
Connect two branches directly (SITE A \ SITE B)

Hi,

Thanks in advance for your help.

I am in this scenario:

Head Office:

2 Sophos XG in HA

We have different ZONES:

LAN -> 172.19.1.1. IPs from 20 to 220 for devices

DMZ -> Port 3, 192.168.88.1. IPs from 20 to 200 for devices

WIFI -> 193.108.1.1. IPs from 20 to 200 for devices

Technical -> 10.0.0.1. IPs from 20 to 200 for devices.

Branch Office (currently linked by IPsec tunnel)

Same config, but the Sophos XG has a different IP: 172.19.111.1

Now my provider will link these two sites with a dedicated VRRP connection, a 10Gb fiber link. It is already done, on PORT 12 of my SOPHOS XG 310 on both sides.

AND the provider also provides me a new WAN connection for my HEAD OFFICE and a WAN for my branch office, but this one will be on STANDBY.

So, I have questions now:

1: If my Head Office loses its WAN (internet) connection and the provider activates the standby router at the branch office, how do I redirect my traffic from my head office to the WAN of my branch office to have internet?

2: The purpose of all this is to have the same network in my Head Office and Branch Office. So can I have the same servers with the same IP addresses on both sides? (Clusters of VMs)

3: How to redirect DHCP requests?

Thanks for your help

  • Hello Geremia,

    you cannot have the same IPs on both sites. You can have the same network, but not the same IPs.

    Having the "same network" on both sites needs a bridge between these different sites. As far as I understand you, you already have your ISP setting this up for you, although a VRRP setup is a special form of routing.

    The better solution (even with a dedicated 10 GBit link) is a normal routing setup between two separate networks, one at each site. This would not need a VPN if the link is already set up by your ISP as above.

    But to help you further, we would need far more info than you gave us here. At least a network diagram would help here.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • This is our infrastructure.

    We have 2 scenarios (problems), and they must work afterwards:

    1. ORANGE part: If our MAIN WAN fails, our provider automatically activates the AUXILIARY WAN. (Not configured by us; our provider will do it.)

    1a. So the main problem is that DC(B) (green part), for accessing the internet, must pass through the BLESS connection and use DC(A) for internet access.

    1b. If the Main WAN is unavailable, DC(A) (blue part) must pass through the BLESS connection and use DC(B) for accessing the internet.

    Already did:

    A. Put our BLESS connection on WAN zone

    B. Made an IPSEC

    C. and work with WAN Link Manager Active WAN/Backup WAN (seems to work)

    2. If possible, I want to keep network 172.16.0.0/16 on both sides.

    2a. Because on the LAN we have a hypervisor and we want to duplicate it on DC(B), we cannot change the IPs of the virtual machines.

    2b. If possible, we want to keep 172.16.1.1 as the gateway, for the same reason as 2a: we cannot change the gateway of all virtual machines if there is a problem.

    Already did:

    Configuring NAT over a Site-to-Site IPsec VPN connection - Sophos (XG) Firewall

    A. Configured NAT inbound and NAT outbound using IPsec, but not working

    -> I think it is because WAN Link Manager treats the BLESS connection as a backup gateway.

    3. DC(A) has to communicate permanently with DC(B) for replication.

    3a. Our Hypervisor (DC(A) side) must send replica to our Hypervisor2 (DC(B) side)

    Already did:

    Point 2 is not working, so I have not tested that part.
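As an added illustration (not from the thread, from Sophos, or from the linked article), the overlap problem Philipp describes and the 1:1 NAT-over-IPsec approach the linked article is about, with constructed prefixes: both sites keep 172.16.0.0/16 locally, and each side is presented to the other through a hypothetical non-overlapping prefix on the tunnel.

```python
import ipaddress

# Constructed example: both data centres use the same LAN prefix,
# exactly the situation described in the post above.
SITE_A_LAN = ipaddress.ip_network("172.16.0.0/16")
SITE_B_LAN = ipaddress.ip_network("172.16.0.0/16")

# Hypothetical prefixes used only across the tunnel (assumed values,
# chosen by the administrator; they must not overlap each other or the LANs).
SITE_A_NAT = ipaddress.ip_network("10.101.0.0/16")
SITE_B_NAT = ipaddress.ip_network("10.102.0.0/16")


def subnets_overlap(a, b):
    """True when a route for one prefix would swallow traffic meant for the other."""
    return a.overlaps(b)


def translate(addr, real_net, nat_net):
    """1:1 NAT: keep the host bits, swap the network bits.

    Both prefixes must be the same size so every host maps to exactly one
    tunnel address and back again.
    """
    addr = ipaddress.ip_address(addr)
    if real_net.prefixlen != nat_net.prefixlen:
        raise ValueError("1:1 NAT needs equally sized prefixes")
    if addr not in real_net:
        raise ValueError(f"{addr} is not in {real_net}")
    host_bits = int(addr) - int(real_net.network_address)
    return ipaddress.ip_address(int(nat_net.network_address) + host_bits)


def untranslate(addr, real_net, nat_net):
    """Reverse direction: tunnel address back to the real LAN address."""
    return translate(addr, nat_net, real_net)


def flow_a_to_b(src_real, dst_real):
    """Packet from a Site A host to a Site B host through the NATed tunnel.

    Returns (destination the Site A host must send to,
             (source, destination) as seen by the Site B host).
    """
    dst_on_wire = translate(dst_real, SITE_B_LAN, SITE_B_NAT)      # A addresses B's NAT prefix
    src_after_a = translate(src_real, SITE_A_LAN, SITE_A_NAT)      # SNAT at Site A firewall
    dst_after_b = untranslate(dst_on_wire, SITE_B_LAN, SITE_B_NAT)  # DNAT at Site B firewall
    return str(dst_on_wire), (str(src_after_a), str(dst_after_b))
```

The overlap check is what rules out plain routing or a bridge with identical addressing; the translation functions show why hosts on each side must address the remote site by its tunnel prefix, not by its real LAN address.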
