eoIP Sophos XG alternative

Sophos could actually build this with RED Site to Site or IPsec.

https://community.sophos.com/kb/en-us/125101

It is like a Cable between both appliances. 

Hi LuCar Toni thank you by your reply.

When you say "RED", is it the Hardware or Software (embedded into XG appliances), or both? 

Regards,

Carlos

Hi Carlos, 

Sophos Remote Ethernet Device (RED) is a small network appliance, designed to be as simple to deploy as possible. Its main purpose is to provide a secure tunnel from its deployment location to a Sophos XG Firewall.

There is no user interface on the RED appliance. It is designed to be fully configured and managed from a Sophos Firewall. RED devices can be shipped to a remote site, connected to any DHCP connection to the internet, and be fully configured by a remote administrator with no prior knowledge of the site, and no need to walk local personnel through technical setup steps. 

From Sophos Guide: https://community.sophos.com/kb/en-us/126454

Best, 

BadRobot

Hi Badrobot 

Yes I know abouot RED device. When I aked abou software I meant about RED Interface in sophos XG. Because My customers already has XG devices and not RED devices.

Did you understood!?

This config

Cheers,

Carlos

Actually XG is capable of doing the same mechanism like RED.

You will simply follow my KBA and one XG acts as Server and one as a RED "Client".

Basically that only matters in Case of multiple WAN Connections. 

But most likely the tunnel will be up and you will have a "direct" connection between both XGs.

So you have to setup everything like a direct connection - Routing, Firewalling etc. 

Hi LuCar Toni 

Yes, about RED Server and Client using XG, I have tested it with success!

My doubt is this scenario

HO LAN 192.168.0.0/24    ---- Sophos XG  RED Server  ------- Internet   -------- Sophos XG RED Client ------ BO LAN 192.168.0.0/24

I need usage the same LAN segment in HO and BO, and I don' t have ideia about do it.

Regards,

Carlos

That is more complicated.

You need something called 1:1 NAT. 

It would basically hide everything behind a NAT to the other side. 

Or you could Bridge both sites together (LAN to RED on both sites). I would not recommend to do it. 

Couldn't you also do a site to site VPN in this case between 2 XG Firewalls, https://community.sophos.com/kb/en-us/123140

Hi Badrobot 

I already usage IPSEC VPN, but in this case, I can´t usage due the both network segments need to be the same, and I can´t usage NAT Translator :(

regards,

Carlos

What do you mean with needs to be the same and cannot use NAT? 

Hello LuCar Toni 

In this momment, I cannot usage 1:1 NAT.

I will study the second suggestion Bridge LAN+RED. But why do you dont recommend it?

Best regards

Carlos

Hello LuCar Toni 

In this momment, I cannot usage 1:1 NAT.

I will study the second suggestion Bridge LAN+RED. But why do you dont recommend it?

Best regards

Carlos

What do you mean the same as in they both use the same subnet?  

Yes,

the HO and BO usage the same LAN subnet.

:)

Carlos

This could be wrong but could you use a site to site VPN and have each LAN be set for a different VLAN?

Lets wrap up:

NAT would basically hide the network from the Firewall Perspective. 

So Basically you will have another Network on each site.

For Example:

XG1 192.168.0.0/24

XG2 192.168.0.0/24

You will create a 1:1 NAT with different Networks.

XG1 will stay to have 192.168.0.0/24 and sees the Network of XG2 as 192.168.1.0/24

XG2 will stay to have 192.168.0.0/24 and sees the Network of XG1 as 192.168.2.0/24

The 1:1 NAT will translate each request correctly. 

Client1 behind XG1 with 192.168.0.10 will try to access Client2 behind XG2 with 192.168.0.20. 

Client1 will have to ask for 192.168.2.20.

XG2 will translate those packets back to 192.168.0.20 on XG2 site.

The other approach will be: 

Bridge Networks together. 

But you cannot actually have the same network addresses, you have to decide, who is going to preserve the NAT, XG1 or XG2 or a Server. 

If the Tunnel fails, the other site will fail without DHCP.

All Broadcast Traffic will be forwarded to the other Site (using the Internet connection): Most likely will flood your WAN connection - You have to deal with it on the XG Firewall Site. 

Basically you will throw a long ethernet cable and build a Layer 2 bridge between both sites. 

Hi LuCar Toni 

Thank you by your response.

Yes, NAT 1:1 would work very goood, I have environments running with this. But in this case, I need replace Mikrotik devices in HO and BO, and currently they are connected by EOIP protocol by Mikrotik.

The current environment has devices connected using this scenario, and need keep this config.

Using your suggestion Im testing RED + LAN Bridge - https://community.sophos.com/kb/en-us/122783 - and in y first tests it is working as expected. It exists one problem that I need investigate, the ping to devices behind XG has 2 ms and ping to direct XG device has 20 ms. 

I'll try investigate the reason of this.

Thank you by your suggestions 

Cheers

Carlos