RED of two Virtual XG's: How to route traffic through Main-Side?

Hello,

I have two virtual sophos XG appliances connected through RED.

This works pretty well, and currently they are acting (per default) in Standard/Split configuration.

However, since security measures are becoming more and more important, we want to route all traffic of the Client Site through the Server Site, as in the picture below. Somehow I can't get that to work.

I double-checked, and there seems to be no way to select operation modes of the RED tunnel when not using a physical RED device.

Is there a way to get around this? I already searched a lot for a solution.

Facts:

-> There is no Windows DHCP Server on either side

-> The Local Network on the Server-Site is on a VLAN Interface

-> DHCP is the "built-in" one from the XG. It would be nice to have this working at the Remote-Site as well, but this is not a requirement.



This thread was automatically locked due to age.
  • FormerMember

    Hi,

    Thank you for reaching out to Sophos Community.

    You can add a static route on the client side with the destination network 0.0.0.0, the "head office RED interface" IP as the gateway, and the client-side RED interface selected as the interface.

    For example:

    RED interface IP of server-side: 10.10.10.1

    RED interface IP of client-side: 10.10.10.2

    You'll also need to configure a firewall rule on the server side to allow internet access for the client-side network.

    Note: Plan for a short period of downtime before performing the above activity to avoid unexpected disruption.

  • Thank you. I had something similar in mind, but the problem with this solution is that all networks behind the client site would be affected by it.
    Since there are other networks configured (which should not be routed through the server site), this solution probably won't work, if I understand correctly. Any suggestion on how to solve this?

  • There is no such thing as an "Operation Mode" in RED site-to-site. You simply use the RED protocol to build a "long Ethernet cable" between both sites. Everything else is up to you. You can use routing (static or dynamic) or SD-WAN policy-based routing, as you like. Route the traffic the way you want it to go.

  • I might get it to work with SD-WAN routing by creating a new gateway that points to the RED interface on the server site?

  • Yes. Simply route it to the other XG.

  • I think the missing piece of the puzzle was that I only just now saw that I am able to create a "virtual" WAN gateway just for routing. Thanks

  • FormerMember, in reply to 2k9

    You'll need to configure an SD-WAN policy to route specific network traffic over the RED tunnel.

    Go to CONFIGURE > Routing > Gateways and add a gateway with the "head office RED interface" IP as the gateway IP and the client-side RED interface selected as the interface.


    To route internet traffic for specific source networks, go to CONFIGURE > Routing > SD-WAN policy route. Add a new IPv4 SD-WAN policy route with the specific source networks, keep the destination network as ANY, and select "RED_Gateway" as the primary gateway.
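The two approaches discussed in this thread differ in what the routing decision is keyed on: the static 0.0.0.0 route looks only at the destination, so every client-side network falls through to the RED gateway, while an SD-WAN policy route also matches the source network, so only the chosen LAN is backhauled. The following Python model is an added illustration of that difference, written for this page; it is not Sophos code and does not reproduce Sophos Firewall internals. The 10.10.10.1 head-office RED IP is from the thread; the two client LANs (192.168.10.0/24 and 192.168.20.0/24), the local WAN gateway 203.0.113.1, the interface names and the internet test host are constructed. The model assumes policy routes are consulted before the static table; on a real Sophos Firewall the precedence between static and SD-WAN policy routes is configurable, so check that setting before relying on this order. Routing is only half of the job: the head-office firewall rule mentioned above is still needed for the backhauled traffic.

```python
"""Destination-only static routing vs source-aware policy routing.

Added example for the RED site-to-site thread (not Sophos code). It models
why a 0.0.0.0/0 static route over the RED interface sends every client-side
network through head office, while a policy route keyed on the source
network backhauls only the LAN it names.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed topology. Only 10.10.10.1 comes from the thread.
RED_SERVER_IP = ip_address("10.10.10.1")   # head-office RED interface (from the thread)
WAN_GW_IP = ip_address("203.0.113.1")      # client-side ISP gateway (constructed)
LAN_A = ip_network("192.168.10.0/24")      # client LAN to backhaul (constructed)
LAN_B = ip_network("192.168.20.0/24")      # client LAN that must keep local breakout (constructed)
INTERNET_HOST = "198.51.100.10"            # arbitrary internet destination (constructed)


@dataclass(frozen=True)
class StaticRoute:
    destination: IPv4Network
    gateway: IPv4Address
    interface: str


@dataclass(frozen=True)
class PolicyRoute:
    """SD-WAN style rule: match on source and destination, then pick a gateway."""
    source: IPv4Network
    destination: IPv4Network
    gateway: IPv4Address
    interface: str


@dataclass
class Router:
    static_routes: list = field(default_factory=list)
    policy_routes: list = field(default_factory=list)

    def lookup(self, src: str, dst: str) -> tuple:
        """Return (gateway, interface) for a packet from src to dst."""
        s, d = ip_address(src), ip_address(dst)
        # Model assumption: policy routes are evaluated before the static table,
        # first match wins in configured order. Verify the route precedence
        # setting on a real firewall before relying on this.
        for pr in self.policy_routes:
            if s in pr.source and d in pr.destination:
                return pr.gateway, pr.interface
        # Static table: longest-prefix match on the destination only; the
        # source address plays no part, which is the root of the problem.
        candidates = [r for r in self.static_routes if d in r.destination]
        if not candidates:
            raise LookupError(f"no route to {d}")
        best = max(candidates, key=lambda r: r.destination.prefixlen)
        return best.gateway, best.interface


def default_route_over_red() -> Router:
    """First suggestion in the thread: static 0.0.0.0/0 via the head-office RED IP."""
    return Router(static_routes=[
        StaticRoute(ip_network("0.0.0.0/0"), RED_SERVER_IP, "red0"),
    ])


def policy_route_over_red() -> Router:
    """Second suggestion: keep the local default route and add an SD-WAN
    policy route only for the source network that should be backhauled."""
    return Router(
        static_routes=[StaticRoute(ip_network("0.0.0.0/0"), WAN_GW_IP, "Port2")],
        policy_routes=[PolicyRoute(LAN_A, ip_network("0.0.0.0/0"), RED_SERVER_IP, "red0")],
    )


def egress_for(router: Router, src: str) -> str:
    """Gateway a client-side host uses to reach the constructed internet host."""
    gateway, _ = router.lookup(src, INTERNET_HOST)
    return str(gateway)


if __name__ == "__main__":
    for name, router in (("static 0.0.0.0/0 via RED", default_route_over_red()),
                         ("SD-WAN policy route for LAN_A", policy_route_over_red())):
        print(name)
        for host in ("192.168.10.5", "192.168.20.5"):
            print(f"  {host} -> {egress_for(router, host)}")
```

Running the block prints that with the static default route both 192.168.10.5 and 192.168.20.5 egress via 10.10.10.1, which is exactly the side effect the poster objected to, whereas with the policy route only 192.168.10.5 goes via 10.10.10.1 and 192.168.20.5 keeps using the local 203.0.113.1 gateway.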

  • Already got it to work exactly as you suggested. Thanks a lot!