Guest User!

You are not Sophos Staff.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 6 replies
  • Answers 1 answer
  • Subscribers 27 subscribers
  • Views 13639 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Allow ip range in one VLAN to use gateway in other VLAN

Yves Laenen

Hello

 

I just (partially) installed an XG105. Most things work correctly but I'm having trouble getting a policy routing rule to work.

 

This is the situation/problem

VLAN10 (10.10.0.0 / 255.255.0.0)
VLAN40 (10.40.0.0 / 255.255.225.224) range determined by larger VPN network (10.131.17.209(GW) - 10.131.17.221)

VLAN10 are normal clients
VLAN40 is VOIP telephony and needed for some applications


I would like to allow 2 clients in VLAN10 to be able, when using those application, to use GW 10.131.17.109. In the Zyxel I had a policy routing rule like this:

Incoming: VLAN10
source range: 10.10.199.1-10.10.199.5
destination: 10.131.16.3 (application server on the VPN network)
service: any
source port: any 
Next-hop: VLAN40
SNAT: outgoing interface

I tried to mimic this policy but I can't seem to get it to work. Here are my current settings:

Policy route:

  • inc interface: port1.10 10.10.100.254
  • source ntw: ip range 10.10.199.1-10.10.199.5 
  • Destination network: Olympus webserver ip 10.131.16.3
  • services: any
  • Gateway
    • IP 10.131.17.209
    • interface 1.40-10.131.17.210
    • default NAT policy: masq with ip 10.131.17.209

Firewall rules:

  • Source zone: LAN
  • Source ntw and devices: VLAN40_NETWORK / VLAN10_NETWORK
  • dest zone: LAN
  • Dest ntw: VLAN40_NETWORK / VLAN10_NETWORK
  • services: any
  • identity check: off

 

Any help would be greatly appreciated!

 

 

 



This thread was automatically locked due to age.
Parents
  • 0

    Can you print de packet filter information when you try a icmp packet for example ? 

    What informations shows up ?

  • 0 in reply to Kevin M.

    1) Ping to Gateway address connected to VLAN40

    Ethernet Header
    Source MAC Address:34:97:f6:9bxxxxx
    Destination MAC Address: 00:1a:8c:xxxxx
    Ethernet Type IPv4 (0x800)
     
    IPv4 Header
    Source IP Address:10.10.199.1
    Destination IP Address:10.131.17.209
    Protocol: ICMP
    Header:20 Bytes
    Type of Service: 0
    Total Length: 60 Bytes
    Identification:23659
    Fragment Offset:0
    Time to Live: 127
    Checksum: 61942
     
    ICMP Header:
    Type: 8
    Code: 0
    Echo ID: 1
    Echo Sequence: 103
    Gateway: 0
    Fragmentation MTU: 0
    Checksum: 19700

    2) Ping to server over VPN through GW 10.131.17.209 (since it can't reach the gateway obviously this won't work but getting a forbidden here which is weird.

  • 0 in reply to Yves Laenen

    I can ping from VLAN10 to VLAN40 sophos ip

    and from VLAN40 to VLAN10 sophos ip

     

    I can't reach other devices. I've read that I dont need additional routing rules for inter VLAN routing if they are on the same interface (which they are) only Firewall rules.
    I have those both on ports as on hosts like I've read in an article here.

    I'm clueless, this was so easy on the zyxel.

  • 0 in reply to Yves Laenen

    Hi Yves !

    For what i can see, there are violation instead forwarding in the packet, the print is cutted, but if the reason is Firewall there are an error in Firewall Policy.

    If you had created a policy route with Vlan40 as Gateway, the Vlan40 belongs to WAN zone, so you need to put WAN zone in destination on your policy rule

  • 0 in reply to Kevin M.

    Hey Kevin

     

    I'm not sure how to apply your answer. VLAN 40 is not a WAN interface so I can't select it.

     

    Best regards
    Yves

  • 0 in reply to Yves Laenen

    You said that tryed mimic policy route, so i think that vlan 40 must be in WAN Zone for could be choose as a GW.

    The policy that you wrote:

    Policy route:

    • inc interface: port1.10 10.10.100.254
    • source ntw: ip range 10.10.199.1-10.10.199.5 
    • Destination network: Olympus webserver ip 10.131.16.3
    • services: any
    • Gateway
      • IP 10.131.17.209
      • interface 1.40-10.131.17.210
      • default NAT policy: masq with ip 10.131.17.209

     

    Can you print the interfaces configuration of your firewall ?

Reply
  • 0 in reply to Yves Laenen

    You said that tryed mimic policy route, so i think that vlan 40 must be in WAN Zone for could be choose as a GW.

    The policy that you wrote:

    Policy route:

    • inc interface: port1.10 10.10.100.254
    • source ntw: ip range 10.10.199.1-10.10.199.5 
    • Destination network: Olympus webserver ip 10.131.16.3
    • services: any
    • Gateway
      • IP 10.131.17.209
      • interface 1.40-10.131.17.210
      • default NAT policy: masq with ip 10.131.17.209

     

    Can you print the interfaces configuration of your firewall ?

Children
No Data