Multiple subnets on a single WAN interface and outgoing NAT

I have 2 public subnets on a WAN interface, say 1.1.1.0/29 and 2.2.2.0/29.

I configured the first one as the primary address 1.1.1.2/29 and gateway 1.1.1.1.

I configured an alias on the port with address 2.2.2.2/29.

In a firewall rule, LAN to WAN, I want to use the 2.2.2.2 address. The problem is that I actually only have one WAN gateway for the port. In the firewall rule UI, if I try to configure a new 'Gateway Host' to set the primary gateway as '2.2.2.1', I get the following error: "Interface IP and gateway IP address must be in the same network".

The problem is that in the port list I only have the port with the '1.1.1.2' address; I cannot select the alias port (Portname:0).

Is there a workaround?
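The error quoted above comes from a same-network check between an interface address and a candidate gateway. The following Python snippet, added here as an illustration and not code from Sophos or from anyone in this thread, reproduces that check with the standard `ipaddress` module and shows why it fails when only the primary address (1.1.1.2/29) is considered and succeeds when the alias (2.2.2.2/29) is included. The function names and the WAN address list are constructed for this example.

```python
"""Same-network check between a WAN interface's addresses and a gateway.

Added example (not Sophos XG code): models the validation rule behind
"Interface IP and gateway IP address must be in the same network" and
picks the interface address a LAN-to-WAN SNAT rule would use for a
given gateway.
"""
from ipaddress import ip_address, ip_interface
from typing import List, Optional

# Constructed sample: primary address first, aliases after it.
WAN_ADDRESSES: List[str] = ["1.1.1.2/29", "2.2.2.2/29"]


def same_network(iface_addr: str, gateway: str) -> bool:
    """True if the gateway lies inside the interface address's subnet."""
    return ip_address(gateway) in ip_interface(iface_addr).network


def matching_address(addresses: List[str], gateway: str,
                     primary_only: bool = False) -> Optional[str]:
    """Return the first interface address whose subnet contains the gateway.

    With primary_only=True only addresses[0] is examined, which mirrors the
    UI behaviour described in the thread (aliases are not selectable).
    """
    candidates = addresses[:1] if primary_only else addresses
    for addr in candidates:
        if same_network(addr, gateway):
            return str(ip_interface(addr).ip)
    return None


def snat_source_for(addresses: List[str], gateway: str,
                    primary_only: bool = False) -> str:
    """Source IP a LAN-to-WAN rule should translate to for this gateway.

    Raises ValueError with the same wording as the UI error when no
    interface address shares a network with the gateway.
    """
    match = matching_address(addresses, gateway, primary_only)
    if match is None:
        raise ValueError(
            "Interface IP and gateway IP address must be in the same network"
        )
    return match


if __name__ == "__main__":
    # Primary gateway: fine either way.
    print(snat_source_for(WAN_ADDRESSES, "1.1.1.1", primary_only=True))
    # Second gateway: accepted only when the alias address is considered.
    print(snat_source_for(WAN_ADDRESSES, "2.2.2.1"))
    try:
        snat_source_for(WAN_ADDRESSES, "2.2.2.1", primary_only=True)
    except ValueError as err:
        print("rejected:", err)
```

Run it as a script to see the three cases; the last one reproduces the rejection the original poster hit, because the gateway 2.2.2.1 is only checked against the primary 1.1.1.2/29.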

  • Eddy,

    An alias is a way to add an additional IP (on the same subnet) on a physical interface. You cannot add multiple different IPs on the same physical interface, unless you use VLANs with different VLAN IDs.

    This is a network limitation and not an XG one.

  • There's probably no need to specify a 2nd gateway (assuming it's just the same ISP router having both GW addresses).

    In the LAN to WAN rule, don't use masquerading, but specify the alias IP as source.

  • I tried this config first because it was configured like this on the previous (replaced) device (Zyxel ZyWALL) and it worked great.

    Here are the results of my tests:

    - You can put an alias address in different subnet/mask

    - When doing that, you can access from outside to the device on this address

    - You can use a translation with an IP in the alias subnet to send packets out

    BUT if you do that, the primary address will stop working; the ping test in the gateway will put it down and make the gateway unusable.

    So, since I am on a virtual appliance and also the ISP, I configured a second test:

    - I put the 2 subnets on different interfaces on the same VLAN

    BUT if you do that and make a translation on the wrong interface, then due to load balancing you can have a packet going out with the wrong IP address on the wrong interface, and you end up in the same situation as the first test.

    So, the only solution for me was to put the 2 subnets on 2 different interfaces in 2 different VLANs.

    I admit that this case is particular.

  • Hi lferrara,

    I'm in the same situation as Eddy, migrating from Stonesoft to an XG330, and I think that your answer is not correct.

    Consider having:
    An ISP router with 1 NIC and 2 IPs configured on this NIC, 1.1.1.1 and 2.2.2.1, same MAC; the subnets are 1.1.1.0/29 and 2.2.2.0/29.
    A firewall with 1 NIC and 2 IPs configured on this NIC, 1.1.1.2 and 2.2.2.2, same MAC, subnets as listed before.
    A switch with one port attached to the firewall NIC and one port attached to the ISP router NIC, both ports configured as access ports with VLAN 1 untagged.

    The firewall IP 1.1.1.2 can reach the ISP router IP 1.1.1.1, and 2.2.2.2 can reach the 2.2.2.1 IP, because it works at network Layer 2.

    Sorry, but this is not a network limitation, this is an XG limitation.

    So in your opinion is there a workaround on Sophos, in addition to using 2 different physical NICs or VLAN tags?

    Thanks in advance
    Alessandro

  • Alessandro,

    It will work because you have the same subnet for both IP addresses.

    1.1.1.0/29 and 2.2.2.0/29.

  • Of course, it will work because at IP level they are on the same subnet, but I wanted to point out that it is possible to use different IP addressing (not visible to each other) within the same VLAN, that switching for hosts on the same subnet works, and that there are no network restrictions.

    Best Regards