
Creating a route between VLANs

I'll try to explain my setup first, and then explain what I am trying to achieve.

So I have two VLANs which are:

PC Range (VLAN 1): 172.16.0.0/16
Telephone Range (VLAN 122): 172.18.0.0/20

Both ranges can communicate with each other and our core switches are responsible for the routing between the two. Our gateways for each are set on our core switches as follows:

PC Range Gateway: 172.16.172.73
Telephone Range Gateway: 172.18.0.1

So if I connect to a PC on 172.16 and try to ping our telephone server on 172.18 it works and everything is fine.

The above all works without any interaction with our Sophos XG, but now that users are working from home and connecting in over our Sophos VPN client, they need access to telephone resources, and unfortunately they are unable to see anything on the 172.18 telephone range, since the VPN IPs are assigned on the 172.16 PC range.

Here is my Sophos XG Setup:

Port D1 - Inside Interface - LAN - VLAN 1 - IP set to 172.16.0.200/16 - No Gateway specified.

Whilst onsite, end user devices are sent to this IP address for internet via a proxy PAC file, so the clients gateway addresses are still set to 172.16.172.73, so pinging a Telephone IP on 172.18.0.0 still works since the core switch is doing the routing and the Sophos is not involved at all yet.

I then have another VLAN set up on the XG on the same physical interface:

Port D1 - Inside Interface - LAN - VLAN 122 - IP set to 172.18.1.13/20 - No gateway specified

So when a user is working from home, they connect in over the Sophos VPN client via an interface on the XG configured as a WAN interface and they receive an IP address on the 172.16 PC range. But if I ping anything on the 172.18 range from the VPN it does not work. At this stage, our core switch is not involved since the client gateway is no longer going to be 172.16.172.73 (core switch gateway address).

So I guess I need to configure a route on the Sophos XG that basically says anything on 172.16.0.0/16 can get to 172.18.0.0/20. Is there a way that I can do this and make it work over the VPN? I have tried, but I must be doing it wrong since I cannot ping anything on 172.18 from the VPN.

  • As the core is the default router for the Telephone Network, it sends the answer packet to the directly connected 172.18.0.0/16 network.
    I would try to use a different VPN IP range.

    Sorry ... didn't realise the Sophos is connected behind the PC network. Normally I have a dedicated transfer network between core and Sophos.
    Yes, a route may help.
    Simply create a static route: DES-IP 172.16.0.0/16 GW: 172.16.172.73 interface: LAN
    BTW: how does your PC reach the telephony network? Are there routes on the PCs? If not ... do you enable "proxy-arp" at the core?

  • I'm not sure if this is going to work. Sorry, my experience with routing is unfortunately rather limited, which doesn't help.

    Our core switches are Avaya/Extreme and I know we use VRRP. So our PC VLAN VRRP address is set to 172.16.172.73, telephone address VRRP is set to 172.18.0.1. I don't really manage this, but as far as I understand, anything listed in VRRP can communicate with each other. So internally our PC clients have their gateways set to 172.16.172.73 and our phone server has its gateway set to 172.18.0.1.

    We've only recently introduced Sophos XG to our network as our web filter and firewall solution, so we are still moving things over to make everything work.

    To make this function, would I need to have the gateways of my clients and phone server set to the inside interfaces of the Sophos XG? (172.16.0.200 for PC VLAN, 172.18.1.13 for phone VLAN.)

    My understanding at the moment is that this would happen:

    I am on the VPN with a 172.16.0.0/16 address. I try to ping the phone server on 172.18.1.10/20. My ICMP packet would go over the VPN and hit the Sophos XG on its external interface. It would see a packet destined for 172.18 and send it down its PortD1.122 inside interface. The phone system would receive the packet, but then attempt to send it back to its own gateway, which would be 172.16.172.73. The packet would hit the core switch, which knows nothing about the send request since it came via the Sophos, and then it would just drop the packet? If the phone system gateway was 172.18.1.13, my thoughts would be that it may work, because the phone server would be sending the request back to the Sophos rather than the core switch as its gateway.

    Am I thinking entirely wrong about this, or does that make sense at all?

    Thank you for your help, sorry for seeming quite uneducated on this, I do really appreciate the help.

  • Ignore everything I just said. I think I was thinking into this far too much. It does work. The VPN settings file was set to only tunnel 172.16 traffic. I added 172.18 to it too and it works now. Thank you so much for your reply and help though :)
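The outcome of the thread is a split-tunnel problem, not a firewall routing problem: the client only sends a packet into the tunnel if the destination matches one of the routes the VPN config pushes, and 172.18.0.0/20 was never in that list, so the pings for the phone server left via the user's home network and never reached the XG. The following is an added example (not code from the thread, from Sophos, or from the XG) that models that check. It assumes the client config carries OpenVPN-style `route <network> <netmask>` lines, which is an assumption about the file format; the two config fragments are constructed to mirror the "before" and "after" described in the last reply. It also goes one step beyond the thread: given the full list of internal prefixes remote users need, it reports every prefix the config omits, not just the one that happened to be noticed.

```python
"""Split-tunnel route coverage check (added example, not from the original thread).

Models the VPN client's pushed-route list as OpenVPN-style
`route <network> <netmask>` lines (assumed format) and answers:
does a destination enter the tunnel, and which required prefixes
does the config silently leave uncovered?
"""
import ipaddress
from typing import List, Optional

# Constructed config fragments mirroring the thread: the original file only
# tunnelled the PC VLAN; the fixed one adds the telephone VLAN.
CONFIG_BEFORE = """\
client
dev tun
route 172.16.0.0 255.255.0.0
"""

CONFIG_AFTER = """\
client
dev tun
route 172.16.0.0 255.255.0.0
route 172.18.0.0 255.255.240.0
"""


def parse_routes(config: str) -> List[ipaddress.IPv4Network]:
    """Extract `route <network> <netmask>` directives; ignore all other lines."""
    routes = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "route":
            # ipaddress accepts dotted netmask notation; strict=True rejects
            # a route whose network address has host bits set (a config typo).
            routes.append(ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}", strict=True))
    return routes


def tunnel_route_for(dest: str, routes: List[ipaddress.IPv4Network]) -> Optional[str]:
    """Longest-prefix match, as the client's routing table would do it.

    Returns the most specific pushed route containing dest (as a string), or
    None when the packet bypasses the tunnel and leaves via the physical NIC.
    """
    addr = ipaddress.IPv4Address(dest)
    matches = [r for r in routes if addr in r]
    return str(max(matches, key=lambda r: r.prefixlen)) if matches else None


def uncovered(required: List[str], routes: List[ipaddress.IPv4Network]) -> List[str]:
    """Required internal prefixes that no pushed route fully contains.

    Anything listed here is reachable on-site (the core switch routes it) but
    silently unreachable over the VPN, exactly the symptom in the thread.
    """
    missing = []
    for prefix in required:
        net = ipaddress.IPv4Network(prefix)
        if not any(net.subnet_of(r) for r in routes):
            missing.append(str(net))
    return missing


def main() -> None:
    # The two internal ranges from the original post.
    required = ["172.16.0.0/16", "172.18.0.0/20"]
    phone_server = "172.18.1.10"  # phone server address used in the thread
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        routes = parse_routes(cfg)
        print(f"[{label}] {phone_server} -> tunnel route: {tunnel_route_for(phone_server, routes)}")
        print(f"[{label}] uncovered prefixes: {uncovered(required, routes)}")


if __name__ == "__main__":
    main()
```

Running it shows the phone server matching no route in the "before" config and `172.18.0.0/20` in the "after" one. When widening the route list, push only the prefixes remote users actually need (here the two VLANs) rather than a broad aggregate: every extra prefix in the tunnel is more internal surface exposed to whatever is on the VPN client, and the XG firewall rules for the VPN zone should still be reviewed to allow only the telephony ports required.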