
Internet with Single WAN to Multiple LAN Sophos XG

Hello Everybody.

First, excuse me for my English, I'm French.

So now, I need your help please because I'm lost.
I'm a new user of Sophos XG. I'm a student and I work in an enterprise.
The enterprise is equipped with an XG 115W appliance and a Netgear D6200 router.

Context:
As part of a project, I must create a second infrastructure isolated from the first.
For the moment, the enterprise is configured this way:
- a bridge between the LAN (of the enterprise) and the WAN, with IP 192.168.0.3
- WAN IP: 192.168.0.1
- 2 links are available on the appliance, so 1 link for my infrastructure.

So how can I proceed to isolate my infrastructure with this limitation?
My research has given one solution: use NAT.
But I'm stuck on the NAT configuration.
Please find attached the infrastructure. The red rectangle concerns my part.

Do you have an idea ?



  • I have a similar setup myself, but I use a software installation of XG; you can still do the same with your XG115. I have my XG in Gateway mode and not Bridge mode like you have yours in now. Is there any reason you can't use Gateway mode? If there isn't, I'd suggest switching to Gateway mode and then putting your router in modem mode. That way your XG does your addressing and routing. I think the only way to change this is to delete the bridge interface and just use the interfaces standalone (if someone knows how to change between Gateway and Bridge modes in V17, please update me). There used to be a wizard option in the top-left drop-down where the username is, which allowed you to use the setup wizard again to switch between Bridge and Gateway modes, but on my V17 it's not there anymore. I have a client with the same router as you and I know it has a modem mode; it's actually called bridge mode on that model, but it's the same thing. Here is the KB article: https://kb.netgear.com/000028987/When-to-put-modem-into-bridge-mode. In bridge mode you must use the LAN port it specifies to connect to the XG's WAN port; XG then does the dialling out via PPPoE / PPPoA. You will need to get these details from your ISP before proceeding; these are set in the network interfaces page on XG. Just change the WAN port to PPPoE / PPPoA as required and enter the details from your ISP. If you do this right, your WAN connection will connect.

    Then you can set up your LAN port on a different subnet to the production network. As was suggested in an earlier post, it would be an idea to create a new Zone for your network and then assign the LAN port to that Zone. This should help with isolation; however, if I were you I'd go one step further and set up your LAN port with a VLAN too. This is what I do for my own isolated network. You see, even with a separate Zone you have to either set it as a LAN zone or DMZ; I'd advise against DMZ as that's basically opening up your network to the WAN. Setting your zone as a LAN zone is what you want to use; however, this won't really isolate the 2 networks without the use of rules, because as far as I'm aware XG will forward all traffic between networks in LAN zones without using rules (this is what I think is how it works; if I'm wrong, please someone put me right on this). I've seen this in my own setup, which is why I ended up using a VLAN for my isolation network.

    Once you have the ports and Zones set up, you can then set up DHCP for each LAN port. Putting the router in modem mode means the 192.168.0.0 network will need to use XG as DHCP, so you will need to add a DHCP for that network on its port, but that's easy enough and won't cause any issues there unless they need reservations and DHCP options. Next, create a DHCP for your network on your LAN port; as long as you use a different subnet you will be separated logically. If you take my advice and use VLANs, make sure to set the DHCP for the VLAN subnet and not the port subnet.

    At this point your production LAN should work again. If you didn't use VLANs on your LAN, you should start getting addresses on your devices. The next stage is to create firewall rules for your network. This is straightforward; just make sure to select the network subnet and zone for your networks as sources, and also change the production LAN rules to use their zone and subnets too.

    If you did use VLANs, you will need to set up your devices to use this VLAN before the devices will connect.

    This is basically how I set up my XG with a normal LAN network and an isolated LAN network for myself.

    Hope this helps; get back to me if you have questions.

    JK

  • Hi JK.

    I answer your questions. So for the Gateway mode, up to now the company doesn't want to change this configuration for the moment.
    Yes, I had planned the subnet 192.168.2.0 for me. The company is on the subnets:
    - 192.168.0.0
    - 192.168.1.0

    I had created a new LAN zone called simply LAN2. The VLAN is not enough for me.
    I've created the firewall rules:
    - accept LAN2 to WAN
    - accept WAN to LAN2
    - reject LAN to LAN2
    - reject LAN2 to LAN
    But I think that the firewall rules already present block my rules.

    Normally the enterprise administrator should change the Sophos mode soon so that Sophos is configured in gateway mode and thus resolve all the problems. But if someone has a solution for the current configuration, that is to say:
    - a bridge between LAN and WAN mode: not changeable
    - 2 ports available
    - 2 different infrastructures
    I would like to know, for my knowledge of the Sophos firewall. Thanks

    Regards,
    PBJM
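    The "rules already present block my rules" suspicion above comes down to rule order: XG evaluates firewall rules top-down and applies the first match. The model below is an added illustration (not from this thread or from Sophos) that replays PBJM's four LAN2 rules under a constructed pre-existing production rule ("LAN to Any accept") placed above them, then again with the LAN2 rules moved to the top; zone names and subnets are the ones from the thread, the production rule and host addresses are assumed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    src_zone: str   # "any" matches every zone
    dst_zone: str
    src_net: str    # CIDR, or "any"
    dst_net: str
    action: str     # "accept" or "reject"


def _net_match(cidr: str, ip: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def first_match(rules, src_zone, dst_zone, src_ip, dst_ip):
    """Top-down, first-match evaluation; nothing matched means the implicit drop."""
    for r in rules:
        if (r.src_zone in ("any", src_zone) and r.dst_zone in ("any", dst_zone)
                and _net_match(r.src_net, src_ip) and _net_match(r.dst_net, dst_ip)):
            return r.name, r.action
    return "default", "drop"


# Constructed assumption: a broad production rule that already exists on the XG.
PRODUCTION = [Rule("LAN to Any", "LAN", "any", "any", "any", "accept")]

# PBJM's four rules from the thread, LAN2 being 192.168.2.0/24.
LAN2_RULES = [
    Rule("LAN2 to WAN", "LAN2", "WAN", "192.168.2.0/24", "any", "accept"),
    Rule("WAN to LAN2", "WAN", "LAN2", "any", "192.168.2.0/24", "accept"),
    Rule("LAN to LAN2", "LAN", "LAN2", "any", "192.168.2.0/24", "reject"),
    Rule("LAN2 to LAN", "LAN2", "LAN", "192.168.2.0/24", "any", "reject"),
]


def isolation_report(rules):
    """Which rule decides each cross-zone flow; host IPs are constructed samples."""
    return {
        "LAN->LAN2": first_match(rules, "LAN", "LAN2", "192.168.0.20", "192.168.2.10"),
        "LAN2->LAN": first_match(rules, "LAN2", "LAN", "192.168.2.10", "192.168.0.20"),
        "LAN2->WAN": first_match(rules, "LAN2", "WAN", "192.168.2.10", "203.0.113.1"),
    }


if __name__ == "__main__":
    print("LAN2 rules appended below production:", isolation_report(PRODUCTION + LAN2_RULES))
    print("LAN2 rules placed on top:            ", isolation_report(LAN2_RULES + PRODUCTION))
```

    With the new rules appended, the LAN-to-LAN2 flow is accepted by the broad production rule before the reject is ever reached; moving the LAN2 reject rules above it (or narrowing the production rule's destination) is what makes the isolation take effect.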

  • That's what you need to set up then.

  • Hi JK.

    First of all, thank you for your answers and your advice.
    I repeat myself, but I can't change the present bridge and I must create a LAN2 zone.
    The mixed mode would have worked if it was in gateway mode to add a bridge. But here the reverse is impossible.
    I will be able to continue soon, but for the moment I think that I'm blocked (with the change to gateway mode): the present bridge is blocking a new LAN zone (LAN2 different from LAN).

    Regards,
    PBJM

  • You should be able to use mixed mode. From what I read, the bridge stays as it is now, so that won't change. Then the LAN port for your network is left as a standalone interface, i.e. not in a bridge itself. Then obviously you will also need to set up DHCP on your LAN port only. Then also create a separate firewall rule for your own LAN port to the WAN and set up NATing for that rule only, using the default MASQ profile.

    As far as I can tell, this is how you use mixed mode; however, I am unable to find any documentation explaining mixed mode very well.

    It's worth trying. As I say, you won't need to alter the existing bridge pair at all, so the existing network won't be affected.

    I'm sure that as long as you set up your LAN port only, using the steps I explained previously, you should achieve a mixed mode configuration.

    If you get stuck, just update your thread and I'll try to reply ASAP.

    JK