Based on 2023.8
¶ Scenario
- Company, Inc has resources in their datacenter
- Users need to access resources to create value
- Security policy states resources only be accessed through secure tunnels; directly connecting over the internet is prohibited
- IT provides connectivity to users through Company managed networking gear:
- FG1 an FG2000 series for a branch office
- FX1 an FX2000 series for a work-from-home office
- CBR1 a Cloud Based Router in corporate datacenter
- Success is defined when a can access resources: http://10.0.0.19 in this example
¶ Planning
¶ Network
See CPE_Network tab.
EDGE Manager planning worksheet
¶ Firewall
See CPE_Firewall tab.
EDGE Manager planning worksheet
¶ Topology
¶ Laying the foundation
¶ Onboarding Devices into EDGE Manager
See ZTP process
¶ Network Configurations
See Network
¶ Initial Static Routes
Pull up the Networks page of CBR1.
Take note of the WAN Gateway address.
Click on Templates in the Navigation Menu.
Click the blue + (plus) next to Templates.
Provide a Template Name and select Static Route in the Feature Template dropdown.
Click the blue + (plus) next to Static Route.
Provide Destination Network, Netmask, & Gateway (which was gathered above as the WAN Gateway address). Use a reasonable metric like 50 and enable Add route via VTY shell. Click Add.
Click Save then OK.
Click the ⋮ button on the right of the newly created Template then Apply Template.
Click the blue + next to Devices then click Devices in the popdown.
Find the CBR, check it, click Add, then Next.
Select Ethernet WAN for each in Network Name dropdowns.
During an approved maintenance window: Click Apply & finally OK. You may refresh via ⟳ or browse to Device > Templates page to monitor the apply operation. Traffic may disrupt hence the advisement for a window.
¶ BGP ASNs & Static Route Redistribution
Applying the BGP Template is similar to Network and Static Routes Templates.
Provide the local ASN on the Neighbor tab and add Static on the Redistribute tab per the planning sheet above. Click Apply and OK.
Do not worry about adding any Neighbors yet. This is handled automatically in the Tunnel creation process later. Ignore the dummy neighbor with no IP address.
¶ Firewall Configurations
Two changes are required:
- Disable masquerading on data tunnel for FG1 and CBR1.
- Allow datatunnel to reach LAN and WAN for CBR1.
Both changes for CBR1 could be accomplished together in the same apply operation.
Checkmark firewall zone then click ✎ (pencil) to edit.
¶ Wireless
See Wireless.
¶ Deploying Tunnels
¶ CBR1-FG1 Tunnel
Click on Templates in the Navigation Menu.
Click the blue + (plus) next to Templates.
Select CBR1 for Device A.
Select FG1 for Device B.
Select CBR1's WAN IP address (likely NATed to WAN interface) in FG1's Remote Endpoint Details. If the correct WAN interface is not available, provide it manually in the field.
Click Create, OK, & OK.
Operations show BGP and Tunnel operations for the two routers.
Tunnels shows the newly created tunnel.
¶ CBR1-FX1 Tunnel
Note: OpenWRT-based routers such as FG and CBR support dynamic routing via BGP (and OSPF as well). MiFiOS devices such as FX, FW, S, or M do not support dynamic routing hence static routes are needed to and from them.
FX1 is informed about the static routes during the tunnel wizard under Remote Allowed IPs.
¶ Update Static Routes for CBR1-FX1
Take note of the Tunnel IP of CBR1 for the tunnel to FX1. Due to how Wireguard and Linux routing interoperate, CBR1's own IP address is used along with the tunnel interface. This is counter-intuitive to traditional routing.
Provide FX1's LAN, netmask, CBR1's tunnel IP address as Gateway, a metric, & toggle Add route via VTY shell.
Select the tunnel interface and apply.
¶ Verify End-to-End Connectivity
User browses out to Corporate Datacenter resource http://10.0.0.19.
Inspect the routing table of devices via ip route or Dynamic Route Details.
Inspect the data path of routes via traceroute or tracepath.
$ traceroute 10.0.0.19
traceroute to 10.0.0.19 (10.0.0.19), 64 hops max, 52 byte packets
1 fg2000e-3-e614 (10.255.0.1) 7.351 ms 2.437 ms 1.978 ms
2 10.181.202.162 (10.181.202.162) 109.237 ms 124.236 ms 111.832 ms
3 10.0.0.19 (10.0.0.19) 196.919 ms 116.714 ms 108.492 ms