
SSL VPN setup not working: no ping to local LAN on port 2

I have been working on setting up an SSL VPN. The goal is to have an iPad remote access connect as if it were on the IP range 10.0.3.1/25, which is the port #2 LAN on the Sophos XG230.

I have followed https://community.sophos.com/kb/en-us/122769 but although it connects, it connects as 10.81.234.6 (in the Remote SSL VPN Range), not as a 10.0.3.x, even with the firewall set for MASQ. I am obviously missing something; anyone with a suggestion?

The goal is to have the iPad connect only to the port #2 LAN segment. I do not want it to connect to the port #1 LAN at all, nor should anyone on port #1 see it.

Every device on the port #2 LAN has a fixed IP with the Sophos IP as the gateway.


This thread was automatically locked due to age.
  • This is not possible AFAIK, simply because the SSL VPN server creates a virtual NIC called tun0-00 which has an IP address that the VPN clients use as their default gateway. If you were to use a subnet that belongs to Port#2 of your LAN segment as the lease address range on your SSL VPN server, you would effectively have two interfaces in the same broadcast domain, and along with that you would have a route to the same subnet with multiple exit interfaces; only one gets put in the routing table, leaving the other interface useless.

    One way you can get around this, which is not advisable, is to set the SSL VPN lease range to a smaller subnet like a /28 or /29 (i.e. 10.0.3.128/28) so that it doesn't conflict with your LAN routing. With this setup, you should ensure that you never use an address in the 10.0.3.128/28 subnet on your Port#2 LAN subnet. (I haven't tested this scenario, so I'm not 100% sure it is going to work.)
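As an added illustration of the routing point in the reply above (this is not code from the thread or from Sophos), the check below tells whether a proposed SSL VPN lease range shares addresses with the Port #2 LAN subnet and which fixed-IP hosts would collide with it; the host list is a constructed sample.

```python
import ipaddress

# Values taken from the thread: Port #2 LAN (10.0.3.1/25 is network 10.0.3.0/25)
# and the /28 lease range suggested in the reply.
LAN_PORT2 = "10.0.3.1/25"
SUGGESTED_LEASE = "10.0.3.128/28"

# Constructed sample of fixed-IP devices on Port #2 (not from the thread).
PORT2_HOSTS = ["10.0.3.10", "10.0.3.20", "10.0.3.100"]


def _net(cidr):
    # strict=False accepts a host address with a prefix, e.g. 10.0.3.1/25.
    return ipaddress.ip_network(cidr, strict=False)


def lease_conflicts_with_lan(lan, lease):
    """True when the lease range shares addresses with the LAN subnet.

    The lease range becomes a route via tun0-00; if it lies inside the LAN
    prefix, two interfaces claim the same addresses and only one route wins.
    """
    return _net(lan).overlaps(_net(lease))


def hosts_inside_lease(hosts, lease):
    """Fixed-IP hosts whose address would also be handed out to VPN clients."""
    net = _net(lease)
    return [h for h in hosts if ipaddress.ip_address(h) in net]


def free_lease_candidates(supernet, lan, prefixlen=28):
    """Subnets of `supernet` of the given size that do not overlap the LAN."""
    lan_net = _net(lan)
    return [str(s) for s in _net(supernet).subnets(new_prefix=prefixlen)
            if not s.overlaps(lan_net)]


def check_plan(lan=LAN_PORT2, lease=SUGGESTED_LEASE, hosts=PORT2_HOSTS):
    return {
        "lan": str(_net(lan)),
        "lease": str(_net(lease)),
        "lease_overlaps_lan": lease_conflicts_with_lan(lan, lease),
        "colliding_hosts": hosts_inside_lease(hosts, lease),
    }


if __name__ == "__main__":
    for key, value in check_plan().items():
        print(f"{key}: {value}")
    print("free /28 ranges in 10.0.3.0/24:",
          free_lease_candidates("10.0.3.0/24", LAN_PORT2))
```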

  • OK, it is not that I wanted to have an exact IP address on the LAN side. I just wanted to have the device "see" the other devices on the LAN via VPN.

    What was not available was a "reflexive" rule in the firewall instructions. The KB implied that only one rule needs to exist. It could have been a simple radio button in the software, but no, it had to be a full-on self-made rule.

    I had assumed that the KB was giving us a workable solution, not a crippled one.
