Sophos XG (Home Edition) - Unable to define LAN Gateway IP Address - To route to internal subnets.

Peter,

the XG receives the packet from the remote networks that it does not kwow and forward the reply traffic to internet. In order to inform the XG of these networks, you have to add static routing inside Routing Menu > Unicast Routing where you add the destination network, the gateway that knows that network and the XG port used (in your case port1).

Regards,

Hello lferrara,

Thank you providing a suggestion. I forgot to mention that I had already defined a static route. Please see screenshot:

In addition, when using the diagnostics function, I can successfully traceroute to this subnet, via the LAN1 gateway:

However, I still cant access the Internet (through the Sophos XG) from this src subnet (192.168.20.0/24)

I've also provided full source (ANY) access on the FW rules.

Any further comments or suggested troubleshooting steps would be appreciated.

Peter,

Can you share screenshots of your policy rule?

Thanks

Peter,

Can you share screenshots of your policy rule?

Thanks

Hello Luk,

Please find attached below. Hopefully this is the screenshot that you're referring to:

and here's the web policy:

Hello Peter, 

could you please let me know

1. where 172.16.16.254 is located? 

2. What is the gateway of your PCs in the 192.168.20.0/24 subnet?

Hello,

The IP address 172.16.16.254 is a Layer-3 interface (defined on a router) that is accessible from the Sophos LAN interface. Hence I have a static route pointing to this address to reach other 'Internal' subnets.

The gateway for PCs on 192.168.20.0/24 is 192.168.20.254 (which incidentally is also defined on the same internal router).

I hope that helps explain the setup.

Thanks and regards.

Hello again Peter, 

As I understand, PCs and the routers are connected to the same Interface (Sophos LAN Interface), through a switch? Are the routers and the PCs connected to same switch or different ones?

I can see an asymmetric routing issue if they are on the same switch, as when a PC in 192.168.20.0 subnet initiates traffic, it will send to its gateway (20.254), which if in the same switch, does not reach the Sophos LAN interface because they are in the same broadcast domain. 

Also, the static routing you have configured on the Sophos Firewall is destination based static route, which means when any traffic received by the Sophos firewall (destination 192.168.20.0) will be routed as you have specified, but to participate in routing, Sophos firewall needs to be a gateway. 

Hope this clears a bit of confusion. It would be nice if you could share a small diagram.

Regards,

Peter,

Send me a pm and I will have a look.

Regards

PM sent with network topology diagram.

Thank you.