Client with BGW320-500 and third-party router/firewall can't VPN in or out of local network

Have a client with ATT 1g/1g fiber, a block of 5 static IPs, and a BGW320-500, connected to a Watchguard appliance we provided and manage. The WAN interface of the Watchguard is configured with that static IP info from ATT and plugged into LAN1 of the BGW320-500. Nothing in the BGW320-500 has been changed; internet works fine.

The problem is that I cannot VPN in to the Watchguard appliance from outside, and VPN clients on computers on the local network behind the WG won’t connect to outside sources. My VPN attempts from outside in to the WG do not show up in the WG traffic monitor at all, indicating that something upstream (BGW320-500) is blocking that traffic from getting in. The WG traffic monitor is showing the VPN client connection attempts from inside the network, and it is not blocking them, indicating something upstream (BGW320-500) is blocking them from getting out.

Obviously it’s the BGW320-500, but I’m not sure how to fix this. I’m getting mixed results from all my searches. Some folks say use the cascading router feature, which requires the WG WAN to be DHCP. Others say to configure IP passthrough. How do we make this so the Watchguard has and manages the static IPs, and the BGW320-500 is not doing any sort of firewalling so VPNs in and out work?

Edit: Problem solved. The local network configured in the BGW320-500 was 192.168.1.x, which was also the local network behind the Watchguard router. Apparently this caused enough of a routing problem in one of the devices that VPNs in or out wouldn’t work, but internet connectivity for users behind the WG was fine. Changed the subnet in the BGW320-500 to 192.168.0.x and that fixed the issue. I then configured IP Passthrough, turned it on and set the mode to Manual, since the static IP info from AT&T is configured on the WAN interface of the downstream LAN device (Watchguard), which is what IP Passthrough - Manual is designed for according to its description. Everything seems to be working fine now, and users on the local network behind the WG are pulling the correct public IP.

There are firewall settings that should all be disabled, see if that resolves it.

Issue resolved, see edit in the OP for the solution.

It would be good to know how it was resolved. I just switched to ATT and have the same gateway, and my OpenVPN is no longer working… It's active but the tunX interface does not come up.

Bypass the BGW and do your own 802.1X authentication!

Bottom of my post explains the solution. It was because the ‘stub’ or ‘transit’ network between the ATT router and my router was the same subnet as the one behind my router, a networking no-no that caused routing issues. Changing the subnet on the ATT router to anything else solved the issue.
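The overlapping transit-subnet problem from the OP's edit and this reply, as an added example (not from the original thread): a small Python checker for a cascaded router chain. It assumes constructed subnets, a documentation-range address (203.0.113.10) standing in for the client's AT&T static IP, and generalizes beyond the two-box case to any number of hops.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data (not the client's real addresses).
# BEFORE: the thread's broken layout, same /24 on both sides of the Watchguard.
# AFTER:  the BGW320-500 LAN moved to 192.168.0.0/24, as in the OP's fix.
BEFORE = [
    {"name": "BGW320-500", "lan": "192.168.1.0/24"},
    {"name": "Watchguard", "lan": "192.168.1.0/24", "wan": "203.0.113.10"},
]
AFTER = [
    {"name": "BGW320-500", "lan": "192.168.0.0/24"},
    {"name": "Watchguard", "lan": "192.168.1.0/24", "wan": "203.0.113.10"},
]


def find_overlaps(chain):
    """One message per pair of routers whose LAN prefixes overlap.

    Each router's LAN is the transit network for the hop behind it, so it must
    be disjoint from every other LAN in the chain; otherwise a router ends up
    with the same prefix on two interfaces and cannot route replies reliably.
    """
    nets = [(r["name"], ip_network(r["lan"], strict=False)) for r in chain]
    issues = []
    for i in range(len(nets)):
        for j in range(i + 1, len(nets)):
            a_name, a = nets[i]
            b_name, b = nets[j]
            if a.overlaps(b):
                issues.append(f"{a_name} LAN {a} overlaps {b_name} LAN {b}")
    return issues


def passthrough_needed(chain):
    """Names of downstream routers whose WAN address is outside the upstream LAN.

    Such a router carries an address the upstream box does not hand out (here
    the ISP static IP), so the upstream gateway must do IP Passthrough rather
    than plain cascaded routing, which expects the downstream WAN to be a DHCP
    lease from the upstream LAN.
    """
    needs = []
    for up, down in zip(chain, chain[1:]):
        wan = down.get("wan")
        if wan and ip_address(wan) not in ip_network(up["lan"], strict=False):
            needs.append(down["name"])
    return needs


if __name__ == "__main__":
    for label, chain in (("before", BEFORE), ("after", AFTER)):
        print(label, find_overlaps(chain) or "no overlap", passthrough_needed(chain))
```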

Ok, thank you. In my case I have no other router; I do not have passthrough enabled, so I'm just using the ATT Gateway. ActiveArmor is not active, nor will I activate it. lol

Will have to keep looking… and I cannot find anything on the OpenVPN site.

IP passthrough/bridge mode is only when you want to bypass the routing functionality of a modem/router combo device from your ISP, and let your own downstream router handle that functionality. If you’re just running the ATT equipment and can’t VPN in or out of your network, then it’s a firewall/NAT/security setting in the ATT device that’s probably blocking it.

Ok, thanks, let me poke around and disable it if I see anything.

See, here is what I get: the service is started but my tunX device is not up… So I'm authenticating to the OpenVPN server; if not, the service would fail to start.

$ systemctl status openvpn.service
● openvpn.service - OpenVPN service
     Loaded: loaded (/usr/lib/systemd/system/openvpn.service; enabled; preset: enabled)
     Active: active (exited) since Fri 2024-07-26 22:20:25 UTC; 1min 36s ago
       Docs: man:openvpn(8)
    Process: 802 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
   Main PID: 802 (code=exited, status=0/SUCCESS)
        CPU: 5ms

Jul 26 22:20:25 qbittorrent systemd[1]: Starting openvpn.service - OpenVPN service…
Jul 26 22:20:25 qbittorrent systemd[1]: Finished openvpn.service - OpenVPN service.

But I see no tunX device…

ens18: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet xx.xx.xx.xx  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 2600:1700:234f:d200::3f  prefixlen 128  scopeid 0x0
        inet6 fe80::be24:11ff:feff:1efb  prefixlen 64  scopeid 0x20
        inet6 2600:1700:234f:d200:be24:11ff:feff:1efb  prefixlen 64  scopeid 0x0
        ether bc:24:11:ff:1e:fb  txqueuelen 1000  (Ethernet)
        RX packets 3378  bytes 512255 (512.2 KB)
        RX errors 0  dropped 115  overruns 0  frame 0
        TX packets 637  bytes 121527 (121.5 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 253  bytes 21941 (21.9 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 253  bytes 21941 (21.9 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Maybe this will clarify a bit more… lol

That’s all above my head, unfortunately.

lol… ok cool… thanks bud…