
EoIP Sophos XG alternative

Hi Folks, 

Currently we have some customers that need to extend the Head Office LAN network to the Branch Office over the internet, and currently they use Mikrotik with the EoIP protocol.

Is there any way to do it with XG?

 

Eg.

 

HO LAN 192.168.0.0/24    ---- Sophos XG  ------- Internet   -------- Sophos XG ------ BO LAN 192.168.0.0/24

 

Regards,

Carlos



  • Sophos could actually build this with RED Site to Site or IPsec.

    https://community.sophos.com/kb/en-us/125101

    It is like a Cable between both appliances. 

    __________________________________________________________________________________________________________________

  • Hi, thank you for your reply.

    When you say "RED", is it the Hardware or Software (embedded into XG appliances), or both? 

     

    Regards,

    Carlos

  • Hi Carlos, 

     

    Sophos Remote Ethernet Device (RED) is a small network appliance, designed to be as simple to deploy as possible. Its main purpose is to provide a secure tunnel from its deployment location to a Sophos XG Firewall.

    There is no user interface on the RED appliance. It is designed to be fully configured and managed from a Sophos Firewall. RED devices can be shipped to a remote site, connected to any DHCP connection to the internet, and be fully configured by a remote administrator with no prior knowledge of the site, and no need to walk local personnel through technical setup steps. 

     

    From Sophos Guide: https://community.sophos.com/kb/en-us/126454

     

    Best, 

     

    BadRobot

    Respectfully, 

     

    Badrobot

     

  • Hi  

    Yes, I know about the RED device. When I asked about software I meant the RED interface in Sophos XG, because my customers already have XG devices and not RED devices.

    Did you understand?

     

    This config

     

    Cheers,

    Carlos

  • Actually XG is capable of doing the same mechanism as RED.

    You will simply follow my KBA, and one XG acts as Server and one as RED "Client".

    Basically that only matters in Case of multiple WAN Connections. 

    But most likely the tunnel will be up and you will have a "direct" connection between both XGs.

    So you have to setup everything like a direct connection - Routing, Firewalling etc. 

    __________________________________________________________________________________________________________________

  • Hi  

    Yes, about RED Server and Client using XG, I have tested it with success!

    My doubt is this scenario:

     

    HO LAN 192.168.0.0/24    ---- Sophos XG  RED Server  ------- Internet   -------- Sophos XG RED Client ------ BO LAN 192.168.0.0/24

     

    I need to use the same LAN segment in HO and BO, and I don't have any idea how to do it.

     

    Regards,

    Carlos

  • That is more complicated.

    You need something called 1:1 NAT. 

    It would basically hide everything behind a NAT to the other side. 

    Or you could bridge both sites together (LAN to RED on both sites). I would not recommend doing it. 

    __________________________________________________________________________________________________________________

  • Hello  

    At this moment, I cannot use 1:1 NAT.

    I will study the second suggestion, Bridge LAN+RED. But why don't you recommend it?

     

    Best regards

    Carlos

  • What do you mean the same as in they both use the same subnet?  

    Respectfully, 

     

    Badrobot

     

  • Yes,

    the HO and BO use the same LAN subnet.

     

    :)

     

    Carlos

  • This could be wrong but could you use a site to site VPN and have each LAN be set for a different VLAN?

    Respectfully, 

     

    Badrobot

     

  • Let's wrap up:

    NAT would basically hide the network from the firewall's perspective. 

    So basically you will have another network on each site.

    For Example:

    XG1 192.168.0.0/24

    XG2 192.168.0.0/24

     

    You will create a 1:1 NAT with different Networks.

    XG1 will keep 192.168.0.0/24 and sees the network of XG2 as 192.168.1.0/24

    XG2 will keep 192.168.0.0/24 and sees the network of XG1 as 192.168.2.0/24

     

    The 1:1 NAT will translate each request correctly. 

    Client1 behind XG1 with 192.168.0.10 will try to access Client2 behind XG2 with 192.168.0.20. 

    Client1 will have to ask for 192.168.2.20.

    XG2 will translate those packets back to 192.168.0.20 on XG2 site.

     

     

     

    The other approach would be: 

    Bridge the networks together. 

    But you cannot actually have the same network addresses; you have to decide who is going to preserve the NAT, XG1 or XG2 or a server. 

    If the tunnel fails, the other site will fail without DHCP.

    All broadcast traffic will be forwarded to the other site (using the internet connection): most likely it will flood your WAN connection. You have to deal with it on the XG firewall side. 

     

    Basically you will throw a long ethernet cable and build a Layer 2 bridge between both sites. 

    __________________________________________________________________________________________________________________
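    To make the 1:1 NAT walk-through above concrete, here is an added simulation (not from the thread or from Sophos) that follows the stated alias assignment: XG1's LAN is presented to the far side as 192.168.2.0/24 and XG2's LAN as 192.168.1.0/24, while both sites really use 192.168.0.0/24. Client addresses and hop labels are constructed; it also shows why a packet addressed to the unmapped 192.168.0.20 never leaves the HO site.

    ```python
    from ipaddress import ip_address, ip_network

    # Constructed scenario from the thread: both sites use the same LAN subnet.
    REAL = ip_network("192.168.0.0/24")


    class OneToOneNat:
        """1:1 NAT on one XG between its real LAN and the alias the far side sees."""

        def __init__(self, name, alias):
            self.name = name
            self.alias = ip_network(alias)

        @staticmethod
        def _map(addr, src_net, dst_net):
            # 1:1 NAT keeps the host part and swaps only the network part.
            host = int(ip_address(addr)) - int(src_net.network_address)
            return str(ip_address(int(dst_net.network_address) + host))

        def to_tunnel(self, pkt):
            """LAN -> tunnel: SNAT the real source address to this site's alias."""
            src, dst = pkt
            if ip_address(src) not in REAL:
                raise ValueError(f"{self.name}: {src} is not in the local LAN")
            return (self._map(src, REAL, self.alias), dst)

        def from_tunnel(self, pkt):
            """tunnel -> LAN: DNAT the alias destination back to the real LAN."""
            src, dst = pkt
            if ip_address(dst) not in self.alias:
                raise ValueError(f"{self.name}: {dst} is not in alias {self.alias}")
            return (src, self._map(dst, self.alias, REAL))


    def round_trip(client1, target):
        """Trace (src, dst) at each hop for Client1 at HO talking to `target`."""
        xg1 = OneToOneNat("XG1", "192.168.2.0/24")  # XG2 sees HO LAN as .2.0/24
        xg2 = OneToOneNat("XG2", "192.168.1.0/24")  # XG1 sees BO LAN as .1.0/24
        hops = [("Client1 sends", (client1, target))]
        if ip_address(target) in REAL:
            # Overlap problem: a real BO address looks local to HO and is never routed.
            hops.append(("delivered locally, never reaches BO", (client1, target)))
            return hops
        pkt = xg1.to_tunnel((client1, target)); hops.append(("in tunnel", pkt))
        pkt = xg2.from_tunnel(pkt); hops.append(("Client2 receives", pkt))
        reply = xg2.to_tunnel((pkt[1], pkt[0])); hops.append(("reply in tunnel", reply))
        reply = xg1.from_tunnel(reply); hops.append(("Client1 receives", reply))
        return hops
    ```

    Because only the network part changes, each real host keeps a stable alias on the far side, which is what makes the tunnel look like a direct connection once routing and firewall rules are written against the alias networks.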

  • Hi  

    Thank you for your response.

    Yes, 1:1 NAT would work very well, I have environments running with this. But in this case, I need to replace Mikrotik devices in HO and BO, and currently they are connected by Mikrotik's EoIP protocol.

    The current environment has devices connected using this scenario, and I need to keep this config.

     

    Using your suggestion I'm testing RED + LAN Bridge - https://community.sophos.com/kb/en-us/122783 - and in my first tests it is working as expected. There is one problem that I need to investigate: the ping to devices behind the XG is 2 ms and the ping to the XG device itself is 20 ms. 

    I'll try to investigate the reason for this.

     

    Thank you for your suggestions 

     

    Cheers

    Carlos