Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 3 replies
  • Answers 1 answer
  • Subscribers 27 subscribers
  • Views 3444 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Creating a route between VLANs

David Ashcroft

I'll try to explain my setup first, and then explain what I am trying to achieve.

So I have two VLANs which are:

PC Range (VLAN1): 172.16.0.0/16
Telephone Range (VLAN 122): 172.18.0.0/20

Both ranges can communicate with each other and our core switches are responsible for the routing between the two. Our gateways for each are set on our core switches as follows:

PC Range Gateway: 172.16.172.73
Telephone Range Gateway: 172.18.0.1

So if I connect to a PC on 172.16 and try to ping our telephone server on 172.18 it works and everything is fine.

The above all works without any interaction with our Sophos XG, but now that users are working from home and connecting in over our Sophos VPN client, they need access to telephone resource, and unfortunately, they are unable to see anything on 172.18 telephone since the VPN IPs are assigned on the 172.16 PC range.

Here is my Sophos XG Setup:

Port D1 - Inside Interface - LAN - VLAN 1 - IP set to 172.16.0.200/16 - No Gateway specified.

Whilst onsite, end user devices are sent to this IP address for internet via a proxy PAC file, so the clients gateway addresses are still set to 172.16.172.73, so pinging a Telephone IP on 172.18.0.0 still works since the core switch is doing the routing and the Sophos is not involved at all yet.

I then another VLAN setup on the XG the same physical interface:

Port D1 - Inside Interface - LAN - VLAN 122 - IP set to 172.18.1.13/20 - No gateway specified

So when a user is working from home, they connect in over the Sophos VPN client via an interface on the XG configured as a WAN interface and they receive an IP address on the 172.16 PC range. But if I ping anything on the 172.18 range from the VPN it does not work. At this stage, our core switch is not involved since the client gateway is no longer going to be 172.16.172.73 (core switch gateway address).

So I guess I need to configure a route on the Sophos XG that basically says anything on 172.16.0.0/16 can get to 172.18.0.0/20. Is there a way that I can do this and make it work over the VPN? I have tried, but I must be doing it wrong since I cannot ping anything on 172.18 from the VPN.



This thread was automatically locked due to age.
Parents
  • +1

    As the core is the default router for Telephone Network, he send the answer-packet to the directly connected 172.18.0.0/16 Network.
    I would try to use a different VPN-IP Range.

    Sorry ... donty realised the sophos is connected behind the PC-Network. Normally i have a dedicated transfer-network between core and Sophos.
    Yes a route may help.
    Simple create a static route: DES-IP 172.16.0.0/16 GW:172.16.172.73 interface: LAN
    BTW: how does your PC reach the telephony network? Are there routes at the PC's? If not ... do you enabe "proxy-arp" at the core?

  • 0 in reply to dirkkotte

    Ignore everything I just said. I think I was thinking into this far too much. It does work. The VPN settings file was set to only tunnel 172.16 traffic. I added 172.18 to it too and it works now. thank you so much for your reply and help thoughj :) 

Reply Children
No Data