Sophos UTM additional VDSL connection.

Question

Hi, 
 I have a Sophos UTM running in hyper-v with 5 physical interfaces. 
 I would like to add an additional interface to allow only L2TP IPSec connections using an additional line. 
 (I have the VPN configured and working correctly on a different interface so hoped it would be easy to migrate to the other faster line) 
 
 The additional line: - I have a 80/20 VDSL line connecting using an Archer VR2800 - this has wifi and 4 lan ports. I plan to add this connection to the UTM? 
 
 The Archer VR2800 is operating as a modem/router and has an external fixed ip "A.A.A.A" and the lan ports have a local subnet 192.168.4.0 via its own DHCP. (All fairly standard.) 
 I have patched the UTM to one of the lan ports of the Archer... 
 
 I have created an interface on the UTM - giving it the external IP address I would like it to use. I suspect the DHCP on the Archer router is stopping this from working? 
 The Archer does not appear to have a WAN port? I cannot see any bridged mode options on the Archer? can I add some kind of NAT rule in the UTM to allow traffic to pass over the line for VPNs? 
 
 Do I need to configure the UTM interface to use a local IP address (192.168.4.xx) and some kind of routing rule to allow the external IP address to resolve? 
 I Hope this makes sense! Any advice or guides towards the correct method of connection would be greatly appreciated. 
 
 Many thanks, 
 Tony

apijnappels · Answer

Hi Tony, 
 No you cannot edit the IP in UTM to the "desired" address if your router in front is doing NAT (and not bridging). What you need to do is give the UTM an address in the 192.168.4.xx range (preferably a fixed IP in this range) and configure the Archer to forward either all traffic or at least the traffic needed for the VPN to work to the 192.168.4.xx UTM address. 
 In the UTM this interface should be configured as a "IPv4 Default GW" and of course it needs to point to the Archer as the gateway for this network. 
 Next depending on how your clients connect to the VPN now (by an IP-address or maybe a FQDN like vpn.mydomain.org), if they connect to a DNS-name than you can reconfigure DNS to point this entry to the fixed-IP-address belonging to the Archer internet connection. Or you could add a second entry for the same name (a DNS A-record) pointing to the Archer's internet IP-address; that way you have 2 physical internet connections both reachable over the same DNS-name which offers redundancy and at the same time does load balancing.