
Configuring XG to route traffic to network via specific gateway

I'm sure it's something I'm missing in the documentation but here is the configuration I have:

192.168.150.0/24 - datacenter network, also where the XG firewall is located

192.168.1.0/24 - office network, no XG firewall here

They are currently joined by an ipsec tunnel not managed by the XG.

The host on the datacenter network who routes the ipsec tunnel is 192.168.150.251

 

I tried adding the unicast route for 192.168.1.0/24 with a gateway of 192.168.150.251 but it doesn't pass traffic. Curiously, from the diagnostic page for the XG I can ping hosts on the 192.168.1.0 network successfully.

I figured firewall must be blocking but honestly for the life of me I can not figure out how to add a firewall rule that passes ALL traffic between 192.168.150.0 and 192.168.1.0. None of the clients behind the XG can get to the office network.

Is there some step I missed, or am I going about this wrong?



  • Update:

    I tried adding a rule at the top that had both the LAN and OFFICE zones in both the source and destination, but the traffic only started passing if I turned on NAT, which doesn't work for my use case.

    Is there a way to get it working without NAT being enabled?

    If I add a static route to clients in the datacenter to point to 192.168.150.251 as the gateway to 192.168.1.0 (bypassing the XG entirely) traffic flows as expected; we're going to be adding some additional branch connections and I don't want to have to run route scripts on the datacenter machines to keep everything in line, I'd prefer to offload that to a central point, hence trying to get the XG to do it.

  • Are you talking about Sophos XG Zones or just Zones as a matter of structure? I am also not sure about the exact configuration.

    For example:

    What networks are passed through the tunnel?

    What rules are configured on the firewall?

     

    I think either two firewall routes of the kind LAN/AnyInternalNetwork to/from LAN/AnyInternalNetwork are missing. This is different from some other firewalls.

    Or you have an issue with the configuration of your IPSec Tunnel.

    Try to resolve the issues with the firewall logs and traceroute. Do this from both sides (Datacenter/Office).

  • Sophos XG Zones.

    I tried to eliminate the IPSec tunnel as a source of issue by bypassing the XG and setting a static route on the Datacenter client itself, at which point traffic flowed normally (I was able to ping back and forth and reach internal websites on the other side of the IPSec connection as normal). It's only when traversing the XG that I encounter traffic flow issues, which leads me to believe the XG is the sole issue source and I just have it configured incorrectly.

    Unfortunately the documentation doesn't cover this scenario, and I'm wondering if perhaps it's just not possible to get the XG to behave in this way, even though doing this with a Linux box is trivially easy.

    Here's what I want:


    Currently there is a Debian box right where the XG Firewall is supposed to go, and it is doing NAT to the Internet but regular routing to the Office network. I want the XG to replicate that but add in the firewall to the Internet (leaving the firewall off for local/cross-IPSec traffic).

  • I think something in your picture is wrong/incomplete.

    Can you add the second IPSec endpoint with an interface in 192.168.1.0/24 and the missing IP addresses of the firewall (at least the ones pointing to internal networks)? Is there really a connection between the IPSec endpoint and the firewall? This would not make sense to me.

    What are the default routes in the office and data center networks?

    AFAIK the Sophos XG is using iptables and is Linux based, so theoretically you should be able to do everything that you can do on a Linux host - if it is configurable through the GUI.

  • You're absolutely correct, looking at the image now I left out some important detail.

    Obviously the 2 IPSec endpoints talk to each other via the internet, there is no direct link between them.

    The XG is not connected to the IPSec endpoint a second time, only to the 192.168.150.0 network - my apologies for that errant link.

    Default routes on the datacenter network:
    Default gateway is 192.168.150.150

    Default routes on the office network:
    Default gateway is 192.168.1.1

    I was playing around with this a bit more yesterday, I managed to get the firewall to say it would pass traffic and matched the firewall rule I had set up that should allow any traffic to pass unimpeded. For some reason I still could not access webpages on the office network from the datacenter, and users on the office network could not access web pages in the datacenter network. Ping worked, though. So that's a definite improvement.

    Here's the rule I have that matches traffic between the datacenter and office networks:

    In the diagnostics on the firewall, I can check for source/destination being able to access webpages both ways and according to the diagnostic it should pass and be allowed. It's really confusing why this isn't working.

  • Did you perform this task?

    https://community.sophos.com/kb/en-us/130517

    You have an asymmetric routing issue.

    Use the command: set advanced-firewall bypass-stateful-firewall-config add source_network

    Regards
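    To make the asymmetric-routing point above concrete, here is a constructed Python simulation (added here; it is not code from Sophos or from anyone in the thread) of the topology described in this discussion: datacenter 192.168.150.0/24 with the XG as default gateway 192.168.150.150, the IPsec endpoint 192.168.150.251 routing to the office 192.168.1.0/24, and the XG holding a unicast route for 192.168.1.0/24 via 192.168.150.251. It assumes a host ending in .20 on each side and made-up port numbers, and it models a generic connection tracker rather than the XG's actual implementation; the `bypass_networks` list stands in for the effect of `set advanced-firewall bypass-stateful-firewall-config add source_network`. It shows why ping worked while web pages did not: the forward path crosses the XG but the return path does not, so the XG sees a SYN, never the SYN-ACK, and drops the client's ACK as mid-stream traffic of a connection it never saw complete.

```python
"""Why asymmetric routing breaks TCP but not ping through a stateful firewall.

Constructed simulation (not Sophos code) of the topology in this thread.
Host addresses ending in .20 and the port numbers are made up.
"""
import ipaddress

DC_NET = ipaddress.ip_network("192.168.150.0/24")
OFFICE_NET = ipaddress.ip_network("192.168.1.0/24")

# Each node: address, directly connected networks, routes as (prefix, next-hop node).
# "office-side" stands for the far tunnel end plus the office LAN.
NODES = {
    "dc-host": {"addr": "192.168.150.20", "connected": [DC_NET],
                "routes": [("0.0.0.0/0", "xg")]},
    "xg": {"addr": "192.168.150.150", "connected": [DC_NET],
           "routes": [("192.168.1.0/24", "ipsec-endpoint"), ("0.0.0.0/0", "internet")]},
    "ipsec-endpoint": {"addr": "192.168.150.251", "connected": [DC_NET],
                       "routes": [("192.168.1.0/24", "office-side")]},
    "office-side": {"addr": "192.168.1.20", "connected": [OFFICE_NET],
                    "routes": [("192.168.150.0/24", "ipsec-endpoint")]},
}


def node_for(ip):
    """Map an address to the node that owns it."""
    return next(name for name, n in NODES.items() if n["addr"] == ip)


def trace(src, dst_ip, max_hops=8):
    """Node path from node `src` to dst_ip, longest-prefix match at every hop."""
    dst = ipaddress.ip_address(dst_ip)
    path, cur = [src], src
    for _ in range(max_hops):
        node = NODES[cur]
        if any(dst in net for net in node["connected"]):
            owner = node_for(dst_ip)           # delivered on the local segment
            if owner != cur:
                path.append(owner)
            return path
        candidates = [r for r in node["routes"] if dst in ipaddress.ip_network(r[0])]
        cur = max(candidates, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)[1]
        path.append(cur)
    raise RuntimeError("routing loop")


class StatefulFirewall:
    """Minimal connection tracker: TCP is accepted only when it opens a flow (SYN)
    or belongs to a flow whose handshake this box has seen.  Traffic to/from a
    bypass network skips tracking (a model of the XG bypass command, not a copy)."""

    def __init__(self, bypass_networks=()):
        self.bypass = [ipaddress.ip_network(n) for n in bypass_networks]
        self.flows = {}  # (src, dst, sport, dport) -> state

    def _bypassed(self, pkt):
        src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
        return any(src in n or dst in n for n in self.bypass)

    def inspect(self, pkt):
        # ICMP echo has no handshake: each request is a new flow the LAN<->OFFICE
        # allow rule matches, so ping works even though the reply bypasses this box.
        if pkt["proto"] == "icmp" or self._bypassed(pkt):
            return "ACCEPT"
        key = (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"])
        rkey = (pkt["dst"], pkt["src"], pkt["dport"], pkt["sport"])
        if pkt["flags"] == "SYN":
            self.flows[key] = "SYN_SENT"
            return "ACCEPT"
        if pkt["flags"] == "SYN-ACK" and self.flows.get(rkey) == "SYN_SENT":
            self.flows[rkey] = "ESTABLISHED"
            return "ACCEPT"
        if "ESTABLISHED" in (self.flows.get(key), self.flows.get(rkey)):
            return "ACCEPT"
        return "DROP"  # mid-stream segment of a connection never seen completing


def run_flow(fw, segments, proto):
    """Send each (src, dst, flags) across the topology.  Returns (flags, verdict);
    verdict is None when the path never touches the XG.  Stops at the first drop."""
    results = []
    for src, dst, flags in segments:
        pkt = {"proto": proto, "src": src, "dst": dst, "sport": 51000, "dport": 80, "flags": flags}
        verdict = fw.inspect(pkt) if "xg" in trace(node_for(src), dst) else None
        results.append((flags, verdict))
        if verdict == "DROP":
            break
    return results


def run_handshake(fw, client="192.168.150.20", server="192.168.1.20"):
    """TCP handshake plus the first HTTP request segment."""
    return run_flow(fw, [(client, server, "SYN"), (server, client, "SYN-ACK"),
                         (client, server, "ACK"), (client, server, "PSH-ACK")], "tcp")


def run_ping(fw, client="192.168.150.20", server="192.168.1.20"):
    return run_flow(fw, [(client, server, "echo-request"), (server, client, "echo-reply")], "icmp")


if __name__ == "__main__":
    print("forward path :", trace("dc-host", "192.168.1.20"))
    print("return path  :", trace("office-side", "192.168.150.20"))
    print("ping, stateful        :", run_ping(StatefulFirewall()))
    print("http, stateful        :", run_handshake(StatefulFirewall()))
    print("http, office bypassed :", run_handshake(StatefulFirewall(["192.168.1.0/24"])))
```

    Running it prints the forward path through the XG, the return path that skips it, and the three verdict lists: ping accepted, the plain stateful case dropping at the client's ACK, and the bypassed case passing every segment. The same asymmetry is what the knowledge-base article linked above addresses.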

  • You nailed it. Traffic is passing correctly! Thanks for replying.

  • Did you set a route on the firewall that sends the traffic to 192.168.1.0/24 through the gateway 192.168.150.251? There is still asymmetric routing, but I think this will work also with the above firewall rule.

    I'd also consider replacing the datacenter IPSec endpoint with one port of the firewall and establishing the tunnel between the firewall and the office IPSec endpoint. This would make things more straightforward.


  • I did set that route up in the XG previously thinking it would get me working, but the fix for asymmetric routing is what was needed to make it all finally work.

     

    I'm working on replacing the datacenter IPsec endpoint with the XG, but I still need it to work as-is so I can phase it in.