
How to setup WAN on the same subnet of LAN

Hi everyone,

I've started to learn how to use and implement the Sophos XG firewall. Until some months ago my network was quite simple: 2 offices connected via MPLS links. Now I have to implement some changes and I'm asking you for some help.

The first step is that we have added a new small branch office, and in the main one we have a new FTTH link (not part of the MPLS). To keep it simple, the new office has been equipped with an MPLS link but without an internet exit (so only traffic to intranet resources and other offices' shares).

To manage the new FTTH and the existing MPLS line I'm trying to use an XG firewall. The first "problem" is about the LAN IP range: the MPLS IPs of the main office are on the 10.7.68.0/24 subnet, and the clients obtain IPs from 10.7.68.100 to 10.7.68.199. There is a virtual IP, 10.7.68.1, that masks the IP of the main MPLS line (10.7.68.253) and the backup line (10.7.68.254). So I will have the XG box with LAN IP 10.7.68.2 and WAN2 as 10.7.68.1 (WAN1 is a static IP from the FTTH ISP). How can I handle LAN and WAN being on the same subnet? Is it possible?

The second problem is how to give internet to the secondary branch office. The idea is to implement a VPN tunnel from a Zywall to the Sophos XG and some policy rules to manage traffic from and to the branch office subnet (10.11.100.0/24). Linked to this problem, I know there is another one: the presence of two different routers in the same subnet and the "flow" of the data packets (if I'm not wrong it should be called a "triangle route").

I hope I have explained in sufficient detail what I intend to achieve. I attach a diagram of this network. Every suggestion will be appreciated!!


Thanks

Fabio



  • Fabio,

    if you need the same IP address on both LAN and WAN, you need to configure your XG in bridge mode. The problem is which IP the LAN users will use as default gateway.

    For the other question, can you be more specific?

    Thanks

  • Hi Luk, thank you for the reply!

    Bridge mode is something I have never used, but I'll study it. Is it all OK to set it in bridge mode with 2 WANs? The clients on the LAN will get the Sophos XG as default gateway. On the XG appliance I think I'll set both WAN links as active, but the non-MPLS FTTH will be the main one, and I'll set up some policy rules on the MPLS one to redirect traffic to specific sites over that route.

    For the second question the point is: how should I configure the Sophos to give internet to the 2nd branch office? Is VPN + policy rules the best way? Or don't I need a VPN, just some specific rules in policies? I hope I have explained it better now, let me know if I haven't!


    Thank you,
    Fabio

  • Fabio,

    for the first question, you cannot use the XG as default gateway if it is configured as a bridge. The XG will act as a transparent bridge (layer 2, not layer 3). So the best thing you can do is to configure the XG in gateway mode and ask your ISP to change the 2 internal LAN router IPs to something else that is not used in your network.

    For the second question, configure a S2S VPN and create VPN-to-Internet firewall rules on the XG. On the Zywall, make sure to route all internet traffic into the S2S tunnel.

    Regards

  • mmmmmm, OK, but the pure "bridge mode" is too limited for my needs (I cannot have dual WAN or S2S VPN). What about mixed mode? Could that be the right way? Otherwise I could consider totally changing the internal IPs of my LAN so they don't collide with the MPLS (but I really don't know if there are some issues with the servers...).

    For the second point it's all clear and I will try it this evening or tomorrow!


    Thanks!
    Fabio

  • Fabio,

    go for a true routing mode, so LAN, WAN1 and WAN2. Change the IP addresses.

    Regards
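As an added illustration of why the thread ends where it does (it is not code from the thread or from Sophos), the following Python script models a firewall's routing table with the standard `ipaddress` module and runs the two designs through it: the first proposal, with WAN2 living in the same 10.7.68.0/24 as the LAN and using the MPLS virtual IP 10.7.68.1 as its gateway, and the final advice, true routing mode with the MPLS routers renumbered onto a subnet that is not used anywhere else. The WAN1 addresses (203.0.113.0/30), the WAN2 interface address, the renumbered transit subnet 10.7.69.0/30 and the "intranet via MPLS" policy route for 10.0.0.0/8 are assumptions chosen for the example; only the LAN addresses, the VIP and the branch subnet 10.11.100.0/24 come from the thread.

```python
# Added example, not from the Sophos thread: a minimal longest-prefix-match
# routing table to show why a WAN gateway inside the LAN subnet cannot work
# and how the renumbered design resolves every destination unambiguously.
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: Net
    iface: str
    gateway: Optional[IPv4] = None  # None means directly connected


def build_table(interfaces, default, policy_routes=()):
    """interfaces: {name: 'a.b.c.d/len'} as configured on the firewall.
    default: (iface, gateway) for the default route.
    policy_routes: (prefix, iface, gateway) static/policy routes.
    Connected routes are installed first, in interface order, the way a
    routing daemon does when the interfaces come up."""
    table = []
    for name, cidr in interfaces.items():
        table.append(Route(ipaddress.ip_interface(cidr).network, name))
    for prefix, iface, gw in policy_routes:
        table.append(Route(Net(prefix), iface, IPv4(gw)))
    iface, gw = default
    table.append(Route(Net("0.0.0.0/0"), iface, IPv4(gw)))
    return table


def lookup(table, dst):
    """Longest-prefix match; on equal length the first installed route wins."""
    dst = IPv4(dst)
    best = None
    for r in table:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def next_hop(table, dst):
    """(interface, gateway or None) the firewall would use for dst."""
    r = lookup(table, dst)
    return (r.iface, r.gateway) if r else None


def egress(table, dst):
    """Interface the packet really leaves on: a route's gateway is itself
    resolved through the table (recursive lookup), as a router does."""
    r = lookup(table, dst)
    if r is None:
        return None
    if r.gateway is None:
        return r.iface
    gw_route = lookup(table, r.gateway)
    return gw_route.iface if gw_route else None


def misdirected_routes(table):
    """Routes whose gateway is reached on a different interface than the one
    the route names: the symptom of the overlapping-subnet design."""
    return [r for r in table if r.gateway is not None
            and lookup(table, r.gateway).iface != r.iface]


def overlapping_interfaces(interfaces):
    """Pairs of interfaces whose connected subnets overlap."""
    nets = {n: ipaddress.ip_interface(c).network for n, c in interfaces.items()}
    names = list(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


# Design 1, the first proposal: LAN and WAN2 both in 10.7.68.0/24, MPLS VIP
# 10.7.68.1 as WAN2 gateway.  WAN1 and the WAN2 address are assumed values.
ORIGINAL_IFACES = {"LAN": "10.7.68.2/24", "WAN1": "203.0.113.2/30", "WAN2": "10.7.68.3/24"}
ORIGINAL_TABLE = build_table(
    ORIGINAL_IFACES,
    default=("WAN1", "203.0.113.1"),
    policy_routes=[("10.0.0.0/8", "WAN2", "10.7.68.1")],  # intranet via MPLS (assumed)
)

# Design 2, the final advice: true routing mode, MPLS routers moved to an
# unused transit subnet (10.7.69.0/30 is an assumption for the example).
RENUMBERED_IFACES = {"LAN": "10.7.68.2/24", "WAN1": "203.0.113.2/30", "WAN2": "10.7.69.2/30"}
RENUMBERED_TABLE = build_table(
    RENUMBERED_IFACES,
    default=("WAN1", "203.0.113.1"),
    policy_routes=[("10.0.0.0/8", "WAN2", "10.7.69.1")],
)

if __name__ == "__main__":
    print("overlaps, original:", overlapping_interfaces(ORIGINAL_IFACES))
    print("MPLS VIP 10.7.68.1 is reached via:", next_hop(ORIGINAL_TABLE, "10.7.68.1"))
    print("misdirected routes, original:", misdirected_routes(ORIGINAL_TABLE))
    print("overlaps, renumbered:", overlapping_interfaces(RENUMBERED_IFACES))
    for dst in ("10.7.68.150", "10.7.69.1", "10.11.100.10", "8.8.8.8"):
        print(dst, "->", next_hop(RENUMBERED_TABLE, dst), "egress", egress(RENUMBERED_TABLE, dst))
```

In the first design the connected route for LAN and the one for WAN2 are the same /24, so the VIP 10.7.68.1 is resolved onto the LAN port and the "intranet via MPLS" route is misdirected; a real router either refuses to install the second connected route or silently does what this model does. In the renumbered design the /24 still beats the /8 for LAN clients (longest prefix), 10.7.69.1 is directly connected on WAN2, and branch traffic for 10.11.100.0/24 leaves on WAN2 toward the MPLS routers while everything else takes the FTTH default route.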