Sophos XG (Home Edition) - Unable to define LAN Gateway IP Address - To route to internal subnets.

Hello All,

I have Sophos XG 'Home' edition setup in a home environment. I have retained the same default internal LAN IP address 172.16.16.16/24. From devices connected to this this subnet, I can successfully route out to the Internet.

However, I also desire to access the Internet from other connected subnets accessible via the LAN Interface. From the Sophos LAN Interface I'm assuming that I need to specify the 'Gateway IP' so that I may route to these other subnets.

However, I can't add a default gateway IP. Please see screenshot. This field is not editable. Is this a restriction with the 'Home' Edition? Any help would be much appreciated.

  • Peter,

    the XG receives the packet from the remote networks that it does not know and forwards the reply traffic to the internet. In order to inform the XG of these networks, you have to add static routing inside Routing Menu > Unicast Routing, where you add the destination network, the gateway that knows that network and the XG port used (in your case port1).

    Regards,

  • Hello Peter, 

    In addition to what Luk has suggested, you can also bind an Alias IP to the LAN Interface if you do not want to create static routes. 

    In my setup, I have taken one IP from the other subnets connected to my LAN interface and created a LAN - LAN rule (for Destination subnet) with MASQ set to on, please see the screenshot below.

    Regards,

  • Hello lferrara,

    Thank you for providing a suggestion. I forgot to mention that I had already defined a static route. Please see screenshot:

    In addition, when using the diagnostics function, I can successfully traceroute to this subnet, via the LAN1 gateway:

    However, I still can't access the Internet (through the Sophos XG) from this src subnet (192.168.20.0/24).

    I've also provided full source (ANY) access on the FW rules.

    Any further comments or suggested troubleshooting steps would be appreciated.

  • Hello varunparikh,

    Many thanks for your suggestion also. However, I would rather use static routing in this scenario.

    However, I may need to use an 'Alias IP' if I can't get it working.

    Thanks and regards,

    Peter.

  • Peter,

    Can you share screenshots of your policy rule?

    Thanks

  • Hello Luk,

    Please find attached below. Hopefully this is the screenshot that you're referring to:

  • Hello Peter, 

    could you please let me know

    1. where 172.16.16.254 is located? 

    2. What is the gateway of your PCs in the 192.168.20.0/24 subnet?

  • Hello,

    The IP address 172.16.16.254 is a Layer-3 interface (defined on a router) that is accessible from the Sophos LAN interface. Hence I have a static route pointing to this address to reach other 'Internal' subnets.

    The gateway for PCs on 192.168.20.0/24 is 192.168.20.254 (which incidentally is also defined on the same internal router).

    I hope that helps explain the setup.

    Thanks and regards.

  • Hello again Peter, 

    As I understand, the PCs and the routers are connected to the same Interface (Sophos LAN Interface), through a switch? Are the routers and the PCs connected to the same switch or different ones?

    I can see an asymmetric routing issue if they are on the same switch, as when a PC in the 192.168.20.0 subnet initiates traffic, it will send to its gateway (20.254), which, if in the same switch, does not reach the Sophos LAN interface because they are in the same broadcast domain.

    Also, the static routing you have configured on the Sophos Firewall is a destination-based static route, which means any traffic received by the Sophos firewall with destination 192.168.20.0 will be routed as you have specified, but to participate in routing, the Sophos firewall needs to be a gateway.

    Hope this clears a bit of confusion. It would be nice if you could share a small diagram.

    Regards,
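As an added illustration (not code from the thread or from Sophos), the following Python model walks the routing tables that the first reply and the last reply describe, using the thread's addresses plus one assumption: the internal router's default route points at the XG (172.16.16.16). It shows why the Unicast Routing entry is needed for the XG to return traffic to 192.168.20.0/24, and where the reply goes without it. The ISP gateway address is a placeholder because the page does not give it.

```python
import ipaddress

# Constructed routing tables using the thread's addresses (assumptions, not Sophos config output).
# Route entry: (destination network, next hop or None when directly connected, egress port).
PC_TABLE = [("192.168.20.0/24", None, "eth0"),
            ("0.0.0.0/0", "192.168.20.254", "eth0")]          # PC gateway named in the thread
ROUTER_TABLE = [("192.168.20.0/24", None, "lan"),               # 192.168.20.254 lives here
                ("172.16.16.0/24", None, "uplink"),             # 172.16.16.254 lives here
                ("0.0.0.0/0", "172.16.16.16", "uplink")]        # assumed: router defaults to the XG
XG_BASE = [("172.16.16.0/24", None, "Port1"),
           ("0.0.0.0/0", "WAN_GW_PLACEHOLDER", "Port2")]        # ISP gateway, not given on the page
XG_STATIC = ("192.168.20.0/24", "172.16.16.254", "Port1")       # the Unicast Routing entry


def lookup(table, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, next_hop, port in table:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, port)
    return None if best is None else (best[1], best[2])


def trace(table, dst, devices):
    """Follow next hops from one routing table to the next until the destination is
    directly connected or the next hop is something we do not model (the ISP)."""
    path = []
    while True:
        route = lookup(table, dst)
        if route is None:
            return path + ["no route"]
        next_hop, port = route
        if next_hop is None:
            return path + [f"delivered via {port}"]
        path.append(next_hop)
        if next_hop not in devices:
            return path
        table = devices[next_hop]


def paths(static_route_present, client="192.168.20.10", internet="203.0.113.5"):
    """Outbound path from the client and the XG's reply path, with or without the static route."""
    xg_table = XG_BASE + ([XG_STATIC] if static_route_present else [])
    devices = {"192.168.20.254": ROUTER_TABLE, "172.16.16.254": ROUTER_TABLE,
               "172.16.16.16": xg_table}
    return trace(PC_TABLE, internet, devices), trace(xg_table, client, devices)
```

Calling `paths(False)` shows the reply to the client leaving via the WAN default route, while `paths(True)` hands it to 172.16.16.254, which delivers it onto the 192.168.20.0/24 segment.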