No internet connectivity if ISP router in DMZ

Been running into this issue with the XG series. Basically, the ISP router has the ability to go into advanced DMZ, giving the specified device the WAN address. On the SG series, this worked like a charm: the WAN link gets the public IP, internet works, and I can also still access the ISP router's admin page.

With the XGs, the firewall will get the public IP as expected, however that's where it stops. Internet doesn't come up, and I cannot access the ISP router's admin page. I'm guessing it may be a manual route I need to make, however I'm not sure where I'd need to do it. If I give the WAN port an alias on the DHCP scope from the ISP modem, I'm able to get to the admin page. Any ideas?



  • Hi Matt,

    Show us the configuration from Network | Interface | DMZ. Also, show us an inside picture of WAN Link Manager.

    Thanks

  • See attached pictures. Sorry for phone quality. I'm still thinking it is some sort of route issue, but not sure what it could be. The SG-series just worked in the same situations. My thought is that the XG doesn't realize there is a hop in between when it gets the public address.

  • Matt,

    The third leg of the router is connected to the XG WAN interface. What is the IP of that NIC on the router side?

    Router cannot have interface without IP address.

    Thanks

  • Sorry, may be my bad diagram skills. The connection is just two connections on the router, goes like

    Internet ---- Router --- XG Firewall

    So the internet goes into the Router "WAN" port, then from one of the LAN ports on the router it goes into the XG firewall. That little pop out on the router in the picture was just a description of the router's config. So the WAN is the public address, and the LAN port that the XG connects to has the local 1.254 address. Like I mentioned in previous post, if I have the same scenario/ISP router with an SG firewall this all will work right away without any extra configuration on the SG WAN interface. So either something changed in the XG series and this scenario just won't work anymore (I hope not) or there is an additional step that I need to manually do that I did not need to do on the SG series.

  • From the screenshot, you configured a WAN IP address on your XG WAN interface.

    Create a bridge on your XG using LAN and WAN interfaces and put a 192.168.1.x on that bridge.

    Create a firewall rule where you allow traffic from LAN to WAN and you should be ok.

    Thanks

  • I got a better fix today, still wish it would be more streamlined like the SG but this works better than my initial resolution.

     

    - Put Port 2 into the DMZ zone. Port 2 will get the public IP but no gateway

    - Under static routes, create a unicast route for gateway of last resort, 0.0.0.0 0.0.0.0 over port 2

    - All services work, admin/user portal work externally without issue