Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

How to Set Up a Default Route Through a Site-to-Site VPN Tunnel

In this example scenario, a Barracuda NextGen Firewall F-Series in the internal LAN requires an Internet connection. A second Barracuda NextGen Firewall F-Series (the external system) has direct Internet access and is therefore used to tunnel the Internet traffic to the internal system.

Step 1. Configure a Site-to-Site VPN Tunnel

Make sure that you have correctly configured the site-to-site VPN tunnel between both firewalls. For more information, see How to Create a TINA VPN Tunnel between F-Series Firewalls.

Step 2. Configure the Internal Barracuda NextGen Firewall F-Series

To configure the Barracuda NextGen Firewall F-Series in the internal LAN:

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > VPN-Service > Site to Site.
  2. Click Lock.
  3. Open the TINA tunnel and configure 0.0.0.0/0 as the Remote Network.
    [Figure: defroutvpnint.png]
  4. Create a dummy default route to prevent packets from being dropped in the forwarding firewall.
    [Figure: howtocreadefroutvpndummy.png]

  5. Click Send Changes and Activate.

Step 3. Configure the External Barracuda NextGen Firewall F-Series

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > VPN-Service > Site to Site.
  2. Click Lock.
  3. Open the TINA tunnel and add 0.0.0.0/0 (the default route) in the Local Networks table.
    [Figure: howtocredefroutext.png]
  4. Click Send Changes and Activate.

Step 4. Configure Access Rules for the Tunnel

Remember to also create access rules on both firewalls for the tunnel traffic. For more information, see How to Create Access Rules for Site-to-Site VPN Access.

If Dynamic SNAT is used in the access rules for the internal unit, the dummy route is used instead of the VPN tunnel. Therefore, make sure that the rules have No SNAT configured for Internet traffic traversing the VPN tunnel.
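The following script is an added example, not part of the article or of Barracuda's own tooling. It models the four settings the steps above depend on (the internal tunnel's Remote Network, the dummy default route, No SNAT on the internal unit's Internet rule, and 0.0.0.0/0 in the external tunnel's Local Networks plus a real default route on the external unit) as a constructed, simplified configuration and checks them for consistency. The dictionary layout, field names, and addresses are assumptions made for this example and do not reflect the firewall's real configuration format.

```python
import copy
import ipaddress

# Constructed, simplified model of the relevant settings on both firewalls.
# The field names are assumptions for this example, not Barracuda's
# configuration format; the values mirror the steps in the article.
INTERNAL_FW = {
    "name": "internal",
    "tina_tunnel": {"remote_networks": ["0.0.0.0/0"]},
    # Dummy default route so packets are not dropped in the forwarding firewall.
    "routes": [{"destination": "0.0.0.0/0", "gateway": "192.0.2.1", "dummy": True}],
    "access_rules": [
        {"name": "LAN-2-INTERNET-VPN", "destination": "0.0.0.0/0", "snat": "none"},
    ],
}

EXTERNAL_FW = {
    "name": "external",
    "tina_tunnel": {"local_networks": ["0.0.0.0/0"]},
    # Real default route toward the Internet gateway.
    "routes": [{"destination": "0.0.0.0/0", "gateway": "203.0.113.1", "dummy": False}],
    "access_rules": [
        {"name": "VPN-2-INTERNET", "destination": "0.0.0.0/0", "snat": "dynamic"},
    ],
}

DEFAULT_NET = ipaddress.ip_network("0.0.0.0/0")


def _is_default(cidr):
    """True if the CIDR string is the default network 0.0.0.0/0."""
    return ipaddress.ip_network(cidr, strict=False) == DEFAULT_NET


def check_default_route_over_vpn(internal, external):
    """Return a list of findings; an empty list means the setup matches the article."""
    findings = []

    # Step 2.3: the internal tunnel must carry 0.0.0.0/0 as its Remote Network.
    if not any(_is_default(n) for n in internal["tina_tunnel"].get("remote_networks", [])):
        findings.append("internal: TINA tunnel Remote Network does not include 0.0.0.0/0")

    # Step 2.4: a (dummy) default route must exist, otherwise packets are dropped.
    if not any(_is_default(r["destination"]) for r in internal["routes"]):
        findings.append("internal: no dummy default route; packets would be dropped "
                        "in the forwarding firewall")

    # Step 4: Dynamic SNAT on the internal unit diverts traffic to the dummy route.
    for rule in internal["access_rules"]:
        if _is_default(rule["destination"]) and rule["snat"] != "none":
            findings.append(f"internal: rule {rule['name']} uses {rule['snat']} SNAT; "
                            "Internet traffic would follow the dummy route instead of the tunnel")

    # Step 3.3: the external tunnel must publish 0.0.0.0/0 in its Local Networks.
    if not any(_is_default(n) for n in external["tina_tunnel"].get("local_networks", [])):
        findings.append("external: TINA tunnel Local Networks do not include 0.0.0.0/0")

    # Troubleshooting: the external unit needs a real default route to an Internet gateway.
    real_defaults = [r for r in external["routes"]
                     if _is_default(r["destination"]) and not r.get("dummy", False)]
    if not real_defaults:
        findings.append("external: no valid default route to an Internet gateway")

    return findings


def variant(fw, **overrides):
    """Deep-copy a firewall model and replace top-level keys (builds misconfigured cases)."""
    out = copy.deepcopy(fw)
    out.update(overrides)
    return out


if __name__ == "__main__":
    cases = [
        ("as documented", INTERNAL_FW, EXTERNAL_FW),
        ("dynamic SNAT on internal unit", variant(INTERNAL_FW, access_rules=[
            {"name": "LAN-2-INTERNET-VPN", "destination": "0.0.0.0/0", "snat": "dynamic"}]),
         EXTERNAL_FW),
        ("no dummy route on internal unit", variant(INTERNAL_FW, routes=[]), EXTERNAL_FW),
        ("no default route on external unit", INTERNAL_FW, variant(EXTERNAL_FW, routes=[])),
    ]
    for label, int_fw, ext_fw in cases:
        print(f"{label}: {check_default_route_over_vpn(int_fw, ext_fw) or ['OK']}")
```

Each finding names the step in the article that would fix it, so the checker doubles as a pre-activation review of the settings before clicking Send Changes and Activate.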

Troubleshooting

If you have issues with the default route for the site-to-site VPN tunnel, try the following solutions:

  • No traffic passes through the default route – Verify whether the VPN connection itself works by setting up clients on both ends of the tunnel. Note that locally transmitted ICMP pings are not redirected through the tunnel. The client on the external system can also be an external web server.
  • ICMP traffic passes through the VPN tunnel in one direction but the reply does not – Use Dynamic SNAT on the external Barracuda NextGen Firewall F-Series.
  • There is no connection to the Internet – Make sure that a valid default route also appears in the regular network configuration of the external Barracuda NextGen Firewall F-Series and that this default route points to a working Internet gateway.