Routed Subnet

Hi all. I know there are a number of posts related to this but I'm still not 100% on what's going to work for us and I'm a bit nooby when it comes to this specifically.

I need to know how to replicate this specifically in the XG:

Our WAN net is a single IP on a /30.

Additionally we have a /27 subnet of which only one host address is used to provide DMZ-like access to a particular segment of the business. (Their network is not transparent to me; I guess they have their own firewall on prem.)

I'm migrating from a DLink DFL1660. It has the /30 address set up on a physical port for the WAN to the NTU of course.

The /27 range is set up on a VLAN which has the base interface as our internal LAN port. There's no static routing set up; the only other relevant configuration I can see on the DFL is the addition of a published ARP neighbour discovery record for the single IP in use in that range pointing at the WAN interface.

Is it sufficient to configure a VLAN on the LAN interface as above? Do I need to add an entry in Neighbours? (I read in some post that it was unnecessary.)

Thanks for any help, this isn't something I've had experience with and it's kind of critical for it to work on day 1.

Cheers.

  • Van,

    I am missing something about your config. The /27 subnet has the same IP as the WAN interface?

    Please put some IP example.

    ARP proxy can be configured as described here:

    https://community.sophos.com/kb/en-us/123525

    Thanks

  • Van,

    Thanks for the diagram and info. So, it seems you have 2 firewalls. Is the one on the left the one you have to swap with the XG?

    You can simply configure a VLAN on your Internal Interface. Keep in mind that at the moment, on a physical interface, there is no way to change the native VLAN ID, so when you create the Interface the VLAN ID will be 1; then create a VLAN interface on top of it. Make sure then to create the needed firewall rules.

    Regards

  • Hi lferrara, thanks.

    My diagram needed some more labels. The left one belongs to my company; it's being replaced with an XG. The right one belongs to someone else; we provide them the DMZ net. I have no access to it.

    VLANs won't be an issue. I'll mirror the setup we have now. I can't get my head around how the firewall can route the traffic for the second subnet without any other setup.

    Side question on the ARP neighbour setup: the GUI forces you to enter a MAC; on the current setup there is a dummy MAC address (00:00:00:00:00:00). If I wanted to publish an x.y.z.224/27 address, do I use the MAC of the XG WAN port?

    Thanks for all of your advice.

  • Van,

    If you do not have access to the other Firewall, create a static route from the Routing menu where the remote network is x.x.x.x, using an interface or next hop.

    Regards
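  • The thread's core question ("how can the firewall route the second subnet without any other setup?") comes down to longest-prefix-match forwarding plus who answers ARP on the WAN link. The following model is an added example, not code from this thread or from Sophos; it uses RFC 5737 documentation addresses in place of the poster's real ones (WAN 203.0.113.0/30 with the firewall on .2 and the ISP on .1, routed block 198.51.100.224/27) and assumes the usual "routed subnet" arrangement in which the ISP's route for the /27 points at the customer's /30 address. It shows why putting the /27 on the VLAN interface is enough for forwarding, what happens if the /27 is configured nowhere (the packet matches only the default route and goes straight back to the ISP), and when a proxy-ARP/neighbour entry would actually be needed.

```python
"""Forwarding and ARP model for a routed secondary subnet (added example).

Constructed addresses (RFC 5737), not the poster's:
  WAN /30            203.0.113.0/30   firewall 203.0.113.2, ISP router 203.0.113.1
  routed DMZ /27     198.51.100.224/27 placed on VLAN interface PortA.10
  internal LAN       192.0.2.0/24     on PortA
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

WAN_IP = "203.0.113.2"
ISP_IP = "203.0.113.1"


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    next_hop: Optional[str] = None  # None means directly connected


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def forward(table: List[Route], dst: str) -> Optional[Tuple[str, str]]:
    """(egress interface, IP the firewall must reach on that interface)."""
    r = lookup(table, dst)
    if r is None:
        return None
    # Connected route: deliver to dst itself; otherwise hand to the next hop.
    return (r.interface, r.next_hop or dst)


def xg_table(dmz_on_vlan: bool) -> List[Route]:
    """Firewall table; dmz_on_vlan=True models the /27 configured on the VLAN."""
    table = [
        Route(ipaddress.ip_network("203.0.113.0/30"), "PortB(WAN)"),
        Route(ipaddress.ip_network("192.0.2.0/24"), "PortA(LAN)"),
        Route(ipaddress.ip_network("0.0.0.0/0"), "PortB(WAN)", ISP_IP),
    ]
    if dmz_on_vlan:
        table.append(Route(ipaddress.ip_network("198.51.100.224/27"), "PortA.10(VLAN)"))
    return table


# Two possible ISP-side behaviours (assumptions, not from the thread):
# routed: ISP sends the /27 via the customer's /30 address (the usual case).
ISP_ROUTED = [
    Route(ipaddress.ip_network("203.0.113.0/30"), "cust-link"),
    Route(ipaddress.ip_network("198.51.100.224/27"), "cust-link", WAN_IP),
]
# on-link: ISP believes the /27 sits directly on the WAN segment, so it ARPs
# for each /27 host; only then does the firewall need to answer on their behalf.
ISP_ONLINK = [
    Route(ipaddress.ip_network("203.0.113.0/30"), "cust-link"),
    Route(ipaddress.ip_network("198.51.100.224/27"), "cust-link"),
]


def isp_arp_target(isp_table: List[Route], dst: str) -> str:
    """IP address the ISP router ARPs for on the customer link to reach dst."""
    _, reach = forward(isp_table, dst)
    return reach


def firewall_answers_arp(target: str, proxy_entries=frozenset()) -> bool:
    """The firewall replies for its own WAN address or a published proxy entry."""
    return target == WAN_IP or target in proxy_entries


def needs_proxy_arp(isp_table: List[Route], dmz_host: str) -> bool:
    """True only if the ISP would ARP for the DMZ host itself on the WAN link."""
    return not firewall_answers_arp(isp_arp_target(isp_table, dmz_host))


if __name__ == "__main__":
    host = "198.51.100.226"
    print("with /27 on VLAN:", forward(xg_table(True), host))
    print("without /27 anywhere:", forward(xg_table(False), host))
    print("proxy ARP needed (routed ISP):", needs_proxy_arp(ISP_ROUTED, host))
    print("proxy ARP needed (on-link ISP):", needs_proxy_arp(ISP_ONLINK, host))
```

    The second forward() call is the case to watch for during the migration: if the /27 is not configured on any interface, inbound packets for the DMZ host match only the default route and are sent back out the WAN to the ISP. When the ISP routes the block via the /30, the firewall is only ever ARPed for its own WAN address, which is why the Neighbours entry is not required in that arrangement; it matters only if the upstream treats the /27 as on-link.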
