
Summary

I'm trying to figure out what Firewall Policy I need to create to allow VPN connection traffic through my Watchguard firewall.

Description

I'm really struggling to figure out how to create a Site-to-site VPN connection between my Azure VNet and our office subnet.

I've created the VNet, gateways, etc., as described in this tutorial here. So let's just assume that I've got that right.

Now, I need to make sure it can access my office subnet which has a Unifi 24 port Switch + Switch-Controller-software which includes some smarts to join/handle the VPN site-to-site connection.

Only problem is, I have a Watchguard Firebox firewall device in between our Fibre internet connection and my office subnet.

I know there's another blog post which explains how to use the Watchguard Firebox as the VPN terminator.

I'm hoping to just forward all VPN traffic through the firebox to my subnet and let my Unifi Controller software handle all of that.

Does anyone have any experience with this sort of thing and can suggest some Policy I need to create to handle this?

Here's a sample picture of our network setup:

[image: network setup diagram]

So what I thought I had to do was this:

  • Create a policy for the Azure VPN Public IP Address (aa.bb.cc.22) in the firewall and push that traffic down to my office subnet (Subnet3). [REFER TO POLICY #17 in this picture]

[image: firewall policy list showing policy #17]

So - can anyone help?

I can't even see any traffic from Azure VPN trying to hit us. Honestly, I'm not too sure what to even check in the WatchGuard software to see if any traffic is hitting us and then getting handled or rejected by the firewall.

Can anyone please help?

Pure.Krome

1 Answer


I suspect that your BOVPN policies (14 and 15) will be picking up any IPSec traffic from Azure before rule 17 is hit. Try turning on manual order mode and moving it up the list (this is a lot easier in WSM than using the web interface).

I've never tried to do it this way though - I've got my WatchGuard Firebox T70 talking to an Azure S2S VPN with no problems, but the Firebox is the endpoint. Is there a reason you're wanting to use the Ubiquiti gear instead of your WatchGuard?

arjoll
  • Hi @arjoll and welcome to SO :) There's no _real_ tech reason why I'm trying to use the Ubiquiti instead of the WG. Inside our office, I have access/control of our office hardware which is _after_ the WG so I thought it could be easier if I can just get a passthrough happening. – Pure.Krome Jan 29 '20 at 21:02
  • That makes sense. In that case, move rule 17 up above rule 14. What is the "to" in that rule? It'll need to be SNAT, and I'm not sure what impact that will have on VPN traffic. So try Any from Azure to SNAT (WAN port of the Ubiquiti). Any from Ubiquiti to Azure. – arjoll Jan 30 '20 at 03:41
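The ordering problem raised in the answer (the broad BOVPN policies 14 and 15 matching the Azure IPsec packets before the narrower passthrough policy 17 is reached) can be reproduced with a small first-match policy model. The following Python is an added illustration written for this page; it is not WatchGuard code and not something either poster supplied. The match fields given to policies 14, 15 and 17, the labels `firebox-external` and `unifi-wan`, and the action strings are all assumptions constructed for the example; `aa.bb.cc.22` is the placeholder address from the question. The only external facts it relies on are that firewalls evaluate policies top-down and stop at the first hit, and that IPsec consists of IKE on UDP/500, NAT-T on UDP/4500 and ESP (IP protocol 50).

```python
"""Toy first-match firewall policy evaluator (added example, not Firebox code).

Shows why a custom passthrough policy placed below the auto-generated BOVPN
policies never sees the Azure IPsec traffic, and how moving it above them
(manual order mode) changes the outcome.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "udp", "tcp" or "esp"
    dport: Optional[int] = None     # None for protocols without ports (ESP)


@dataclass(frozen=True)
class Policy:
    number: int
    name: str
    src: str                        # "Any" or a host/network label
    dst: str
    services: FrozenSet[Tuple[str, Optional[int]]]
    action: str

    def matches(self, pkt: Packet) -> bool:
        if self.src not in ("Any", pkt.src):
            return False
        if self.dst not in ("Any", pkt.dst):
            return False
        return (pkt.proto, pkt.dport) in self.services


# IKE (UDP/500), NAT-T (UDP/4500) and ESP make up IPsec; that a BOVPN policy
# matches exactly this set is an assumption for the example.
IPSEC = frozenset({("udp", 500), ("udp", 4500), ("esp", None)})

AZURE_GW = "aa.bb.cc.22"          # placeholder Azure gateway address from the question
FIREBOX_EXT = "firebox-external"  # constructed label for the Firebox's public interface
UNIFI_WAN = "unifi-wan"           # constructed label for the Unifi controller's WAN side

# Constructed policy list in the Firebox's automatic order: the BOVPN
# policies sit above the custom passthrough policy 17.
AUTO_ORDER: List[Policy] = [
    Policy(14, "BOVPN-Allow.in",  "Any", FIREBOX_EXT, IPSEC, "terminate-on-firebox"),
    Policy(15, "BOVPN-Allow.out", FIREBOX_EXT, "Any", IPSEC, "terminate-on-firebox"),
    Policy(17, "Azure-to-Unifi",  AZURE_GW, FIREBOX_EXT, IPSEC, f"snat-to-{UNIFI_WAN}"),
]


def first_match(policies: List[Policy], pkt: Packet) -> Optional[Policy]:
    """Evaluate top-down and stop at the first policy that matches."""
    for policy in policies:
        if policy.matches(pkt):
            return policy
    return None


def move_above(policies: List[Policy], number: int, above_number: int) -> List[Policy]:
    """Return a copy with policy `number` placed directly above `above_number`."""
    moving = next(p for p in policies if p.number == number)
    rest = [p for p in policies if p.number != number]
    idx = next(i for i, p in enumerate(rest) if p.number == above_number)
    return rest[:idx] + [moving] + rest[idx:]


def decide(policies: List[Policy], pkt: Packet) -> str:
    """Action taken for a packet, with an implicit deny when nothing matches."""
    hit = first_match(policies, pkt)
    return hit.action if hit else "deny-default"


# Constructed sample packets: the IKE negotiation and an ESP packet from Azure.
IKE_FROM_AZURE = Packet(AZURE_GW, FIREBOX_EXT, "udp", 500)
ESP_FROM_AZURE = Packet(AZURE_GW, FIREBOX_EXT, "esp")
MANUAL_ORDER = move_above(AUTO_ORDER, 17, 14)

if __name__ == "__main__":
    for label, order in (("auto", AUTO_ORDER), ("manual", MANUAL_ORDER)):
        for pkt in (IKE_FROM_AZURE, ESP_FROM_AZURE):
            hit = first_match(order, pkt)
            print(f"{label:6} {pkt.proto}/{pkt.dport}: policy {hit.number} "
                  f"{hit.name} -> {hit.action}")
```

Running it shows both Azure packets landing on policy 14 in automatic order and on policy 17 once it has been moved above 14; IPsec from any other source still terminates on the Firebox, and non-IPsec traffic from Azure falls through to the default deny. The same check is worth doing against the real policy list before and after switching to manual order, since the "to" target of policy 17 (the SNAT to the Unifi WAN port the answerer mentions) only matters once the packet actually reaches that policy.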