN networks over the tunnel interface on the firewall.
Jeremy Weisinger, Senior Network Consultant / Engineer

On Watchguard BOVPN, the routing is determined in the Phase 2 (tunnel) settings when you specify the remote and local resources.

You can modify the rule to only allow the IP addresses you specify over the tunnel. You could also move the wireless from the bridged connection to its own interface so that it would be on a separate subnet. But I think the least amount of work for you would be to put in some DHCP reservations on the XTM2 device and then only allow those specific IP addresses by modifying the rule on the T70. (There are tons of ways to accomplish the same thing.)
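A small model of the point made in this answer, as an added example that is not part of the original thread and does not use WatchGuard's own configuration syntax: Phase 2 tunnel routes (local resource to remote resource pairs) decide which flows are encrypted, and narrowing the local resource from the whole subnet to the reserved PC and phone addresses keeps the wireless hosts off the tunnel. All addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TunnelRoute:
    """One Phase 2 tunnel route: traffic from `local` to `remote` goes into the BOVPN."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


def classify(src: str, dst: str, routes: list) -> str:
    """Return 'bovpn' if a tunnel route matches the flow, else 'wan' (default route)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in routes:
        if s in r.local and d in r.remote:
            return "bovpn"
    return "wan"


# Constructed sample addressing (hypothetical, not taken from the thread).
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")   # XTM2 trusted network (wired + wireless)
MAIN_OFFICE = ipaddress.ip_network("10.0.0.0/24")   # network behind the T70
PC, PHONE = "192.168.1.10", "192.168.1.11"          # DHCP reservations for PC and VoIP phone
LAPTOP = "192.168.1.50"                             # a wireless home user
PBX, INTERNET = "10.0.0.20", "93.184.216.34"

# Original setup: the whole home subnet is the local resource, so every host reaches 10.0.0.0/24 via the tunnel.
SUBNET_WIDE = [TunnelRoute(HOME_LAN, MAIN_OFFICE)]

# Suggested setup: only the reserved addresses are local resources; everything else follows the default route.
HOST_ONLY = [TunnelRoute(ipaddress.ip_network(PC + "/32"), MAIN_OFFICE),
             TunnelRoute(ipaddress.ip_network(PHONE + "/32"), MAIN_OFFICE)]


def compare() -> dict:
    """Classify the same flows under both tunnel-route policies: {flow: (subnet_wide, host_only)}."""
    flows = {"pc->pbx": (PC, PBX), "phone->pbx": (PHONE, PBX),
             "laptop->pbx": (LAPTOP, PBX), "laptop->internet": (LAPTOP, INTERNET)}
    return {name: (classify(s, d, SUBNET_WIDE), classify(s, d, HOST_ONLY))
            for name, (s, d) in flows.items()}


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:18} subnet-wide={before:5} host-only={after}")
```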
