Multiple subnets on a single WAN interface and outgoing NAT

I have 2 public subnets on a WAN interface, say 1.1.1.0/29 and 2.2.2.0/29.

I configured the first one as the primary address 1.1.1.2/29 and gateway 1.1.1.1.

I configured an alias on the port with address 2.2.2.2/29.

In a firewall rule, LAN to WAN, I want to use the 2.2.2.2 address. The problem is that I actually only have one WAN gateway for the port. In the firewall rule UI, if I try to configure a new 'Gateway Host' to set the primary gateway as '2.2.2.1', I get the following error: "Interface IP and gateway IP address must be in the same network".

The problem is that in the port list I only have the port with the '1.1.1.2' address; I cannot select the alias port (Portname:0).

Is there a workaround?

  • Eddy,

    An alias is a way to add an additional IP (on the same subnet) on a physical interface. You cannot add multiple different IPs on the same physical interface unless you use VLANs with different VLAN IDs.

    This is a network limitation and not an XG one.

  • Hi lferrara,

    I'm in the same situation as Eddy, migrating from Stonesoft to XG330, and I think that your answer is not correct.

    Consider having:
    An ISP router with 1 NIC and 2 IPs configured on this NIC, 1.1.1.1 and 2.2.2.1, same MAC; the subnets are 1.1.1.0/29 and 2.2.2.0/29.
    A firewall with 1 NIC and 2 IPs configured on this NIC, 1.1.1.2 and 2.2.2.2, same MAC, the subnets listed before.
    A switch with one port attached to the firewall NIC and one port attached to the ISP router NIC, both ports configured as access ports with VLAN 1 untagged.

    The firewall IP 1.1.1.2 can reach the ISP router IP 1.1.1.1, and 2.2.2.2 can reach the 2.2.2.1 IP, because it works at network Layer 2.

    Sorry, but this is not a network limitation; this is an XG limitation.

    So, in your opinion, is there a workaround on Sophos other than using 2 different physical NICs or VLAN tags?

    Thanks in advance
    Alessandro
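The topology Alessandro describes, and the "same network" check Eddy ran into, can be modelled in a few lines. The following is an added example and is not part of the original thread or of Sophos XG; the addresses are the constructed ones used in the thread, the `WAN_VLAN` constant is an assumption, and `check_gateway_primary_only` is an assumed model of the UI check (comparing the gateway only with the interface's primary address), not Sophos' actual validation code. It contrasts that check with one that considers every address on the interface, and shows why two subnets on one untagged VLAN coexist without seeing each other.

```python
from ipaddress import ip_address, ip_interface

# Constructed topology from the thread (not real addresses): one firewall WAN NIC with a
# primary address plus an alias, one ISP router NIC carrying a gateway for each /29,
# and both NICs on the same switch in untagged VLAN 1 (assumed constant).
WAN_ADDRESSES = ["1.1.1.2/29", "2.2.2.2/29"]   # index 0 is the primary address, the rest are aliases
ISP_GATEWAYS = ["1.1.1.1", "2.2.2.1"]
WAN_VLAN = 1

SAME_NETWORK_ERROR = "Interface IP and gateway IP address must be in the same network"


def check_gateway_primary_only(addresses, gateway):
    """Assumed model of the UI check the poster hit: the gateway host is compared only
    with the interface's primary address, so a gateway in the alias subnet is rejected."""
    primary = ip_interface(addresses[0])
    if ip_address(gateway) not in primary.network:
        raise ValueError(SAME_NETWORK_ERROR)
    return str(primary.ip)


def check_gateway_any_address(addresses, gateway):
    """The same check generalised to every address on the interface: return the on-link
    source address whose subnet contains the gateway, or raise the same error."""
    gw = ip_address(gateway)
    for cidr in addresses:
        iface = ip_interface(cidr)
        if gw in iface.network:
            return str(iface.ip)
    raise ValueError(SAME_NETWORK_ERROR)


def directly_reachable(local_cidr, local_vlan, remote_cidr, remote_vlan):
    """Alessandro's layer-2 argument: two addresses talk without a router only when they
    share a broadcast domain (same VLAN) and the local host sees the remote as on-link
    (same subnet). Different subnets on one VLAN coexist but do not see each other."""
    local, remote = ip_interface(local_cidr), ip_interface(remote_cidr)
    return local_vlan == remote_vlan and remote.ip in local.network


def egress_plan(addresses, gateways, snat_source):
    """For an outbound rule that SNATs to `snat_source`, pick the gateway that is on-link
    for that source's subnet. Returns (source, next_hop). Traffic leaving from the alias
    must use the alias-subnet gateway, which is exactly what the poster could not select."""
    src = ip_address(snat_source)
    for cidr in addresses:
        iface = ip_interface(cidr)
        if src == iface.ip:
            for gw in gateways:
                if ip_address(gw) in iface.network:
                    return str(iface.ip), gw
            raise ValueError(f"no configured gateway is on-link for {cidr}")
    raise ValueError(f"{snat_source} is not an address on this interface")


if __name__ == "__main__":
    for gw in ISP_GATEWAYS:
        try:
            print(f"primary-only check, gateway {gw}: ok via {check_gateway_primary_only(WAN_ADDRESSES, gw)}")
        except ValueError as err:
            print(f"primary-only check, gateway {gw}: {err}")
        print(f"any-address check, gateway {gw}: ok via {check_gateway_any_address(WAN_ADDRESSES, gw)}")
    print(directly_reachable("2.2.2.2/29", WAN_VLAN, "2.2.2.1/29", WAN_VLAN))   # True
    print(directly_reachable("1.1.1.2/29", WAN_VLAN, "2.2.2.1/29", WAN_VLAN))   # False
    print(egress_plan(WAN_ADDRESSES, ISP_GATEWAYS, "2.2.2.2"))                   # ('2.2.2.2', '2.2.2.1')
```

Running it reproduces the thread's error for gateway 2.2.2.1 under the primary-only check, while the any-address check accepts it via the alias 2.2.2.2; the two `directly_reachable` calls show that 2.2.2.2 and 2.2.2.1 are on-link neighbours on VLAN 1 whereas 1.1.1.2 and 2.2.2.1 are not, even though they share the VLAN.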

  • Alessandro,

    It will work because you have the same subnet for both IP addresses.

    1.1.1.0/29 and 2.2.2.0/29.

  • Of course, it will work because at the IP level they are on the same subnet, but I wanted to specify that it is possible to use different IP addressing (not visible to each other) within the same VLAN, that switching for hosts on the same subnet works, and that there are no network restrictions.

    Best Regards