Being new to this, I stuffed up somewhere and need some pointers...
When I first set up the UTM (home) it was getting DHCP from my router. A .10 address for the internal and a .30 for external (WAN). (Same network obviously)
I ended up configuring the UTM to provide DHCP service so that the default gateway of devices would be the UTM - the .10 address. Then I disabled DHCP on the router. All was working well, and as devices renewed their IPs, they'd get it from the UTM and start routing traffic via it. Schweet :)
Then I rebooted the UTM to increase the memory - it's running as a VM and I wanted to take the memory from 2GB to 4GB. When it came back up, the WAN interface was down. It had gotten a DHCP address from the UTM itself so now was pointing to the .10 address and making a loop I guess.
So...I changed the External WAN to be static .30 and set the default gateway to the router. Services restored, yay :D
But.....it looks like it isn't actually working properly. I've kicked off a restore from crashplan and see this:
It looks like the download is operating over internal NIC only, and not being passed via the WAN NIC.
How do I fix it? I almost added the WAN address as the default gateway of the internal NIC, but I fear that may cause me to lose connectivity via the web admin page and then I wouldn't be able to put it back.
Additional traffic data:
It looks like the *backup* to crashplan was routing as expected (i.e. outbound traffic) so it is the download traffic (restore) that is for some reason coming straight from the router to the internal interface of UTM.
First things first, it is not advised to keep the LAN and WAN interfaces in the same subnet. It will always create routing conflicts and result in a situation like the one you're facing.
I'd suggest configuring the LAN network different from what you have from your ISP router. Then, configure DHCP in a way that your Internal (LAN) interface becomes the Gateway for all Internal devices. Once done, you should create a Masquerading rule to SNAT all the traffic via your WAN interface. Hope this helps.
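The reason overlapping LAN and WAN subnets misroute traffic can be shown with a small model of the firewall's route lookup. The following is an added example, not code from the thread or from the Sophos product: it models a connected route per interface plus one default route, performs a longest-prefix match, reports when two interfaces match a destination equally well (the ambiguous case the reply above warns about), and shows the source-NAT decision a masquerading rule makes on the WAN side. The addresses are the ones the thread uses (192.168.1.10 internal, 192.168.1.30 external, 192.168.1.1 router, 192.168.100.0/24 as the separated LAN); the class, function and field names are this example's own.

```python
"""Toy model of the routing decision behind the LAN/WAN same-subnet problem.

Constructed example: addresses follow the thread, names are hypothetical.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface
from itertools import combinations


@dataclass(frozen=True)
class Iface:
    name: str
    addr: IPv4Interface  # e.g. IPv4Interface("192.168.1.10/24")
    role: str            # "lan" or "wan"


# The original plan from the thread: both interfaces in 192.168.1.0/24.
OLD_PLAN = [
    Iface("eth0", IPv4Interface("192.168.1.10/24"), "lan"),
    Iface("eth1", IPv4Interface("192.168.1.30/24"), "wan"),
]

# The suggested plan: LAN moved to its own subnet, WAN stays on the router's.
FIXED_PLAN = [
    Iface("eth0", IPv4Interface("192.168.100.10/24"), "lan"),
    Iface("eth1", IPv4Interface("192.168.1.30/24"), "wan"),
]

ROUTER = "192.168.1.1"  # default gateway on the WAN side


def overlapping_subnets(ifaces):
    """Return every pair of interfaces whose connected subnets overlap."""
    return [(a.name, b.name) for a, b in combinations(ifaces, 2)
            if a.addr.network.overlaps(b.addr.network)]


def route(dst, ifaces, default_gw):
    """Longest-prefix match over connected routes, then the default route.

    Returns (interface_names, next_hop). More than one name means the box
    has two equally specific connected routes and the choice is ambiguous,
    which is exactly what happens when LAN and WAN share a subnet.
    """
    dst = IPv4Address(dst)
    best, best_len = [], -1
    for i in ifaces:
        net = i.addr.network
        if dst in net:
            if net.prefixlen > best_len:
                best, best_len = [i.name], net.prefixlen
            elif net.prefixlen == best_len:
                best.append(i.name)
    if best:
        return best, None  # directly connected, no next hop
    gw = IPv4Address(default_gw)
    for i in ifaces:
        if gw in i.addr.network:
            return [i.name], gw
    raise ValueError("default gateway is not on any connected subnet")


def masquerade(src, dst, ifaces, default_gw):
    """Source-NAT decision: packets leaving the WAN interface get its address.

    Returns the source address the packet carries after the rule runs.
    Raises if the egress interface is ambiguous, since a NAT rule cannot
    be reasoned about when the route lookup itself is undecided.
    """
    names, _ = route(dst, ifaces, default_gw)
    if len(names) > 1:
        raise ValueError(f"ambiguous egress for {dst}: {names}")
    out = next(i for i in ifaces if i.name == names[0])
    return str(out.addr.ip) if out.role == "wan" else str(src)


if __name__ == "__main__":
    print("old plan overlaps:", overlapping_subnets(OLD_PLAN))
    print("old plan route to router:", route(ROUTER, OLD_PLAN, ROUTER))
    print("fixed plan overlaps:", overlapping_subnets(FIXED_PLAN))
    print("fixed plan route to router:", route(ROUTER, FIXED_PLAN, ROUTER))
    print("fixed plan route to Internet:", route("203.0.113.5", FIXED_PLAN, ROUTER))
    print("SNAT of LAN client:", masquerade("192.168.100.50", "203.0.113.5", FIXED_PLAN, ROUTER))
```

With the original plan the lookup for the router's own address matches eth0 and eth1 with the same /24 prefix, so which NIC the reply traffic uses is down to tie-breaking rather than configuration. With the LAN on 192.168.100.0/24, every Internet-bound packet has exactly one egress (eth1 via 192.168.1.1) and the masquerading rule rewrites the client's 192.168.100.x source to 192.168.1.30, which is the only address the router needs to know a return path for.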
In reply to Jaydeep:
Thanks, but I'm not entirely sure I follow :/
As you may recall from my first question last week, I'm running the UTM in a VM. Being a home user, my router is also the modem and Wifi access point.
ISP provide IP -> router -> internal IP -> all devices, including UTM
I did have a play with this without really understanding what I was doing :)
But it broke my crashplan backup. But, after I disabled this policy again and restarted services for crashplan, the routing seems to have reverted.
But not really.....because the traffic isn't being registered properly - there's no 'code 42 crashplan' showing up [restored 20GB so far so should be top of the list].
I did look at NAT previously. In hindsight, I should have taken notes on what I was doing and why :( I *think* I originally was trying to set up my nextcloud vm, but that turned out to be a port issue so I'm sure this masquerade is needed. (The NAT tab is empty)
Let's say my router address was 192.168.1.1 and the external WAN on UTM is 192.168.1.30, and the UTM internal is 192.168.1.10.
If I change the internal to 192.168.100.10 and alter the corresponding DHCP service, would that work?
My Hyper-V host would end up with say 192.168.100.50, hosting the UTM running both 192.168.100.10 *and* 192.168.1.30. Will my router act only as a switch for the 192.168.100.x network, and only route traffic from the 192.168.1.x to the Internet - which would be the external interface of UTM.
Is that what you mean?
To make matters more complicated...I also run virtual box on my main PC with a mix of NAT and bridge VMs. So I already have double NAT happening - will I end up with triple NAT?
In reply to Dave99:
Dave, the ideal solution is to put the "router" into "bridge" mode so that the UTM can get a public IP on the External interface.
Otherwise, until you put the Internal network in a subnet different from 192.168.1.0/24, we won't be able to help you. The downside of that will be that you will be doing double NAT.
The other option would be to bridge eth0 and eth1. That means you can't do QoS and that configuration of Web Filtering and other protections will need to be a bit different.
Can you bridge your router?
Cheers - Bob
In reply to BAlfson:
I'm realising that using an enterprise product at home is...challenging :)
I'm not sure if I can bridge - but let's assume that I can; what would that actually mean?
Would the router still maintain a 192 address that I can connect to?
The external interface would have to be DHCP since I'm not getting a static IP from my ISP. How would I ensure that 'it' gets the external IP rather than something else in the environment? I'm thinking, particularly, of host reboot for patching. Windows comes up and tries to renew its lease but fails since the UTM isn't running yet, so wouldn't the hyper-v host then adopt the public IP address? When the UTM VM comes up, I imagine the external interface would grab an address from the internal interface (which is running the DHCP for my devices) like it did a few days ago (and which broke the routing to land me in my mess :))
And to add another wrinkle, the router runs the Wifi AP as well.
I imagine if I had a hardware device it might be slightly easier, though I imagine I'd need something that does WiFi too so my router becomes a dumb modem and bridge and nothing more
If I'm missing some key point, do please advise.
What's the make & model of the router, Dave?
It's a Fritz 7490. I have googled a bit and believe it is bridgeable - but I'm really not clear on the implication and particularly the risk if something other than the UTM grabs the Internet address.
What I have done is factory reset the UTM and started over; since I had fiddled a bunch of stuff to try and get the routing working and couldn't find a document showing how it is initially set up, I figured factory reset was the way to go. Then I made the external interface static on the same network as the router. I've then set the internal interface to a different network (using a manually set IP to be able to connect to the web page) with a DHCP scope in that network. So far, everything seems to be working, with clients getting DHCP on the new network and going via the external interface to get out. The router doesn't 'see' any of the clients anymore but it must still be switching.
With 4 days uptime, the vCPU is now hovering around 10% instead of 1% so not sure if that means there's an issue/leak somewhere.
The amount of traffic is still mis-reported though. Does it only count downloads and ignore uploads in the stats?