multiple LAN ranges on same interface

Hi there. Newbie here. I don't get it.

I have two ip ranges in my network 10.0.0.0/24 and 192.168.1.0/24

I've setup the XG210 with the 192.168.1.0 range as LAN and everything works fine except I can't reach the 10.0.0.0 range from 192.168.1.0 range.

How can I remedy this ?

Thanks, Marc



  • No, that doesn't work either. It shouldn't be this hard to figure out.

    Rule

    Accept any service going to "LAN" zone, when in "LAN" zone, and coming from "192.168.110.0" and "10.0.0.0" networks, then apply log connections

    Source & schedule
    LAN

    Source networks and devices : 192.168.110.0,10.0.0.0
    During scheduled time : All the time

    Destination and services
    LAN

    Destination networks : 192.168.110.0,10.0.0.0
    Services : Any

  • Start with the basics and make sure you can ping both subnets from the XG. At least you then know your basic networking is working.

    Being comparatively new to XG, and having not tried this before, I'm not sure if you need a firewall rule at all. For instance, on Cisco firewalls, if the NICs are in the same zone then they will allow all traffic between the zones unless you set up a rule to block. As both your NICs are in the LAN zone, you may not need a rule at all, until you get to the stage of wanting to restrict what can pass between them. I don't know if this is true for XG, but you could try just disabling your rule and seeing if it works (after you have checked pings from XG work).

    I presume you haven't set up any static routes for this. If you have, delete them, as you shouldn't need any: both subnets are local to the XG.

    You're right, this shouldn't be hard to set up!

  • No routes are set up.

    With rule enabled, ping to both networks from the XG works. But ping doesn't work from the 192 range to the 10 range.

    With rule disabled, ping to both networks from the XG works. But ping doesn't work from the 192 range to the 10 range.

    Actually the log file shows lines allowing RDP from 192 to 10 range.

    But the rule has no traffic in but it has traffic out.

  • Check for typos on the XG and the NIC settings.

    I notice in an earlier post you referred to 192.168.1.0 but in the rules you have 192.168.110.0 (I suspect the earlier post was a typo).

    Check the default gateways on the NICs you are testing between. Both should be set to the appropriate XG LAN IP. Without the correct gateways on the NICs, the traffic won't route.

    Check firewalls on the endpoints. If it is safe to do so, temporarily disable them to be 100% sure.

    Did you try any pings from 10 to 192?

    Assuming the subnets are correct in your rule, it looks fine. As I said, I'm not sure if it is necessary, but if it is, it should allow all traffic between the subnets (unless I've missed something!)

  • It works now. Apparently you also need a MASQ rule.

    So to recap.

    To connect 2 LAN ranges you need to connect 2 cables to 2 different interface ports and set them up correspondingly.

    Then you need a rule like so:

    Accept any service going to "LAN" zone, when in "LAN" zone, and coming from "192.168.1.0" and "10.0.0.0" networks

    Source: LAN

    Source networks and devices : 192.168.1.0,10.0.0.0

    Destination: LAN

    Destination networks : 192.168.1.0,10.0.0.0

    Services : Any

    And you also need to add a linked NAT rule where the

    Translated source (SNAT): MASQ

    I hope this helps someone, sometime :-)

    ***********************************************************************************************************

    EDIT: Please read JasP's reply hereunder. I configured my 10.0.0.0 interface wrong. The IP address I had to fill in should have been the gateway address.

    Once I changed that, I could remove the MASQ rule

    ***********************************************************************************************************

  • I'm glad you got it working but adding a MASQ rule should be unnecessary. There would normally be no need to NAT the traffic between the two interfaces, straight routing is all that should be required.

    I don't like to post a definitive answer unless I'm 100% sure, and there were a couple of things I was unsure about, so I dug out the XG we use for lab work and set it up with a dumb switch and a couple of laptops on different subnets. I got everything working without having to NAT the traffic, but confirmed you do have to set up a firewall rule to allow the traffic between the two XG network connections even though they are in the same zone.

    I used Port 1 and 4 on the XG, IP 172.16.16.16 and 10.10.10.16. Subnet throughout this post is 255.255.255.0

    The first laptop had IP of 172.16.16.100/24, gateway 172.16.16.16. Second laptop had IP of 10.10.10.100/24, gateway 10.10.10.16

    Firewall rule:

    Both the XG ports and the two laptops were all plugged into one (very dumb, very cheap) switch.

    I disabled the firewalls on both the laptops just for the purposes of this test.

    With this setup, it was possible to ping each laptop from the other laptop and remote desktop from each laptop to the other laptop (no NAT required).

    @Marc Van der Smissen I suspect the reason you needed to MASQ NAT the traffic to get it to work is because you are missing a default gateway on one of the endpoint NICs or you have multiple NICs and more than one of them has a default gateway. The inability to route without a MASQed NAT looks like a gateway issue on one (or more) of the endpoints.
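The checklist from these replies (both subnets directly connected to the firewall, each endpoint's default gateway set to the firewall's own address on that subnet, and a LAN-to-LAN rule that covers both networks) can be turned into a small offline checker. The following Python is an added example, not code from the thread or from Sophos; it models a firewall with zoned interfaces and any-service zone rules and reports why two hosts on different subnets would fail to route. The lab addresses are the ones JasP posted; the "broken" configuration, with the firewall's interface at 10.0.0.10 while the hosts point at 10.0.0.1, is constructed to illustrate the misconfiguration Marc describes and is not taken from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface, ip_network
from typing import Optional


@dataclass
class Rule:
    """Minimal model of a zone-to-zone firewall rule matching any service."""
    src_zone: str
    dst_zone: str
    src_nets: list   # CIDR strings
    dst_nets: list   # CIDR strings


@dataclass
class Firewall:
    interfaces: dict  # interface name -> (zone, "ip/prefix")
    rules: list       # list of Rule


@dataclass
class Host:
    name: str
    address: str            # "ip/prefix" as configured on the NIC
    gateway: Optional[str]  # default gateway on the NIC, or None if unset


def local_interface(fw, ip):
    """Return (name, zone, interface) of the firewall interface whose subnet holds ip."""
    ip = ip_address(ip)
    for name, (zone, cidr) in fw.interfaces.items():
        iface = ip_interface(cidr)
        if ip in iface.network:
            return name, zone, iface
    return None


def check_host(fw, host):
    """Endpoint NIC checks from the thread: gateway set, in-subnet, and a firewall address."""
    problems = []
    nic = ip_interface(host.address)
    if local_interface(fw, nic.ip) is None:
        problems.append(f"{host.name}: {nic.network} is not local to any firewall interface")
    if host.gateway is None:
        problems.append(f"{host.name}: no default gateway set")
        return problems
    gw = ip_address(host.gateway)
    if gw not in nic.network:
        problems.append(f"{host.name}: gateway {gw} is outside {nic.network}")
    fw_addrs = {ip_interface(cidr).ip for _, cidr in fw.interfaces.values()}
    if gw not in fw_addrs:
        problems.append(f"{host.name}: gateway {gw} is not an address on any firewall interface")
    return problems


def rule_permits(fw, src_ip, dst_ip):
    """True if some rule matches the zones and networks of src_ip -> dst_ip."""
    src, dst = local_interface(fw, src_ip), local_interface(fw, dst_ip)
    if src is None or dst is None:
        return False
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in fw.rules:
        if (r.src_zone == src[1] and r.dst_zone == dst[1]
                and any(s in ip_network(n) for n in r.src_nets)
                and any(d in ip_network(n) for n in r.dst_nets)):
            return True
    return False


def diagnose(fw, a, b):
    """Reasons a cannot reach b via the firewall; an empty list means plain routing, no NAT needed."""
    a_if, b_if = ip_interface(a.address), ip_interface(b.address)
    if a_if.network == b_if.network:
        return []  # same subnet: switched directly, the firewall is not in the path
    # Both endpoints are checked because replies depend on b's gateway as much as a's.
    findings = check_host(fw, a) + check_host(fw, b)
    if not rule_permits(fw, a_if.ip, b_if.ip):
        findings.append(f"no firewall rule permits {a_if.ip} -> {b_if.ip}")
    return findings


# JasP's lab: Port1 172.16.16.16/24, Port4 10.10.10.16/24, one LAN-to-LAN rule.
LAN_RULE_LAB = Rule("LAN", "LAN", ["172.16.16.0/24", "10.10.10.0/24"],
                    ["172.16.16.0/24", "10.10.10.0/24"])
LAB = Firewall({"Port1": ("LAN", "172.16.16.16/24"),
                "Port4": ("LAN", "10.10.10.16/24")}, [LAN_RULE_LAB])
LAPTOP_A = Host("laptop-a", "172.16.16.100/24", "172.16.16.16")
LAPTOP_B = Host("laptop-b", "10.10.10.100/24", "10.10.10.16")

# Constructed misconfiguration (not from the thread): the 10.0.0.0/24 interface was
# given 10.0.0.10 while the hosts on that subnet use 10.0.0.1 as their gateway.
LAN_RULE_BROKEN = Rule("LAN", "LAN", ["192.168.1.0/24", "10.0.0.0/24"],
                       ["192.168.1.0/24", "10.0.0.0/24"])
BROKEN = Firewall({"Port1": ("LAN", "192.168.1.1/24"),
                   "Port2": ("LAN", "10.0.0.10/24")}, [LAN_RULE_BROKEN])
PC_192 = Host("pc-192", "192.168.1.50/24", "192.168.1.1")
PC_10 = Host("pc-10", "10.0.0.50/24", "10.0.0.1")

if __name__ == "__main__":
    print("lab:", diagnose(LAB, LAPTOP_A, LAPTOP_B) or "routes without NAT")
    print("broken:", diagnose(BROKEN, PC_192, PC_10))
```

With the firewall's interface address corrected to match the gateway the hosts actually use, the second case reports nothing, which is the routed, NAT-free result JasP reproduced in the lab; a MASQ rule only papers over the asymmetry by making replies look like they come from the firewall itself.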