Watchguard x750e configuration help!

Majestic

Hi,

So one of my companies recently got a second internet connection (they currently have a slower connection from years). In any case they want a dual wan configuration and already have their slow static ip mapped to some of their printers on a specialized application (ports 9100).

They have a new fast cable connection that has been installed but I have not connected it yet as the whole company needs these printers to run and I want to make sure that those printers ONLY go through the slow connection whereas any other browsing/internet access is routed through the faster connection. I'm not sure if this is considered "Round-robin" or not. In any case, I'm pretty sure I need a NAT rule and I have not configured this Watchguard before.

It's a watchguard x750e

Any help would be greatly appreciated.

Majestic
 
I'm very confused on why that matters. Personally I would put all traffic on the new faster ISP and use the slower one for failover (I believe most WatchGuards can do failover). To me it seems complicated to use 2 WANs in this environment. Perhaps use the other WAN for Guest Traffic?

Just my personal suggestion, sorry if this is no help at all.
 
It matters for 2 reasons a) they need an internet guarantee b) at the moment I'm waiting on the company that serves the specialized application to add the new/second ip address on the faster connection as an option to route to the printers.

I tried adding the new external ip (static) and I get an error of "The Ip address can not be a broadcast address." I set it to external under device type and put in the gateway.
 
Failover gives them that internet guarantee...
I really don't understand why anyone would want an extra internet connection just for their printers.

Especially as seeing that's just extra cost that a fast internet connection could easily handle.
 
Hey Majestics,

What firmware are you running on it currently? If you're hitting the "Broadcast IP Message" warning, this is due to an incorrect IP you put in. In this case, it was the last IP of the subnet (the broadcast IP).

Round robin connection would load balance between the 2 external connections. In this case, you would want to make a rule to have all traffic go out the fast interface and then make a rule for the printer traffic to go out the slower one.

By default, your traffic rules for Internet access say "Any-External". This means it will use any interface that has the External alias. You can go into the policy and specify a certain interface. Best bet would be to keep it on failover, so all traffic wants to go out the primary anyways.

Change some of the numbers and let me know what IP address you are trying to put in when you are getting that message, as well as the subnet mask. Ideally, change the first 3 octets.

Let me know what I need to clear up.
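
The broadcast-address error discussed above can be caught before the values are entered on the firewall. This is an added example, not part of the original thread: it checks a static external IP, subnet mask and gateway for that mistake and related ones. The function name and the 203.0.113.0/29 documentation addresses are constructed for illustration.

```python
import ipaddress


def check_external_interface(ip, netmask, gateway):
    """Return a list of problems with a static external interface config.

    Hypothetical helper for this example; an empty list means the values
    are usable as a host address and gateway on the same subnet.
    """
    problems = []
    iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")
    net = iface.network
    gw = ipaddress.IPv4Address(gateway)

    # /31 and /32 networks have no separate network/broadcast address.
    if net.prefixlen < 31:
        if iface.ip == net.broadcast_address:
            problems.append(f"{ip} is the broadcast address of {net}")
        if iface.ip == net.network_address:
            problems.append(f"{ip} is the network address of {net}")
        if gw in (net.network_address, net.broadcast_address):
            problems.append(f"gateway {gw} is not a host address in {net}")

    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}")
    if gw == iface.ip:
        problems.append("gateway and interface IP are the same address")
    return problems


# Constructed sample values (RFC 5737 documentation range), /29 from the ISP.
SAMPLES = [
    ("203.0.113.7", "255.255.255.248", "203.0.113.1"),  # last IP of the /29
    ("203.0.113.2", "255.255.255.248", "203.0.113.1"),  # valid host address
    ("203.0.113.2", "255.255.255.248", "203.0.113.9"),  # gateway off-subnet
]

if __name__ == "__main__":
    for ip, mask, gw in SAMPLES:
        found = check_external_interface(ip, mask, gw)
        print(ip, mask, gw, "->", found or "OK")
```
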
 
It's running 10.2.7 firmware (old I know, I will upgrade it just in case)

I had apparently not entered the syntax properly for the broadcast address so you're right about that.

What I've learned about Watchguard is that it automatically picks the faster connection. I've set it up for round-robin and managed to get the second connection to work.

The strangest thing is that now I have it working, or at least the Watchguard firebox system manager traffic monitor shows it's being preferred but the connections seem to be slower (??). I went on a workstation and checked the "whatismyipaddress.com" and it is using the newer cable connection however people are complaining that the connections are slower not faster. Ugh I have no idea what's going on.. I did a speedtest and achieved 30 mbps down and 12 up in one case and on another server (Speakeasy.net/speedtest) I saw 12 down and 10 up.. It's rated at 30/12 btw officially.

And I am keeping the slow connection until I get the 2nd faster connection in basically and that the specialized app company adds the new ip addresses so that the printing is routing properly from them (they need to do it on their end). This company must ALWAYS have an active internet connection...

Majestic
 
Hey Majestics,

I totally blanked and realized you would want to use the Policy Based Routing tag to send out specific interfaces. You can leave the backup one in failover and still send traffic out of it. Otherwise, round robin doesn't check speed and will instead use both interfaces alternately.

http://www.watchguard.com/help/docs/fireware/10/en-US/index.html

Network Setup With Multiple External Interfaces -> About using multiple external interfaces.
 
Southerntech: Do you mean to say that I can use the old interface as a failback (not roundrobin) and it would STILL receive incoming connections when directed at it? As I mentioned earlier the only reason I still have it active is because we have an application that's directed to that static ip (ports 9100, 9102) and are waiting for the company to update the change. If I can put it in a "sleep mode" until it needs to use those printers that'd be the best situation (or if the other connection went down).

Majestic
 
Majestic,

That should be possible. I can't recall any issues in the 10.x series firmware that would stop that. You would just need to enable Policy Based Routing on the policy that is controlling the traffic for the printers.
 
Apparently we have the Firebox not the firebox pro. It does not allow us to a) use weights for network priority and b) use policy based routing. I wonder what it'd cost to buy the feature set..

The roundrobin seems to go to one connection, then the other, one then the other with no priority. The failback does seem to work but then the ports did not for the printers so then I had to go back to round robin.

That said, I may be leaning towards replacing the unit and getting a Sonicwall TZ205...

Thanks again for the help Southerntech btw :)

Majestic
 