multiple LAN ranges on same interface

Hi there. Newbie here. I don't get it.

I have two ip ranges in my network 10.0.0.0/24 and 192.168.1.0/24

I've set up the XG210 with the 192.168.1.0 range as LAN and everything works fine except I can't reach the 10.0.0.0 range from the 192.168.1.0 range.

How can I remedy this?

Thanks, Marc



  • FormerMember
    0 FormerMember

    Hi Marc, Thanks for reaching out to Sophos Community.

    If the network range 10.0.0.0/24 isn't configured on any of the firewall interfaces then you can add a static route.

    But it's recommended to configure the same network on an Alias IP and add a LAN to LAN rule to allow communication between these hosts.

    Also, there's a possibility if the Gateway isn’t defined for 10.0.0.0/24 network then the traffic might not even hit XG and would rather be routed through the defined gateway.

  • Thanks for the answer, DeveshM.

    Setting up a static route didn't help, so I followed your recommendation to configure an Alias IP and a LAN to LAN rule.

    That didn't work either. Maybe I didn't set up the rule correctly; can you give me an example?

    Marc

  • Forget the hairpin; it is not reliable and very difficult to get working on internal networks.

    ian

  • It will work fine.

    It is not the 'proper' way to do things because it doesn't establish any security boundary between the two subnets. So, for example, a user with a workstation in the 192 subnet could give their workstation an additional IP address in the 10 subnet and be able to access the cluster. Normally you would set up separate VLANs for each subnet on the switch. Even 'unmanaged' switches sometimes have the ability to set up VLANs - depends on what your definition of 'unmanaged' is! If this is a commercial setup then it should be secured with VLANs. If it is a home lab then anything goes (although it is still good to do things the right way).

    I've been giving it a bit of further thought and I'm not even sure a hairpin NAT will work in your situation. Typically it is used where you want to bounce back internal traffic that is destined for your public IP. So the traffic would go workstation->XG LAN->XG WAN->XG LAN->workstation. I don't know if the XG hairpin would allow an in and out directly on the same LAN interface (missing out bouncing it off the WAN interface). Maybe someone will chime in with an answer (I don't have time to try it ATM).

  • I couldn’t get it to work.

    ian

  • I connected a cable, set up the port and created the following rule. But still no access to the 10.0.0.0 range.

    Rule

    Accept any service going to "LAN" zone, when in "LAN" zone, and coming from "#Port1" and "#Port5" networks

    Source & schedule
    LAN

    Source networks and devices : #Port1,#Port5
    During scheduled time : All the time

    Destination and services
    LAN

    Destination networks : #Port1,#Port5
    Services : Any

    Exclusions

    Source zones :
    Source networks and devices :
    Destination networks :
    Destination networks :
    Services :

  • Hi,

    you will need to change the port to a network name/24. A port is 1 IP address only.

    Ian

  • No that doesn't work either. It shouldn't be this hard to figure out.

    Rule

    Accept any service going to "LAN" zone, when in "LAN" zone, and coming from "192.168.110.0" and "10.0.0.0" networks, then apply log connections

    Source & schedule
    LAN

    Source networks and devices : 192.168.110.0,10.0.0.0
    During scheduled time : All the time

    Destination and services
    LAN

    Destination networks : 192.168.110.0,10.0.0.0
    Services : Any

  • Start with the basics and make sure you can ping both subnets from the XG. At least you then know your basic networking is working.

    Being comparatively new to XG, and having not tried this before, I'm not sure if you need a firewall rule at all. For instance, on Cisco firewalls, if the NICs are in the same zone then they will allow all traffic between the zones unless you set up a rule to block. As both your NICs are in the LAN zone, you may not need a rule at all, until you get to the stage of wanting to restrict what can pass between them. I don't know if this is true for XG, but you could try just disabling your rule and seeing if it works (after you have checked pings from XG work).

    I presume you haven't set up any static routes for this. If you have, delete them, as you shouldn't need any as both subnets are local to the XG.

    You're right, this shouldn't be hard to set up!

  • No routes are setup.

    With rule enabled, ping to both networks from the XG works. But ping doesn't work from the 192 range to the 10 range.

    With rule disabled, ping to both networks from the XG works. But ping doesn't work from the 192 range to the 10 range.

    Actually, the log file shows lines allowing RDP from the 192 to the 10 range.

    But the rule has no traffic in but it has traffic out.

  • Check for typos on the XG and the NIC settings.

    I notice in an earlier post you referred to 192.168.1.0 but in the rules you have 192.168.110.0 (I suspect the earlier post was a typo).

    Check the default gateways on the NICs you are testing between. Both should be set to the appropriate XG LAN IP. Without the correct gateways on the NICs, the traffic won't route.

    Check firewalls on the endpoints. If it is safe to do so, temporarily disable them to be 100% sure.

    Did you try any pings from 10 to 192?

    Assuming the subnets are correct in your rule, it looks fine. As I said, I'm not sure if it is necessary, but if it is, it should allow all traffic between the subnets (unless I've missed something!)

  • It works now. Apparently you also need a MASQ rule.

    So to recap.

    To connect 2 LAN ranges you need to connect 2 cables to 2 different interface ports and set them up correspondingly.

    Then you need a rule like so:

    Accept any service going to "LAN" zone, when in "LAN" zone, and coming from "192.168.1.0" and "10.0.0.0" networks

    Source: LAN

    Source networks and devices : 192.168.1.0,10.0.0.0

    Destination: LAN

    Destination networks : 192.168.1.0,10.0.0.0

    Services : Any

    And you also need to add a linked NAT rule where the

    Translated source (SNAT): MASQ

    I hope this helps someone, sometime :-)

    ***********************************************************************************************************

    EDIT: Please read JasP's reply hereunder. I configured my 10.0.0.0 interface wrong. The IP address I had to fill in should have been the gateway address.

    Once I changed that, I could remove the MASQ rule.

    ***********************************************************************************************************

  • I'm glad you got it working but adding a MASQ rule should be unnecessary. There would normally be no need to NAT the traffic between the two interfaces, straight routing is all that should be required.

    I don't like to post a definitive answer unless I'm 100% sure and there were a couple of things I was unsure about, so I dug out the XG we use for lab work and set it up with a dumb switch and a couple of laptops on different subnets. I got everything working without having to NAT the traffic but confirmed you do have to set up a firewall rule to allow the traffic between the two XG network connections even though they are in the same zone.

    I used Port 1 and 4 on the XG, IP 172.16.16.16 and 10.10.10.16. Subnet throughout this post is 255.255.255.0.

    The first laptop had IP of 172.16.16.100/24, gateway 172.16.16.16. Second laptop had IP of 10.10.10.100/24, gateway 10.10.10.16.

    Firewall rule:

    Both the XG ports and the two laptops were all plugged into one (very dumb, very cheap) switch.

    I disabled the firewalls on both the laptops just for the purposes of this test.

    With this setup, it was possible to ping each laptop from the other laptop and remote desktop from each laptop to the other laptop (no NAT required).

    @Marc Van der Smissen I suspect the reason you needed to MASQ NAT the traffic to get it to work is because you are missing a default gateway on one of the endpoint NICs or you have multiple NICs and more than one of them has a default gateway. The inability to route without a MASQed NAT looks like a gateway issue on one (or more) of the endpoints.
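To make the diagnosis in this last reply concrete, here is an added Python model (not code from the thread or from Sophos) of the lab setup: the host's next-hop choice first, then the XG's connected-route and LAN-to-LAN rule check. The interface addresses, laptop addresses and rule contents are taken from the post above; the function names and the rule representation are my own assumptions, and it reproduces the missing-gateway, wrong-gateway and port-object-instead-of-/24 failure modes discussed in the thread.

```python
import ipaddress

# Constructed from the lab in the post above: XG Port1/Port4 and two laptops.
XG_INTERFACES = {
    "Port1": ipaddress.ip_interface("172.16.16.16/24"),
    "Port4": ipaddress.ip_interface("10.10.10.16/24"),
}
# The LAN-to-LAN rule: allowed source/destination networks (both /24s, any service).
LAN_RULE_NETWORKS = [iface.network for iface in XG_INTERFACES.values()]


def host_next_hop(host_cidr, dst_ip, gateway):
    """Where a host sends a packet: 'direct' (on-link), the gateway IP, or None."""
    host = ipaddress.ip_interface(host_cidr)
    dst = ipaddress.ip_address(dst_ip)
    if dst in host.network:
        return "direct"
    if gateway is None:
        return None  # no default gateway: the packet never leaves the host
    gw = ipaddress.ip_address(gateway)
    if gw not in host.network:
        return None  # gateway is not on-link, so the host cannot ARP for it
    return gw


def xg_forwards(src_ip, dst_ip, rule_networks=LAN_RULE_NETWORKS):
    """Does the XG route src->dst? Needs connected routes and a matching rule."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    connected = [iface.network for iface in XG_INTERFACES.values()]
    if not any(src in n for n in connected) or not any(dst in n for n in connected):
        return False  # no connected route; this is where a static route would be needed
    # The rule must list the whole /24s; a bare port object is only the XG's own IP.
    return any(src in n for n in rule_networks) and any(dst in n for n in rule_networks)


def reachable(host_cidr, gateway, dst_ip, rule_networks=LAN_RULE_NETWORKS):
    """End-to-end: host next-hop choice, then the XG's forwarding decision."""
    hop = host_next_hop(host_cidr, dst_ip, gateway)
    if hop == "direct":
        return True
    if hop is None or hop not in {iface.ip for iface in XG_INTERFACES.values()}:
        return False  # traffic goes to some other gateway and never hits the XG
    return xg_forwards(str(ipaddress.ip_interface(host_cidr).ip), dst_ip, rule_networks)


if __name__ == "__main__":
    print(reachable("172.16.16.100/24", "172.16.16.16", "10.10.10.100"))  # True
    print(reachable("172.16.16.100/24", None, "10.10.10.100"))            # False
```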