Access internal device from VPN that doesn't have gateway

Hello everyone,

There are currently 4 XGs running at a client with a Site2Site star topology. Everything is working properly and everyone can access everything between the networks, even from the VPN. The question I have is this:

On one of the networks (not the central one) there's a wifi router which acts like a bridge (it gets its network from the SFOS on its LAN port, NOT the WAN port, with a static IP declared), which means it does not route anything. We just use it for the wifi and it works like it should. The problem is that it's the only device whose web interface I cannot access from outside its internal network. Other sites can't access it, and neither can the remote VPN. If I go on site and connect to the SFOS network I can access it normally. I assume the reason is that on the wifi router you can only declare the IP it's going to have and a subnet, not a gateway. Is there a way to do it from Sophos?



This thread was automatically locked due to age.
  • Hi,

    What sort of AP is it? If it is not a Sophos AP it should receive a gateway as part of its DHCP request.

    Ian

  • Actually it's a TP-Link router. I've disabled its DHCP server and connected it directly from a LAN port to the SFOS. That means it's not routing anything and not providing DHCP. The problem with these routers is that their own IP has to be static (as it has the idea it's the main device providing the network) and there is no gateway option, only address and netmask.

    So, configuration from the router's side seems out of the question.

    Also, putting it in normal routing mode (meaning it would get an IP such as 192.168.50.10 from Sophos and provide 192.168.5.x to its own network) is out of the question as well.

  • If you have a network such as 192.168.1.0/24 with Sophos at 192.168.1.1 (default GW), the AP's management IP should be in the DHCP scope of the LAN. If you can access it from the LAN (which you said you can), then you would also be able to access it from the VPN. Look under the SSL VPN allowed subnets: is the AP's subnet allowed to be accessed from the VPN?

  • The router and the SFOS are on the same network.

    Actually it's not an AP, it's a router. Here's what I've done:

    Let's say my internal network is 192.168.11.0.

    The TP-Link is a router with no configuration as an AP or anything. It has 1 WAN port (which gets its network from the modem) and 4 LAN ports, plus wifi. As I didn't want to use a different network than Sophos, I connected a cable from the SFOS LAN to a TP-Link LAN port, NOT the WAN. If I were to connect the cable to the WAN port, the TP-Link would get an IP from Sophos, e.g. 192.168.11.5, BUT the LAN ports of the TP-Link would have to be on a different network, e.g. 192.168.2.0. So that's a no-no. Also, I want the SFOS to have full DHCP management, so no DHCP relay either.

    All good so far.

    The next step is to declare a static IP on the TP-Link (it needs a static one; it cannot get one from DHCP since it thinks it's a router). Assume I set the IP 192.168.11.254. All good here also. Wifi works correctly, all IPs are handed out by the SFOS, everything works normally. I can also access the TP-Link at 192.168.11.254 when I'm on the 192.168.11.0 network.

    If I go to another site (which has a Site2Site link with 192.168.11.0; let's say it has network 192.168.12.0), I can access all of the network both ways, apart from this bloody router. I assume that, since this piece of engineering thinks it's the primary controller of the network, it doesn't want anything coming from other networks.

    Actually there are 2 such devices on 2 sites: one is this TP-Link and the other is a Cisco modem-router with the same config. Both are unable to reach outside their networks. It isn't much of a problem, but I'd rather configure them remotely when bad things happen than go to the site or try to reach people to AnyDesk them so I can access the router (which to me sounds lame).

  • Do you have an AP mode on the TP-Link router? Most wireless routers have this mode. In this mode, you could connect the WAN link to Sophos and it would automatically get an IP from the 192.168.11.0 range for you to manage it. The LAN ports would automatically be put in bridge mode and would hit the Sophos and get an IP in the 192.168.11.0 range.

    The mode you just described above is a routed mode, where the TP-Link WAN port and the LAN would be on different subnets.

    What you are doing is a workaround to get the same outcome as bridge mode. Unfortunately, I do not know exactly how a TP-Link will behave in this mode. I would recommend that you put the router in AP mode and give it a shot. This will ensure we have one less thing to worry about.

    Now, if for some reason you cannot put your router in AP mode, or you are still facing issues even after AP mode, then:

    1. Where is the trace dropping?
    2. Logically, if Sophos is able to assign a DHCP IP to a device connected to LAN port 2 of the TP-Link, that means Layer 2 and Layer 3 communication has been established.
    3. If the device gets a DHCP IP and gateway, then it should be able to communicate with your other segments too. Because the TP-Link is in bridge mode (the IP comes from Sophos), it will not participate in routing. So the device connected to the TP-Link will always send packets destined for other subnets to its default GW, which is Sophos. Which means the issue is your config on Sophos.
      1. Check if pings are allowed from the SSL VPN subnet.
      2. Check if the SSL VPN allows access to the LAN subnets.

    To troubleshoot, try setting up a client-to-site SSL VPN, add the accessible subnets and see if that works.
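The reply above reasons about where the default gateway sends off-subnet traffic. The device the thread is actually about, the bridged TP-Link (and the Cisco in the same setup), is the one host on the LAN that has an address and netmask but no gateway at all, so the forward path from a remote site or VPN client reaches it fine and it is the reply that has nowhere to go. The following is an added example, not code from the thread or from Sophos: a small Python model of that route lookup. It assumes the constructed addresses below (firewall LAN IP 192.168.11.1, a remote-site client in 192.168.12.0/24, a VPN client in a made-up 10.81.234.0/24 pool) and, for the third scenario, a firewall-side source-NAT (masquerading) rule towards the router's address, which is a general firewall technique and not something the thread confirms for this deployment.

```python
"""Added example (not from the thread): a minimal model of the reply path from
a bridged consumer router that has an address and netmask but no default
gateway, showing why it answers LAN clients but not site-to-site or VPN
clients, and what changes once the firewall masquerades (SNATs) that traffic.
Addresses below are constructed to match the thread's 192.168.11.0/24 example."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Host:
    """A host with one interface. gateway=None models the TP-Link/Cisco case
    from the thread, where only address and netmask can be configured."""
    name: str
    interface: str                  # CIDR notation, e.g. "192.168.11.254/24"
    gateway: Optional[str] = None   # default gateway address, or None

    def next_hop(self, dst: str) -> Optional[str]:
        """Route lookup for a packet to dst: 'on-link' if dst is in the connected
        subnet, the gateway address if a default route exists, else None (no
        route; the host silently drops the packet)."""
        connected = ipaddress.ip_interface(self.interface).network
        if ipaddress.ip_address(dst) in connected:
            return "on-link"
        return self.gateway


def can_manage(client_ip: str, target: Host,
               snat_ip: Optional[str] = None) -> Tuple[bool, str]:
    """Does an HTTPS session from client_ip to target's web UI complete?

    The firewall is assumed to forward the request (the thread says every other
    host on the LAN is reachable, so the forward path is fine); the question is
    whether the target can route its reply. snat_ip models a firewall rule that
    rewrites the client's source address to an address on the target's subnet
    (source NAT / masquerading); it is an assumption for illustration, not a
    setting taken from the thread.
    """
    seen_src = snat_ip or client_ip  # source address as the target sees it
    hop = target.next_hop(seen_src)
    if hop is None:
        return False, f"{target.name}: no route back to {seen_src} (no default gateway), reply dropped"
    if hop == "on-link":
        return True, f"{target.name}: replies to {seen_src} directly on the LAN"
    return True, f"{target.name}: replies to {seen_src} via gateway {hop}"


# Constructed topology: firewall LAN IP and the bridged router from the thread.
FIREWALL_LAN_IP = "192.168.11.1"
TPLINK = Host("tp-link", "192.168.11.254/24")            # no gateway option
TPLINK_WITH_GW = Host("tp-link", "192.168.11.254/24", gateway=FIREWALL_LAN_IP)

CLIENTS = {
    "local LAN client": "192.168.11.50",
    "remote site client": "192.168.12.20",   # other spoke, via site-to-site
    "SSL VPN client": "10.81.234.5",         # constructed VPN pool address
}


def main() -> None:
    print("Router with address/netmask only:")
    for label, ip in CLIENTS.items():
        ok, why = can_manage(ip, TPLINK)
        print(f"  {label:20} {ip:15} -> {'OK  ' if ok else 'FAIL'} {why}")
    print("\nWith source NAT on the firewall rule towards the router:")
    for label, ip in CLIENTS.items():
        ok, why = can_manage(ip, TPLINK, snat_ip=FIREWALL_LAN_IP)
        print(f"  {label:20} {ip:15} -> {'OK  ' if ok else 'FAIL'} {why}")
    print("\nIf the router could take a default gateway instead:")
    ok, why = can_manage(CLIENTS["remote site client"], TPLINK_WITH_GW)
    print(f"  remote site client  -> {'OK  ' if ok else 'FAIL'} {why}")


if __name__ == "__main__":
    main()
```

Running it shows the local client succeeding and both the remote-site and VPN clients failing on the reply path with the router as configured, and both succeeding once the firewall masquerades those sessions behind its own LAN address (or, in the last scenario, once the router has a gateway). Two caveats a practitioner would want: the firewall rule that permits the site-to-site or SSL VPN subnets to reach 192.168.11.254 still has to exist, so the checks in the reply above still apply; and source NAT hides the real client address from the router's own logs and access lists, so scope such a rule to the management port of that one host rather than to the whole LAN.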