
Problem with multiple LAN interfaces

Greetings,

I am trying some configurations on a Sophos XG firewall, but I have not understood some cases.

First, I configured it like the following diagram, and it worked well:

In this diagram, I added 1 more LAN interface on port B, in the same subnet as the interface on port A, but the firewall was still working normally at that time. I do not understand why it did not loop.

Second, I configured it like the following diagram, with different VLANs, and it still worked normally:

But when I tried the following diagram, like diagram 2 but without connecting the cable from the switch to the firewall, the subnet of VLAN 192.168.2.0 was looped and could not connect to the internet, while the other VLANs still worked normally.

Please explain to me what happened with each diagram above.

Thank you very much.

  • Thanks Toan for your test.

    Which are the ports declared as WAN members?

    Thanks

  • Hi Toan,

    For the first diagram, you may need to check if the communication is ongoing with each interface or with only one interface.

    First, we do not recommend configuring the same network on 2 or more interfaces for any L3 device. The ARP entry of your switch will register with one interface; it will not have multiple interfaces. So it will operate as load balancing; if you have two interfaces connected to the same switch, then the ARP entry would be random and would choose whichever is first in your network. The same ARP entry would not point to both interfaces. For this, you may need a static route or a static ARP entry to point to the interface you wish to communicate with.

    The second diagram is logical, as the interface addresses of the switch are in the 2.0 and 1.0 networks, so the ARP cache will have two entries, one each for port B and port A respectively. So they would work individually and operate as per your expectation.

    The 3rd diagram is regarding the issue you faced while the cable is disconnected from port B; this is basically a kernel route added because it is a directly connected interface. Route priority is 0, which is the highest. If the 2.0 network is on port B and it is disconnected, the traffic will not be routed to port A.

    Suggestion: You may use an alias or VLAN on a single interface, and if you wish to use 2 LAN connections to increase the bandwidth, then you may configure LAG on both ends.

    Hope this would clear your doubt.


  • Hi lferrara,

    In the above diagram, I named ports A & B as ports in the LAN zone, and the ports declared as WAN members belong to the WAN zone.

    Thanks

  • Hi Aditya Patel,

    First, thanks for your answer; it helps me a lot.

    For the first diagram, I used a static route to point traffic to each interface, but the communication is ongoing with only one interface (still on port A).

    But in this case, I do not understand why we can assign the same subnet IP to 2 or more interfaces on the Sophos firewall, as far as I know that on some other devices (router, L3 switch) it will be overlapped. So if it is possible on the Sophos firewall, I want to know when we would use this case?

    Thank you

  • Hi Toan, 

    The administrative distance for a static route is 1 and for a connected interface it is 0. The kernel route will have higher priority than static or dynamic routes. As for the configurable part, you may configure both interfaces with the same network, but we do not conduct an address check unless the gateway is in a different subnet, which is applicable for WAN. As for LAN, DMZ, and Custom, such checks are not needed.

    The administrative distance on XG at the moment is not functional when you add a different static route with a different priority value and should be fixed in later versions; also, you may use a Policy Route for the failover condition and create your switch interface as a gateway. But the principle of an L3 device would remain the same unless there are such checks that would prevent you from doing such settings.
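To make the route-preference argument in the two replies above concrete (connected/kernel route at distance 0 beats a static route at distance 1, first-installed wins a tie), here is an added Python model that is not part of the thread and not Sophos code. It assumes port names PortA/PortB and constructed host addresses, and it models the reply's statement that the connected route for an unplugged port stays installed; it does not verify actual XG behaviour.

```python
import ipaddress
from dataclasses import dataclass

# Administrative distances quoted in the thread: connected (kernel) 0, static 1.
DISTANCE = {"connected": 0, "static": 1}

@dataclass(frozen=True)
class Route:
    prefix: str      # destination network, e.g. "192.168.2.0/24"
    interface: str   # egress port (assumed names PortA / PortB)
    kind: str        # "connected" or "static"

def select_route(dest, routes):
    """Return the egress interface for dest: longest prefix match first, then
    lowest administrative distance, then the order the routes were installed
    (the 'whichever is first' tie-break the reply describes for diagram 1)."""
    ip = ipaddress.ip_address(dest)
    candidates = [(i, r) for i, r in enumerate(routes)
                  if ip in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    def rank(item):
        i, r = item
        return (-ipaddress.ip_network(r.prefix).prefixlen, DISTANCE[r.kind], i)
    return min(candidates, key=rank)[1].interface

def diagram1():
    # Same subnet on both ports, plus the static route Toan added toward PortB.
    # Two connected routes tie at distance 0, so the first installed (PortA) wins
    # and the static route at distance 1 never takes effect.
    routes = [Route("192.168.1.0/24", "PortA", "connected"),
              Route("192.168.1.0/24", "PortB", "connected"),
              Route("192.168.1.0/24", "PortB", "static")]
    return select_route("192.168.1.50", routes)   # constructed host address

def diagram2():
    # Distinct subnets on distinct ports: each destination has one clear route.
    routes = [Route("192.168.1.0/24", "PortA", "connected"),
              Route("192.168.2.0/24", "PortB", "connected")]
    return select_route("192.168.1.50", routes), select_route("192.168.2.50", routes)

def diagram3():
    # PortB is unplugged, but (as the reply states) its kernel route stays at
    # distance 0, so a static route via PortA loses and 2.0 traffic is black-holed.
    routes = [Route("192.168.2.0/24", "PortB", "connected"),
              Route("192.168.2.0/24", "PortA", "static")]
    return select_route("192.168.2.50", routes)
```

The third case is the failure mode to watch for: a connected route on a dead port still wins, so the fix is a single interface with VLANs/aliases (or a LAG), not a static route pointing elsewhere.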