Ecessa PowerLink SD-WAN and Firebox Integration Guide

Deployment Overview

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.

This integration guide describes how to set up Ecessa PowerLink with the WatchGuard Firebox. PowerLink provides automatic failover between WAN connections, including ISP links, with load balancing and traffic shaping.

Integration Summary

The hardware and software used in this guide include:

  • WatchGuard FireboxV with Fireware v12.1
  • Ecessa PowerLink PL150 v10.6.9

Topology

This integration demonstrates how to set up an Ecessa device with two WAN interfaces to handle multi-WAN failover for a FireboxV configured in Drop-In mode. If Ecessa is routing for a Firebox that requires inbound connections, the Firebox must be configured in Drop-In mode so that the Ecessa device handles NAT. The first WAN link is configured with a static IP address and the second WAN link with DHCP. We also configured an inbound SSH connection to a Linux device that we could use to test the integration.

Ecessa with WatchGuard FireboxV topology

Configure Ecessa

To configure Ecessa:

  1. Log in to the Ecessa web UI.
    The default URL is https://192.168.50.1. The default user name is root and the default password is PWRLNK.
  2. From the Basic Setup section, select WAN.
  3. Click Add New WAN.
    The Base WAN Settings appear.

Screen shot of Ecessa static WAN setup

  1. From the WAN Type drop-down list, select Static.
  2. From the Ethernet Port drop-down list, select the physical port.
  3. In the WAN Alias field, type the interface alias.
  4. In the WAN Address Settings section, type the WAN IP/Mask in slash notation and the Gateway IP.
  5. Adjust the Test Points and Link Settings and WAN Advance Settings according to your network.
  6. Select the Save Changes check box.
  7. To apply the saved settings, click Activate.
  8. From the Basic Setup section, select WAN.
  9. Select Add New WAN.

Screen shot of Ecessa add WAN DHCP

  1. From the WAN Type drop-down list, select DHCP.
  2. From the Ethernet Port drop-down list, select the physical port.
  3. In the WAN Alias text box, type the interface alias.
  4. Adjust the Test Points and Link Settings and WAN Advance Settings according to your network.
  5. Select the Save Changes check box.
  6. To apply the saved settings, click Activate.
  7. Select Basic Setup > LAN.
  8. To add a row, click Add a new LAN.
  9. In the LAN Alias text box, type the interface alias.
  10. In the LAN IP Address field, type the address in slash notation.
  11. From the Ethernet Port drop-down list, select the physical port.
  12. Select the Save Changes check box and click Activate.
  13. From the left side panel, select Routing/NAT > Port Forwarding.
    The Port Forwarding Configuration page appears.
  14. To add a new row, select Add Forwarding Entry.

Screen shot of the Ecessa Port Forwarding configuration

  1. In the WAN IP/IP Range/Alias text box, type the inbound connection public IP address.
  2. In the Port Range text box, type the inbound connection port(s).
  3. In the LAN IP/IP Range/Alias text box, type the internal private IP address.
  4. If required, select PPTP, IPSec, or ICMP.
  5. Select the Save Changes check box.
  6. To apply the saved settings, click Activate.

Configure Firebox for Ecessa

In this example, the Firebox is configured in Drop-In mode. Ecessa performs NAT from the public IP address to the private IP range configured on the Firebox. For Drop-In mode, the Firebox uses the same subnet on all interfaces.

To learn more about how to configure your Firebox in Drop-In mode, see Fireware Help.

  1. Log in to Fireware Web UI.
  2. Select Network > Interfaces.
  3. From the Configure Interfaces in drop-down list, select Drop-In Mode.
  4. Click Configure.
    The IP Settings page appears. In Drop-In Mode all active Firebox interfaces are assigned the same IP address.

Screen shot of the WatchGuard firewall drop-in mode IP assignment

  1. Type the IP Address in slash notation and the Gateway IP address.
  2. Select the Drop-In Settings tab.
  3. In the Automatic Host Mapping section, verify the active interfaces are selected.

Screen shot of the WatchGuard firewall Drop-In settings

  1. Click Back.
  2. Verify the entries and click Save.

Screen shot of the WatchGuard firewall interfaces save

  1. Select Firewall > Firewall Policies.
  2. Click Add Policy.

Screen shot of the WatchGuard Add Policy button

  1. In the Select a policy type section, from the Packet Filter drop-down list, select SSH.

Screen shot of the WatchGuard firewall add policy type

  1. Click Add Policy.
    A page appears that shows the new policy properties.
  2. Type an appropriate Name for the policy.
  3. Remove any alias or IP address from the To and From fields of the policy.
  4. In the From field, select Add.
  5. For the Member type, use the Alias drop-down list and select Any-External.

Screen shot of WatchGuard firewall policy alias add

  1. Click OK.
  2. In the To field, select Add.
  3. From the Member type drop-down list, select Host IPv4 and type the internal private IP address.

Screen shot of the WatchGuard firewall policy member type IP

  1. Click OK.
  2. Verify the policy and click Save.

Screen shot of full WatchGuard policy

Test the Integration

You might need to flush the ARP cache or reboot some routers before you test this integration.

From a Windows computer that is external to the Ecessa device:

  1. Open the Windows command prompt.
  2. Type this command: telnet <public IP address> 22
  3. An SSH response shows the connection on port 22.
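
A scripted version of the telnet check above, added here as an example and not part of the original guide: it connects to the forwarded port and confirms that the reply is an SSH identification string (RFC 4253, section 4.2) rather than any open socket. The function names and the target address 203.0.113.10 are placeholders chosen for this example.

```python
import socket
import sys


def parse_banner(line):
    """Parse 'SSH-protoversion-softwareversion [comments]' into a dict, else None."""
    ident = line.strip().split(" ", 1)
    parts = ident[0].split("-", 2)
    if len(parts) != 3 or parts[0] != "SSH":
        return None
    return {"proto": parts[1], "software": parts[2],
            "comment": ident[1] if len(ident) > 1 else ""}


def read_ssh_banner(host, port=22, timeout=5.0):
    """Connect to host:port and return the parsed SSH identification, or None.

    A server may send other text lines before its identification line, so
    every complete line is inspected until one starts with 'SSH-'.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            buf = b""
            while len(buf) < 4096:          # cap how much pre-banner text is read
                chunk = sock.recv(256)
                if not chunk:
                    break                   # peer closed without a banner
                buf += chunk
                for line in buf.split(b"\n")[:-1]:   # complete lines only
                    if line.startswith(b"SSH-"):
                        return parse_banner(line.decode("ascii", "replace"))
    except OSError:
        return None                         # refused, filtered, or timed out
    return None


if __name__ == "__main__":
    # Placeholder address (documentation range); pass the public IP address
    # configured in the Ecessa port forwarding entry as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    result = read_ssh_banner(target)
    if result is None:
        print(f"{target}:22 no SSH banner (check port forwarding and the SSH policy)")
        sys.exit(1)
    print(f"{target}:22 SSH {result['proto']} {result['software']}")
```

Run it from a host outside the Ecessa device, once for each public IP address that has a forwarding entry.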