Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 2 replies
  • Subscribers 3 subscribers
  • Views 1537 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos UTM External BGP and DMZ Network with public ips

itger19

Hi there,

I need to do the following with three prerequisites:

  • 2 Sophos in HA (currently Active-Passive, but in the next weeks I go clustering)
  • BGP Session with own public ASN and peering with two upstream carriers, I will get three transfer networks for routing with their routers
  • Announcement of a /23 and a /24 subnet as well as several IPv6 Subnet

I want to achieve to have several interfaces on the UTM with private internal subnets with masquerading AND to have several interfaces on the UTM where I can use my public IPs, e.g. DMZ using with VMware NSX Edge Gateways, etc.

On the "DMZ" interfaces I do not want to use Web Protection Firewalls, etc. 

I hopefully get my BGP sessions this week and wonder how to achieve the scenario.

My idea:

Setup two interfaces using the transfer networks in order to announce the external subnets.

Creating one external interface, e.g. a /29 subnet of my /24 to use as external interface as uplink for my internal masquerading interface.

But how to setup the DMZ network? I read something in the community to create a second interface with one of my public ips as interface address. But I want something like interface static routing in order to use the whole subnet on some ports.

Thank you and regards!

itger19



This thread was automatically locked due to age.
  • 0

    Update:

    BGP is working and I created a local network with the /24 public subnet without default gateway.

    So connected devices on that interface get an IP from the public subnet. Creating firewalls rules they also can access the internet. 

    But! I also need an internal interface with masquerading to use S2S VPN, etc. 

    I think that's a routing issue. The "problem" or challenge is that there is no default gateway I can define. 

    Are there any ideas?

  • 0 in reply to itger19

    Hallo and welcome to the UTM Community!

    It's difficult to follow your explanation of what you need without a diagram.

    Did you know that changing your licensing to Cluster means the time remaining until expiration will be cut in half?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?