Site2Site Tunnel with unexpected gateway

as 10.10.11.1 and 10.10.10.1 is the same interface ... the Firewall use the first IP of used interface to answer the request.

Should not be a problem.

... but is not a good design.

Do you have some problems? Do you mask the additional subnet too?

Hi, thanks for answer. You said bad design? How to improof?

What means "Do you mask the additional subnet too?"

Sophos Port is a VLAN Port. So VLAN per Port can only be assigned once.

Greetings from Berlin ;-)

Ok, Gernot, your setup very much depends on how the rest of yor uplinks are configured. You expect a VLAN to be routed just because it is running on the same physical adapter. This is normally not working. That second net has to be routed to „know“ the way to your remote site. Since we don‘t know how you setup your router, cabling, switches with VLANs, we would need a diagram to help you further.

Hi,

thanks for help.

I don't expect routing because of same Adapter.

Routing is working fine to the internet.

Routing is known because I added my new network to the site2site tunnel.

So my diagram:

1. Site: 172.30.1.0/24 <-> 2. site: 10.10.10.0/29 and 10.10.11.0/29

2. site details: one VLAN network adapter containing 10.10.10.1 as IP and 10.10.11.1 as alias on same VLAN adapter. Both networks are connected using same VLAN.

That helps?

I thing cabling is not needed at this environment.

Btw: Changing the 2nd network to an own VLAN (and so an own Adapter), it works. Did this lots of time. If there is no way for my constellation I will change to that config.

Hello Gernot,

let me try to explain what I see at your setup: Your two IP networks 10.10.10.0/29 and 10.10.11.0/29 are defined on the same adapter.

Despite this fact, they are two distinct networks which don't know about each other, as long as you do not have a L3-gateway, that has a connection to both nets. Maybe you achieved this, when using two physical adapters, I don't know from your description.

So VLAN is Layer 2, the packets are transported, if this VLAN is allowed on a certain switch port and so on. BUT this has nothing to do with IP, which is Layer 3 and has to have a valid routing entry to find it's way to the target network 172.30.1.0/24.

So you have an IPsec tunnel which is connected (bound) to the primary IP address of that adapter, which is 10.10.10.1.

Even if you define the second net 10.10.11.0/29 in your IPsec tunnel definition, this does not get routed "automagically".

Hope this helps a bit.

Hi Phillip,

thanks for detailed help.

first and most important Question: How to go around this?

2nd: I never "bind" an adapter to my site2site tunnel. I simply add a local network. What do you mean with "binding an adapter". Sophos knows its network and gateways and routing because of the settings in "network" and/or "Routing". Do you mean the alias will not be able to act as a gateway? If this would be true, my new network would not be able to connect to the internet but it is connecting to goole like a charme ;-). so te alias is acting as a gateway.

3rd thing: I know that VLAN adapter is layer 2 (like physical adapter). But using 2 different physical this constellation is working fine.

So conclusion for me: An alias is working a little it as a gateway but not a fully one. What brings me to no 1: How to solve this if you need to use VLAN tagging?

Best from Berlin

Gernot

Hi Gernot,

do you add a 2nd IP on an existing network (not great design) or an additional VLAN to a port (good design)?

To use the internet from new subnet, these must be included within masquerading or default-SNAT Rule.

Greetings from Potsdam

PS: offensichtlich wurde das nicht abgeschickt und lag ein paar Tage als Entwurf rum. Sorry.

GernotMeyer said:

How to solve this if you need to use VLAN tagging?

Build a separate L2 network (VLAN) for every L3 Network (Subnet)