Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 3 replies
  • Subscribers 27 subscribers
  • Views 6029 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Solution Proposal: Multiple public IPs without a dedicated subnet

Christian Baum

Dear experts,

I just got my Sophos XG Home license and installed it on a dedicated box.
I would appreciate some advice, how to set it up correctly in my enviroment.

My situation is as follow:

  • Cable connection with 5 public, static IPs
    (Actually its a /29 subnet, but one of the addresses is used as the ISPs gateway address)
  • I have a LAN with clients and some servers, that should only be accessible from inside my network
  • some servers shall be assigned dedicated public static IPs so they can be reached from the internet (let's call it DMZ)
  • all servers are running on a VMWare ESXi which is located in my LAN
  • I'm using a manageable layer 2 switch (HP 1810 atm, ubiquiti US-24-250W in near future)
  • i would like to use VLANs to separate the LAN from the DMZ traffic and prevent uncontrolled access from one segment to the other
  • Later on I would like to be able to access my internal network via VPN (preferable using L2TP)
  • I would like to setup rules for traffic between all segments (LAN, "DMZ" and WAN/Internet)

As I don't have access to the whole subnet (ISPs gateway in "my" subnet), a correct routing is not possible, right?

So my idea was to setup a bridge between WAN and DMZ and assign the subnet to it. The DMZ interface is a VLAN interface and it doesn't seem to be possible to add this to the WAN-DMZ-bridge in Sophos XG.
Second idea: I define one Port on the Sophos XG machine as the DMZ-Port and force-tag all traffic on the "DMZ switch port".

Are there any smarter / better / more secure ways to achieve my requirements?
What are your suggestions to implement the scenario described above?

Thanks a lot in advance.

Regards

 Chris



This thread was automatically locked due to age.
Parents Reply Children
  • 0 in reply to Christian Baum

    Hi,

    you ask a lot of questions.

    Why don't you try them out and use the results as a learning process for your new security system.

    The current versions of XG (Mr-8 and V17) do not support VLANs and bridging.

    Ian

  • +1 in reply to rfcat_vk

    Hey,

    I did as suggested and played around a little.

    The solution with bridging WAN- and DMZ-Interface is a little rough to realize, so ended up with the following solution:

    1. The WAN interface is setup as a "normal", static-ip interface using the first of my five public ip adresses
    2. The other public adresses I added as aliases to the wan-interface
    3. For the DMZ I created a vlan-interface using a dedicated subnet
    4. On my ESXi I created a network which tags the outgoing traffic with the same vlan id as the vlan-interface in sophos
    5. I configuered all relevant ports on switches to allow packages with the correspodning vlan id
    6. The LAN-interface is setup as a LAG so communication between LAN and DMZ won't face any bandwith bottlenecks. (Both interfaces are on the same physical interface.)
    7. To assign the public "alias IPs" to dedicated DMZ-hosts I created business rules which forward all traffic to the corresponding hosts. (Own NAT-rule and reflexive)

     

    All in all the solution works quite good.

    I still do have some problems with one of the gameservers in the DMZ and also L2TP with radius auth against AD is not working yet. But more or less everything else is working quite good so far.


    Cheers
     Chris