Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 22 replies
  • Answers 2 answers
  • Subscribers 28 subscribers
  • Views 26817 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

BGP Basic Routing Question

Christian Kolbe

Hello,

 

try to build up my first solution with BGP and a I´m bit sad … some Things dont work.

 

Situation:

Sophos XG as Gateway Firewall.

2 BGP Partner .. 2 Public Networks to announce. an 20 VLAN with private Networks behind the XG.

 

What ist working …

I got the BGP Working, i createt some dnat rules to bring the traffic from the local Network into the Internet.

 

What don´t work.

I can not Register the Sohos XG .. because it has no WAN Interface. ( ? )

I have build all as LAN Interfaces ..the 2 BGP Interfaces and the "real" Lan Interface.

If i want to Register the Sophos says .. "Register Server is not reachable".

I can also not ping a host into the Internet from Diagnosis of the XG.

From a Client with a privat IP that goes over the DNAT Rule .. everything works fine with Internet an ping.

 

I think the is a Basic "Default Route" missing .. but how can i set a Default route with BGP because i have no WAN Interface and only

virtual 2 Networks with public IP´s .

 

Is is necessary to set one of the physical Interfaces with a IP from the Public Pool ?

My Public Pool ist 195.37.XX.0/23  .. 

My old Cisco Router had on one interface the IP 195.37.XX.1  and our Layer 3 Switch which terminated the VLANS had this IP as the Default route.

Now i want to terminate all VLAN´s on the Sophos XG .. ( it works) but how can i bring the public Network inside,

because we have some devices in our Network that Need a IP from the Public Pool (195.37.XX.0/23)

 

If you understand my litlle confuse Questions .. im very happy for every tip.

 

 

 



This thread was automatically locked due to age.
  • 0

    The Appliance need at least 1 WAN interface as Zone Type WAN.

    As i read in your post, this seems to be the problem.

    Can you link a screenshot of your interface config?

    You should have 1 Interface (VLAN) at least as Type WAN.

     

    Or (to work without a WAN interface) try to use the parent proxy in the routing tab. But would go with a WAN Interface.

    Zone WAN is a preconfigured zone, which points all traffic for the appliance to the Internet.

    Maybe you should get in touch with your partner or the distribution to get a small workshop regarding the zone concept / XG policy handling.

  • 0 in reply to LuCar Toni

    Here are some Screenshots .. perhaps you could advise how to define the wan interface .. 

    So i should define one of my public IP Adresses as a wan interface ?? .. but what is the gateway for that ???

    Screensot with BGP Config and Config Network interfaces 

  • 0 in reply to Christian Kolbe

    So you dont have any WAN interface.

    Would suggest at least one WAN interface.

    The Gateway would be "the next hop" of your BGP route. I *think* you have to predefine this one. Do you know your next hope from XG WAN?

  • 0 in reply to LuCar Toni

    sorry .. i don´t understand you.

    We are using BGP from Internet Provider .. behind the BGP Partnes is ... WWW

     

    Here is my BGP config :

     

    XG-Port 11 is BGP Port 1

     

     
     
    188.1.230.110/255.255.255.252
     
    XG-Port 10 is BGP Port 2 
    188.1.237.246/255.255.255.252
     
    BGP Partner are : 
    188.1.237.45 
    188.1.230.109
     
    My Network for BGP is : 195.37.84.0/23 ( 512 Public IP Addresses :-) ) yes....
     
     
    So i should define a wan interface with ip 195.37.84.1 .. but next Hopp is  188.1.237.109  ???
     
     
  • +1 in reply to Christian Kolbe

    I have tried several way.. 

    i can not define a WAN Interface ..  a wan Interface need a gateway into the same IP Range .. but with BGP you have

    a bgp default route and the Announced networks are working with DNAT Rules .. 

     

    I can do everything with a lan client .. Internet and all the other but the XG itself dont go to registration site ....

  • 0 in reply to Christian Kolbe

    Lets try something else. Please open 2 SSH consoles.

    one with advanced Shell: tailf /log/licensing.log

    One the other please a dump to the licensing server, which the appliance tries to connect.

    tcpdump -ni any host (IP of the server) and port 443

    Please share the output.

  • 0 in reply to LuCar Toni

    Hello,

     

    here are the Screenshots …

    It´s very strange.

    Yesterday i had already contact to a german Sophos Member of Helpdeskt Team … but he could´t help me,

    because he had never installations with bgp ..

    We have an other strange behaviour on the Machine .. from the console and from the gui you can ping Google 8.8.8.8 but no other Public IP ….

    But from a Client behind a DNAT Rule .. everything works fine !!

  • 0 in reply to Christian Kolbe

    Sound like a "routing" issue...

    You see the traffic is going to the correct IP with 188.1.230.110 on Port11.

    So next question: Port11 is your Potential interface to go to the internet?

    But 188.1.230.110 seems to be the Appliance interface address, isnt it?

    In my point of view, the appliance does the correct routing. But the neighbor of Port11 maybe does not NAT the traffic.

    You say, you can ping Google? try ip r g 8.8.8.8 to see, which interface is used. Then do a tcpdump -ni any icmp and ping again.

    Should the Appliance NAT anything? Do you have a Policy which NATs the Traffic?

  • 0 in reply to LuCar Toni

    of Course it´s a Routing issue but it´s only on the XG itself, a Client behind his nat rule works perfect.

     

    it´s BGP …

    Interface Port 11 and Port 10 are the BGP Endpoints  ( Interface to Internet) ,

    IP: 188.1.230.110  an IP 188.1.237.246

    They have Partners, that are the next hops.. in BGP

    IP 188.1.230.109  and 188.1.237.245 

    Technically 188.1.230.110 and 188.1.237.246 are the wan interfaces .. but you can not declare this as a wan interface because it has no Gateway. (that makes BGP)

     

    We use this XG as a replacement of an older CISCO 3748 Border Router, i have checked the configuration of this cisco device .. he had also no Default Gateway !!

    Some Screenschots :

    Default DNAT Rule  ( i use one Address 195.37.84.10 from the public pool for nat) (VLAN1 ) all the other VLAN´s have an own public Address for nat.

    Cisco BGP Config have adapted it to XG .. without any filter rules

     

    it´s a Problem special related to BGP Implementation and Routing but i can not find any Person on Sophos Germany that has the neccessary Knowledge

    about working with BGP and Sophos XG. :-(

     

     

     

     

     

  • +1 in reply to Christian Kolbe

    So - We are talking about traffic, which is leaving the correct interface with the correct ip address.

    Maybe this is a BGP config issue?

    I mean, how can you know, the traffic is not dropped on the next station or the bgp config is not correct? Seems to be correct on XG site. How can you decide, it is a XG issue? The dump seems to be fine according to your information.

     

    So lets check the dump again - We are sending the Sync. But there is no response.

    Try a telnet from a Client behind the DNAT(i am a little bit confused about the DNAT, you mean SNAT isnt it?) and dump it.

    Then try to find the related pattern. Which IP is used from the client and which from the XG itself.

    In your Policy is a "NAT_1.." SNAT Policy. Which IP is it?

     

    Maybe you need a SNAT Rule for the Sys Traffic:

    https://community.sophos.com/kb/en-us/122999