Environment: A company network has a Firebox M-series appliance with Total Security Suite at headquarters. Every branch office has a smaller T-series Firebox without subscription services. For this reason, all traffic from the branch offices is routed through the M-series appliance at headquarters. Some of the branch office Fireboxes have a static IP, some obtain it via DHCP.
Occasionally there might be some problems with the tunnel (for example if the HQ network is down). Therefore, the branch office Fireboxes need to be able to abandon the 0.0.0.0/0 route through the tunnel and work standalone for a while, since BO Internet connectivity is crucial for the business. This works with BO Virtual Interface, but not with 0.0.0.0/0 over BO GW & Tunnel.
Simplified (just one External and Trusted if) related configuration, a branch office with DHCP:
- Firebox-HQ (10.9.0.1) - M670 [Fireware OS v12.2.1.B572649]
  - Interfaces (Routed Mode)
    - eth0: ISP1 [External] - 198.51.100.123/24 (Static)
    - eth1: Trusted [Trusted] - 10.9.0.1/24
  - VPN Interface (bvpn20): BovpnVif.BO20 [IKEv1]
    - Route to 10.9.20.0/24
- Firebox-BO20 (10.9.20.1) - T55 [Fireware OS v12.2.1.B572649]
  - DNS Servers: 192.0.2.10 & 192.0.2.20 (ISP2's DNS servers)
  - Interfaces (Routed Mode)
    - eth0: ISP2 [External] - 203.0.113.33/24 (DHCP)
    - eth1: Trusted [Trusted] - 10.9.20.1/24
  - VPN Interface (bvpn1): BovpnVif.HQ [IKEv1]
    - Route to 0.0.0.0/0
    - VPN Settings: [x] Remove VPN routes when the tunnel for a BOVPN vif is down.
Everything works just as expected when the tunnel is down. The Firebox-BO20 can work as a DNS resolver for its eth1 network. Both 10.9.20.0/24 and Firebox itself can access the Internet.
Problem: When the tunnel is up and the 0.0.0.0/0 route through bvpn1 is added, the clients on eth1 can access the Internet through the VPN and all the resources (incl. DNS servers) at the HQ.
    IPv4 Routes
    ------------
    Destination    Gateway        Genmask          Flags  Metric  Interface
    0.0.0.0        0.0.0.0        0.0.0.0          U      1       bvpn1
    0.0.0.0        203.0.113.1    0.0.0.0          UG     5       eth0
    10.9.20.0      0.0.0.0        255.255.255.0    U      0       eth1
    203.0.113.0    0.0.0.0        255.255.255.0    U      0       eth0
    127.0.0.0      0.0.0.0        255.0.0.0        U      0       lo
However, Firebox stops working as a DNS resolver and loses its own Internet connectivity. This is due to the fact that the Firebox's own connections start to use the route, too.
- The ISP2's DNS servers 192.0.2.10 & 192.0.2.20 aren't accessible from ISP1.
- The devices on network 10.9.20.0/24 can access the Internet through bvpn1.
- Firebox doesn't use its internal IP 10.9.20.1 through the tunnel, but 203.0.113.33.
- The Firewall rule "Any From Firebox-00" is hard-coded and doesn't show up in Policy Manager. Otherwise it would have been easy to force it to use eth0 with <policy-routing>.
There are firewall policies to allow all the necessary traffic on both appliances; the problem is therefore delimited to the routing, alone.
For the ISP2's DNS servers you need to add static routes to Firebox-BO20:
- 192.0.2.10, gateway 203.0.113.1, metric 0.
- 192.0.2.20, gateway 203.0.113.1, metric 0.
After saving the settings to Firebox, the route table with tunnel connected looks like this:
Another option is to use public DNS servers (like Cloudflare's 1.1.1.1/1.0.0.1 or Google's 8.8.8.8/8.8.4.4) that work on both ISPs. This way you won't need to add the routes on Firebox-BO20, but the solution below is mandatory for both approaches.

For the Internet connectivity of the Firebox-BO20 when the tunnel is connected things are a bit more complicated, as the Firebox uses its external IP when sending its packets through the tunnel. If you have a matching rule with logging on, like a HTTPS proxy, you'll see this from the logs, e.g.:
This has a route 0.0.0.0/0 on the Firebox-BO20, but no route on Firebox-HQ tunnel bvpn20. You need to edit the BOVPN Virtual Interface BovpnVif.BO20 and add a route to the external IP of Firebox-BO20. If the IP was static, that would have been a single 203.0.113.33/32.

In this case where the external interface of Firebox-BO20 is on DHCP you'd need a route that covers all the possible IPs it could get, the whole DHCP pool, e.g. 203.0.113.0/24. Of course this means that Firebox-HQ will use this route for the other addresses in that range, too. That may cause problems in some use cases – if it does, you need to get a static IP.

By default, Firebox adds dynamic NATs for private networks 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8. As the external IP 203.0.113.33 is not within these networks, you need to add (Network > NAT...) Dynamic NAT from BovpnVif.BO20 to Any-External. Luckily this can be done using the existing built-in alias for the BOVPN Virtual Interface.