No internet connectivity if ISP router in DMZ

Been running into this issue with the XG series. Basically, the ISP router has the ability to go into advanced DMZ, giving the specified device the WAN address. On the SG series, this worked like a charm: the WAN link gets the public IP, internet works, and I can also still access the ISP router's admin page.


With the XG's, the firewall will get the public IP as expected, however that's where it stops. Internet doesn't come up, and I cannot access the ISP router's admin page. I'm guessing it may be a manual route I need to make, however I'm not sure where I'd need to do it. If I give the WAN port an alias on the DHCP scope from the ISP modem, I'm able to get to the admin page. Any ideas?



  • Matt,

    please provide us more info about your config. A network diagram will help us.

    Thanks

  • Above is the setup that always worked with the SG-series. ISP modem gets a dynamic public IP and has Advanced DMZ enabled with the WAN port MAC assigned. On the XG, it is receiving the Public WAN via DHCP, however it cannot access internet, ping gateway, etc. It also cannot access the ISP modem's admin page at 192.168.1.254. If I give the WAN port an alias IP in the ISP modem's LAN scope, I can then access the modem admin page, however internet still remains down.

    This is the workaround. ISP modem config remains the same, however I statically assign an IP in the ISP modem's LAN scope to the XG's WAN port and use the ISP modem's LAN IP as the default gateway. Immediately internet begins working, however I cannot access the admin portal, user portal, or SSL VPN externally unless I forward the needed ports from the ISP modem. I can access the ISP modem's admin page as well.

    Same scenario but with an SG firewall. The SG gets the public address via DHCP from the ISP modem. Can access the internet without issue, additionally the admin and user portal and SSL VPN work without needing to port forward. I can also still access 192.168.1.254 from inside the SG firewall's LAN.


    The only thing I can guess is that the SG-series transparently does something with routing tables that the XG doesn't.

  • Hi Matt,

    Show us the configuration from Network | Interface | DMZ. Also, show us an inside picture of WAN Link Manager.

    Thanks

  • See attached pictures. Sorry for phone quality. I'm still thinking it is some sort of route issue, but not sure what it could be. The SG-series just worked in the same situations. My thought is that the XG doesn't realize there is a hop in between when it gets the public address.

  • Matt,

    the third leg of the router is connected to XG WAN interface. What is the IP of that NIC on Router Side?

    Router cannot have interface without IP address.

    Thanks

  • Sorry, maybe my bad diagram skills. The connection is just two connections on the router, goes like


    Internet ---- Router --- XG Firewall


    So the internet goes into the Router "WAN" port, then from one of the LAN ports on the router it goes into the XG firewall. That little pop out on the router in the picture was just a description of the router's config. So the WAN is the public address, and the LAN port that the XG connects to has the local 1.254 address. Like I mentioned in the previous post, if I have the same scenario/ISP router with an SG firewall this all will work right away without any extra configuration on the SG WAN interface. So either something changed in the XG series and this scenario just won't work anymore (I hope not) or there is an additional step that I need to manually do that I did not need to do on the SG series.

  • From the screenshot, you configured a WAN IP address on your XG WAN interface.

    Create a bridge on your XG using LAN and WAN interfaces and put a 192.168.1.x on that bridge.

    Create a firewall rule where you allow traffic from LAN to WAN and you should be ok.

    Thanks

  • I got a better fix today, still wish it would be more streamlined like the SG but this works better than my initial resolution.


    - Put Port 2 into the DMZ zone. Port 2 will get the public IP but no gateway

    - Under static routes, create a unicast route for gateway of last resort, 0.0.0.0 0.0.0.0 over port 2

    - All services work, admin/user portal work externally without issue
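As an added illustration (not from the thread, and not Sophos code), the state Matt describes can be checked from a routing table dump: the WAN port holds a DHCP-assigned public address but no default route, and the fix is a 0.0.0.0/0 route over the port itself. The sample `ip -4 addr` / `ip -4 route` lines, the interface name `port2` and the 203.0.113.0/24 addresses are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample output in the format of `ip -4 addr show` and
# `ip -4 route show`; interface name and addresses are placeholders.
ADDR_WAN = "inet 203.0.113.10/24 brd 203.0.113.255 scope global dynamic port2"
ROUTES_NO_GW = "203.0.113.0/24 dev port2 proto kernel scope link src 203.0.113.10\n"
# The thread's fix: a gateway-of-last-resort route over the interface, no next hop.
ROUTES_FIXED = ROUTES_NO_GW + "default dev port2 scope link\n"
ROUTES_VIA = ROUTES_NO_GW + "default via 203.0.113.1 dev port2\n"
# A next hop that is not on the WAN subnet (e.g. the modem's private LAN side).
ROUTES_OFFLINK = ROUTES_NO_GW + "default via 192.168.1.254 dev port2\n"


def wan_address(addr_output, iface):
    """Return the interface's IPv4 address with prefix length, or None."""
    m = re.search(rf"inet (\S+) .*\b{re.escape(iface)}\b", addr_output)
    return ipaddress.ip_interface(m.group(1)) if m else None


def default_routes(route_output):
    """Yield (gateway or None, device) for every default route line."""
    for line in route_output.splitlines():
        m = re.match(r"default(?: via (\S+))? dev (\S+)", line)
        if m:
            yield m.group(1), m.group(2)


def diagnose(iface, addr_output, route_output):
    """Classify the WAN state as seen from the firewall's own routing table."""
    addr = wan_address(addr_output, iface)
    if addr is None:
        return "no-address"  # DHCP never delivered an address at all
    for gw, dev in default_routes(route_output):
        if dev != iface:
            continue
        if gw is None:
            return "ok-interface-route"  # 0.0.0.0/0 over the port, no next hop
        if ipaddress.ip_address(gw) in addr.network:
            return "ok-via-gateway"  # conventional default route with on-link hop
        return "gateway-off-link"  # next hop is not reachable on this subnet
    return "no-default-route"  # public IP present, but nothing can leave
```

Run `diagnose` against the real `ip` output of the WAN port to tell the "address but no gateway" symptom apart from a gateway that is simply off-subnet.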