Assistance with setting up MPLS

Hi All, 

I am having trouble getting my MPLS to work between 2 Sophos firewalls.

Here is my topology:

I have tried putting routes in place etc. but cannot get it to work and am just getting confused now. Is anyone able to confirm what I need to do to get traffic flowing over the MPLS circuit?

I have the relevant firewall rules in place for site A subnet to site B subnet, but I would love it if someone could help?

Thanks all!

  • Hi,

    What does the logviewer show when you try to connect between sites?

    which version of XG are you running?
    ian

  • A packet capture shows me traffic is being sent out of the MPLS port on the Sophos, but I am not getting a response. At current I have deleted all my routes etc. to start from scratch (with some advice). They are running XG v18 MR4.

  • Hi, do you have access to the MPLS router to see if it is routing the traffic correctly?
    ian

  • No, it is supplied by the ISP. Usually we get provided a straight-through link from our usual provider, in which I configure a port on either device, from either LAN, then I configure a route and advanced firewall bypass and it's all good. But I am not familiar with this provider's method.

    I am going to try again this evening to put the routes in place and gather some info as they are working over IPSEC at the moment.

    I aim to add a route on site A (left of picture):

    DEST: 10.0.1.1/24

    Gateway 172.16.11.1

    interface: 172.16.11.2

    Then do the similar on the device at site B, would that make sense?

  • Hello there,

    Thank you for contacting the Sophos Community!

    I would recommend you terminate the MPLS in the XG. 

    If you do a drop-packet capture, do you see traffic being dropped by the XG?

    console> drop-packet-capture host x.x.x.x (x.x.x.x IP of one of the hosts)

    Is the MPLS port in the XG configured as LAN or WAN?

    Regards,

  • Hi Emma, 

    The circuit is provided by the ISP and we get a port on their CPE router for the MPLS, which I have connected to the Sophos and configured the port on the LAN zone. I can communicate from a device on SITEA LAN to the Sophos MPLS port at SITEB by putting in the following route and enabling MASQ on the LAN to LAN NAT rule.

    Destination: 172.16.10.0/24

    gateway: 172.16.11.1

    interface: 172.16.11.2

    But if I create the following route:

    Destination: 10.0.1.0/24

    gateway: 172.16.11.1

    interface: 172.16.11.2

    I cannot see the traffic being pushed out of the MPLS port via packet capture. 

    I'll try what you mentioned either this evening or tomorrow evening. 

    Thank you

  • We have set this up successfully. With a) internet breakout at the MPLS provider and b) with dedicated internet breakout. And c) with default route 0.0.0.0 and breakout on another site. On the central site basically like the setup on the picture: terminating MPLS on a router/switch that is connected to the firewall.

    You need to set the proper static routes. You need also to define the policies (setting up explicit deny rules on both sides + putting on logging and traceroute from both sides should help).

    You also need to be sure that the local networks are actually transmitted through the MPLS (ask your provider).


  • Thank you for the response. Would you say putting the following routes in place is correct in my setup above (with only 2 sites)?

    SITEA: 

    Destination: 10.0.1.0/24

    gateway: 172.16.11.1

    interface: 172.16.11.2

    SITEB:

    Destination: 10.0.0.0/24

    gateway: 172.16.10.1

    interface: 172.16.10.2

    Then have a LAN to LAN firewall rule for the local subnets 10.0.0.0/24 and 10.0.1.0/24?

    Do I need to do any specific NAT rule or MASQ?
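As an added illustration (not code from the thread or from Sophos), the following Python script checks the two proposed static routes for the problems this thread runs into: a destination written with host bits (the earlier 10.0.1.1/24), a gateway that is not on-link for the XG's MPLS port, and a missing return route at the peer site, which is what makes outbound traffic appear in a packet capture while no reply ever comes back. The site LAN and MPLS-port addresses are assumed from the posts above.

```python
import ipaddress

# Constructed topology from the thread (assumed values, not verified against
# the poster's devices): each site's LAN and the XG's MPLS-port address.
SITES = {
    "SITEA": {"lan": "10.0.0.0/24", "mpls_if": "172.16.11.2/24"},
    "SITEB": {"lan": "10.0.1.0/24", "mpls_if": "172.16.10.2/24"},
}

# Static routes as proposed in the thread: (site, destination, gateway).
PROPOSED = [
    ("SITEA", "10.0.1.0/24", "172.16.11.1"),
    ("SITEB", "10.0.0.0/24", "172.16.10.1"),
]


def check_route(site, dest, gateway):
    """Return a list of problems with one static route on `site`, or []."""
    problems = []
    iface = ipaddress.ip_interface(SITES[site]["mpls_if"])
    try:
        ipaddress.ip_network(dest)  # strict: rejects host bits such as 10.0.1.1/24
    except ValueError:
        problems.append(f"{site}: {dest} has host bits set; use the network address")
    gw = ipaddress.ip_address(gateway)
    if gw not in iface.network:
        problems.append(f"{site}: gateway {gateway} is not on-link for {iface}")
    elif gw == iface.ip:
        problems.append(f"{site}: gateway {gateway} is the XG's own address")
    return problems


def check_return_path(routes):
    """Each site routing to a peer LAN needs the peer to route back to it."""
    problems = []
    parsed = [(s, ipaddress.ip_network(d, strict=False), g) for s, d, g in routes]
    for site, dest, _ in parsed:
        local_lan = ipaddress.ip_network(SITES[site]["lan"])
        for peer in SITES:
            if peer == site or dest != ipaddress.ip_network(SITES[peer]["lan"]):
                continue
            if not any(s == peer and d == local_lan for s, d, _ in parsed):
                problems.append(f"{peer} has no route back to {local_lan}: replies are dropped")
    return problems


def check_all(routes):
    """Run both checks over a route set; an empty list means it is consistent."""
    problems = []
    for site, dest, gw in routes:
        problems += check_route(site, dest, gw)
    return problems + check_return_path(routes)
```

Run `check_all(PROPOSED)` to confirm the two routes in this post are consistent; feeding it only one site's route reports the missing return path.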

  • Hi,

    Check out the following Community thread for a more detailed explanation: https://community.sophos.com/xg-firewall/f/discussions/74536/routing-with-mpls

    Thanks,

  • Thanks Harsh, I think my next step will be to try another route. I am going to create a new MPLS zone and assign that to my MPLS port. I will then use an SD-WAN policy route to route my traffic over the MPLS (will do the same on both ends). I will enable reply packets for this and put the necessary rules in place. What are your thoughts on this method? I will then create a gateway for IPSEC and add that as the secondary.