4

My client is the tenant who will be sharing Internet from the other tenant. The other tenant has a WatchGuard in place. I am not familiar with WatchGuard or their interface. The IT guy I am working with is struggling with the setup so I am trying to gather information to assist him.

Our Internet has 5 public IPs and we want my client to have one of them. So I need an IP passed through the WatchGuard to my router's WAN port. I believe the WatchGuard is an XTM 5 series... I don't have access to the interface or to it physically.

Can anybody give some details of what we should be looking for in the interface to accomplish this?

  • 1
    What type of internet circuit is this? If it's a cable modem, you can likely put a switch between the modem and the Watchguard. Then that client can continue using their Watchguard as is, and you can connect another router to that switch and assign it one of the other public IPs for your client. – EEAA Jan 13 '13 at 20:51
  • 1
    Right. And @EEAA's suggested setup would also keep Company 1's internal network isolated from Company 2. – Michael Hampton Jan 13 '13 at 20:53
  • I did think about that but will go to that as a last resort. If the WatchGuard will support what we want I don't want to introduce another point of failure. – Andy Boutte Jan 13 '13 at 21:07

2 Answers

1

If it's a cable modem, the easiest thing is going to be to skip the Watchguard and plug your client's cable into the back of the modem. Turn off any 'features' on the modem like packet inspection or firewalls as they just make things break.

If you can't do that, look for Proxy ARP, IP Forwarding, and Bridging features on the Watchguard (not sure if they're exposed, but the underlying Linux can handle it).

Bill McGonigle
0

We have an XTM21 where I work. The Watchguard boxes are appliances (Linux boxes) that provide a firewall, QoS, and all that. Ours works pretty well; the UI is a little sluggish, but it does the job well enough.

For your setup you're going to have to set up 2 networks: one with the first tenants, and the 2nd with your customers. You can read more about the products here:

The ISP is going to be giving you a block of IP addresses. For example, the ISP might give you 50.122.20.48/28 as your IP block. This allots you 16 IPs: one for the network (.48), one for the default route (most likely .49), the broadcast IP address for the network (.63), and the actual IPs to use for devices (.50 through .62).

Use this CIDR calculator to determine the network topology:

CIDR calculator

So out of the back of the ISP's modem you've probably got 3-4 Ethernet ports. Plug 2 wires into the back of that, and those 2 wires go into ports on the Watchguard box. Then you'll need to configure each of those ports for a specific IP from the ISP. They should be perhaps 50.122.20.50 and 50.122.20.51.

Using 2 additional Ethernet ports on the Watchguard box, set up 2 separate class C networks, say 192.168.0.0/24 and 192.168.1.0/24: one for the first tenant and the other for your customer.

You'll need to make sure that the 2 networks have firewall rules disallowing each other's subnets from being routable to each other as well.

Comment if you need more info, this should get you started.

slm
  • Thanks for the info slm. That confirms that this is all possible with the WatchGuard, but to help out the other IT guy I am going to need more specifics. By chance have you seen a WatchGuard document that shows this setup? – Andy Boutte Jan 13 '13 at 22:38
  • No, there is no documentation that I've ever seen that walks you through specifics of how to set up a network topology such as the one you and I have highlighted. I've only seen docs that discuss the various features of the XTM & how to use them. Also, where I work they opted to pay a specialist to do this, which in hindsight was a waste IMO. It will take time to figure out how to set up the XTM, but the docs for the features are pretty good and it isn't over the top complicated. Just my $0.02. – slm Jan 14 '13 at 00:10
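
The address plan described in slm's answer can be checked on paper before anyone changes the firewall. The following is an added example, not part of the original answers and not WatchGuard tooling: the function names and tenant labels are assumptions, and the addresses are the example values from the answer. It flags external IPs that collide with the network, broadcast or gateway address, tenant LANs that overlap, and lists the deny rules needed in both directions for isolation.

```python
import ipaddress
from itertools import combinations

# Example values taken from the answer above; tenant labels are hypothetical.
ISP_BLOCK, GATEWAY = "50.122.20.48/28", "50.122.20.49"
EXTERNAL = {"tenant1": "50.122.20.50", "tenant2": "50.122.20.51"}
LANS = {"tenant1": "192.168.0.0/24", "tenant2": "192.168.1.0/24"}

def validate_plan(isp_block, gateway, external_ips, tenant_lans):
    """Return a list of problems found in a shared-firewall address plan."""
    problems = []
    block = ipaddress.ip_network(isp_block)
    gw = ipaddress.ip_address(gateway)
    reserved = {block.network_address: "network address",
                block.broadcast_address: "broadcast address",
                gw: "ISP gateway"}
    if gw not in block:
        problems.append(f"gateway {gw} is outside {block}")
    seen = set()
    for name, ip in external_ips.items():
        addr = ipaddress.ip_address(ip)
        if addr not in block:
            problems.append(f"{name}: {addr} is outside {block}")
        elif addr in reserved:
            problems.append(f"{name}: {addr} is the {reserved[addr]}")
        if addr in seen:
            problems.append(f"{name}: {addr} is assigned twice")
        seen.add(addr)
    lans = {n: ipaddress.ip_network(c) for n, c in tenant_lans.items()}
    for name, net in lans.items():
        if not net.is_private:
            problems.append(f"{name}: {net} is not private address space")
    for (a, na), (b, nb) in combinations(lans.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} {na} overlaps {b} {nb}")
    return problems

def isolation_rules(tenant_lans):
    """Deny rules (action, source, destination) for every pair of tenant LANs."""
    rules = []
    for (_, na), (_, nb) in combinations(tenant_lans.items(), 2):
        rules += [("deny", na, nb), ("deny", nb, na)]
    return rules

if __name__ == "__main__":
    print(validate_plan(ISP_BLOCK, GATEWAY, EXTERNAL, LANS) or "plan is consistent")
    for rule in isolation_rules(LANS):
        print(*rule)
```
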