multiple LAN ranges on same interface

Hi there. Newbie here. I don't get it.

I have two ip ranges in my network 10.0.0.0/24 and 192.168.1.0/24

I've set up the XG210 with the 192.168.1.0 range as LAN and everything works fine, except I can't reach the 10.0.0.0 range from the 192.168.1.0 range.

How can I remedy this?

Thanks, Marc



  • Hi Marc, Thanks for reaching out to Sophos Community.

    If the network range 10.0.0.0/24 isn't configured on any of the firewall interfaces then you can add a static route.

    But it's recommended to configure the same network on an Alias IP and add a LAN to LAN rule to allow communication between these hosts.

    Also, there's a possibility if the Gateway isn’t defined for 10.0.0.0/24 network then the traffic might not even hit XG and would rather be routed through the defined gateway.

  • Thanks for the answer, DeveshM.

    Setting up a static route didn't help, so I followed your recommendation to configure an Alias IP and a LAN to LAN rule.

    That didn't work either. Maybe I didn't set up the rule correctly; can you give me an example?

    Marc

  • My knowledge of doing this with an XG is limited but in the absence of any other responses I will add these comments and suggestions.

    A static route would not work. If the XG doesn't have an IP in the 10.0.0.0 subnet, there is no way for it to discover hosts and know how to route the traffic.

    What you are trying to do with the IP alias, is hairpin traffic - traffic going in and then back out of the same interface. Have a search for hairpin NAT in the XG section and you may be able to get this to work. I've set one up but it isn't the easiest of things to do if you don't have a good understanding of networking.

    What I don't understand from the details you have supplied is why you don't just set up a new LAN interface on the XG with a 10.0.0.0/24 address. This would be much simpler and a lot easier to manage traffic between the two subnets going forward.

  • Thanks JasP, 

    The 10.0.0.0/24 range is the range used by the cluster, the 192.168.1.0/24 range is the range where the virtual servers are in. There is no physical difference.

    Can I just plug in another cable to the (unmanaged) switch and use another LAN interface on the XG without messing things up ?

    I would prefer to go that route but otherwise I'll look for "hairpin traffic".

  • Forget the hairpin; it is not reliable and very difficult to get to work on internal networks.

    ian

  • It will work fine.

    It is not the 'proper' way to do things because it doesn't establish any security boundary between the two subnets. So, for example, a user with a workstation in the 192 subnet could give their workstation an additional IP address in the 10 subnet and be able to access the cluster. Normally you would set up separate VLANs for each subnet on the switch. Even 'unmanaged' switches sometimes have the ability to set up VLANs; it depends on what your definition of 'unmanaged' is! If this is a commercial setup then it should be secured with VLANs. If it is a home lab then anything goes (although it is still good to do things the right way).

    I've been giving it a bit of further thought and I'm not even sure a hairpin NAT will work in your situation. Typically it is used where you want to bounce back internal traffic that is destined for your public IP. So the traffic would go workstation->XG LAN->XG WAN->XG LAN->workstation. I don't know if the XG hairpin would allow an in and out directly on the same LAN interface (missing out bouncing it off the WAN interface). Maybe someone will chime in with an answer (I don't have time to try it ATM).
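    The two networking points raised so far (DeveshM's warning that traffic only reaches the XG if the 10.0.0.0/24 hosts have a gateway pointing at it, and JasP's point that a workstation with an extra 10.x address reaches the cluster without touching the firewall) can be checked with a small routing model. The script below is an added example, not code from any poster or from Sophos; the addresses 192.168.1.1 and 10.0.0.1 for the XG, 192.168.1.10 for a workstation, 10.0.0.5 for a cluster node and 10.0.0.50 for the workstation's alias are assumed for illustration, since the thread only gives the two /24 ranges. It models plain IP forwarding only, not the XG's LAN-to-LAN firewall policy: when a path does pass through the XG, a rule still has to permit it.

```python
"""Added example: trace where packets go in a flat two-subnet LAN behind a Sophos XG.
Addresses are assumed for illustration; the thread only gives 10.0.0.0/24 and 192.168.1.0/24.
Only IP routing is modelled, not firewall policy."""
import ipaddress as ipa
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Host:
    name: str
    addrs: List[str]                 # "ip/prefix" entries on the single NIC (several = IP aliases)
    gateway: Optional[str] = None    # default gateway, None if the host has none configured
    forwards: bool = False           # True only for the router/firewall (the XG)

    def interfaces(self):
        return [ipa.ip_interface(a) for a in self.addrs]

    def owns(self, ip: ipa.IPv4Address) -> bool:
        return any(i.ip == ip for i in self.interfaces())

    def next_hop(self, dst: ipa.IPv4Address) -> Optional[ipa.IPv4Address]:
        """Ordinary host routing: on-link if dst is in a connected subnet, else the default gateway."""
        if any(dst in i.network for i in self.interfaces()):
            return dst                 # ARP for dst and send directly on the shared wire
        return ipa.ip_address(self.gateway) if self.gateway else None


def trace(hosts: List[Host], src: str, dst_ip: str, max_hops: int = 4) -> Tuple[List[str], str]:
    """Follow one packet hop by hop; returns the hosts it visits and the outcome."""
    dst = ipa.ip_address(dst_ip)
    cur = next(h for h in hosts if h.name == src)
    path = [cur.name]
    for _ in range(max_hops):
        nh = cur.next_hop(dst)
        if nh is None:
            return path, "no route"
        nxt = next((h for h in hosts if h.owns(nh)), None)
        if nxt is None:
            return path, f"next hop {nh} does not answer"
        path.append(nxt.name)
        if nh == dst:
            return path, "delivered"
        if not nxt.forwards:
            return path, f"dropped by {nxt.name} (not a router)"
        cur = nxt
    return path, "hop limit exceeded"


def round_trip(hosts: List[Host], a: str, b: str) -> Tuple[str, str]:
    """Outcome of a->b and of b's reply. A missing return route looks exactly like a blocked rule."""
    ha = next(h for h in hosts if h.name == a)
    hb = next(h for h in hosts if h.name == b)
    fwd = trace(hosts, a, str(hb.interfaces()[0].ip))[1]
    rev = trace(hosts, b, str(ha.interfaces()[0].ip))[1]
    return fwd, rev


def scenario_no_10_address_on_xg():
    """XG has only Port1 (192.168.1.1): a static route for 10.0.0.0/24 has no usable next hop."""
    hosts = [Host("xg", ["192.168.1.1/24"], forwards=True),
             Host("ws", ["192.168.1.10/24"], gateway="192.168.1.1"),
             Host("node", ["10.0.0.5/24"])]
    return trace(hosts, "ws", "10.0.0.5")


def scenario_xg_on_both(node_gateway: Optional[str]):
    """XG holds 192.168.1.1 and 10.0.0.1 (second port or alias IP, both assumed).
    The cluster node's gateway setting decides whether replies ever reach the XG."""
    hosts = [Host("xg", ["192.168.1.1/24", "10.0.0.1/24"], forwards=True),
             Host("ws", ["192.168.1.10/24"], gateway="192.168.1.1"),
             Host("node", ["10.0.0.5/24"], gateway=node_gateway)]
    return round_trip(hosts, "ws", "node")


def scenario_alias_bypass():
    """Workstation adds its own 10.0.0.50/24 alias: both directions stay on the wire, XG never sees them."""
    hosts = [Host("xg", ["192.168.1.1/24", "10.0.0.1/24"], forwards=True),
             Host("ws", ["192.168.1.10/24", "10.0.0.50/24"], gateway="192.168.1.1"),
             Host("node", ["10.0.0.5/24"])]
    return trace(hosts, "ws", "10.0.0.5"), trace(hosts, "node", "10.0.0.50")


if __name__ == "__main__":
    print("XG without a 10.x address:", scenario_no_10_address_on_xg())
    print("node has no gateway:      ", scenario_xg_on_both(None))
    print("node gateway = 10.0.0.1:  ", scenario_xg_on_both("10.0.0.1"))
    print("workstation alias:        ", scenario_alias_bypass())
```

    The second scenario is the one worth checking on the real cluster nodes before touching any more firewall rules: if their default gateway is empty or points somewhere other than the XG's 10.0.0.x address, the request arrives but the reply has nowhere to go, and from the 192.168.1.x side that is indistinguishable from a rule that denies the traffic. The last scenario is the boundary problem JasP describes: with both ranges on one unmanaged switch, an alias on the workstation makes the XG irrelevant to that traffic.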

  • I couldn’t get it to work.

    ian

  • I connected a cable, set up the port and created the following rule, but still no access to the 10.0.0.0 range.

    Rule

    Accept any service going to "LAN" zone, when in "LAN" zone, and coming from "#Port1" and "#Port5" networks

    Source & schedule
    LAN

    Source networks and devices : #Port1,#Port5
    During scheduled time : All the time

    Destination and services
    LAN

    Destination networks : #Port1,#Port5
    Services : Any

    Exclusions

    Source zones :
    Source networks and devices :
    Destination networks :
    Destination networks :
    Services :

  • Hi,

    You will need to change the port to a network name/24. A port is 1 IP address only.

    Ian

  • No that doesn't work either. It shouldn't be this hard to figure out.

    Rule

    Accept any service going to "LAN" zone, when in "LAN" zone, and coming from "192.168.110.0" and "10.0.0.0" networks, then apply log connections

    Source & schedule
    LAN

    Source networks and devices : 192.168.110.0,10.0.0.0
    During scheduled time : All the time

    Destination and services
    LAN

    Destination networks : 192.168.110.0,10.0.0.0
    Services : Any

  • Start with the basics and make sure you can ping both subnets from the XG. At least you then know your basic networking is working.

    Being comparatively new to XG, and having not tried this before, I'm not sure if you need a firewall rule at all. For instance, on Cisco firewalls, if the NICs are in the same zone then they will allow all traffic between the zones unless you set up a rule to block. As both your NICs are in the LAN zone, you may not need a rule at all, until you get to the stage of wanting to restrict what can pass between them. I don't know if this is true for XG, but you could try just disabling your rule and seeing if it works (after you have checked that pings from the XG work).

    I presume you haven't setup any static routes for this. If you have delete them as you shouldn't need any as both subnets are local to the XG.

    You're right, this shouldn't be hard to setup!