
How to Build VPN without WAN Port

Hello,

I have an XG310 system with a BGP connection to the Internet.

Interfaces X11 and X12 are the two BGP ports with the public IPs from the transfer network.

In this scenario you must set them to LAN because they have no gateway.

My (working/real) WAN addresses are 2 Class C networks with public IP addresses.

I use them only with NAT and DNAT rules because all traffic flows over the BGP ports to the firewall.

These IP addresses are only registered via the BGP configuration (virtual) and not bound to an interface.

That's why I have no WAN port in this use case.

 

Now my problem .. :-)

How can I create a VPN connection? The GUI always demands a WAN port for the setup.

In my situation the WAN port is only one of my 512 public IPs that I want to use for it, but I cannot set up a VPN connection with this.

Is there anybody here who has experience with using an XG in a BGP scenario?

PS: everything else .. Internet .. NAT rules .. public server works perfectly



  • Hi Christian,

    Unfortunately there is an easy answer: you cannot use a LAN port for VPN.

     

    Clean Way:

    Vote for this misunderstood feature request:

    https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/13533078-wan-without-gateway

     

    Dirty Way:

    Fake a gateway - worked for me in situations with L2 connections (encryption over a private campus network) or MPLS links without Internet breakout.

     

    Change the Type / Zone of your Class C distributed public network to "WAN".

    Configure one IP as gateway (must be in the same Class C network, e.g. an alias IP owned by the XG) - should work even if this IP is Down, but Down is ugly in monitoring ;)

     

    Make sure the gateway is never ever used for WAN load balancing.

     

    Now you have a WAN port which you could use to terminate IPsec.

     

    Yours, Lukas
