
Two LANs and gateway on one of the LANs

Hello, I've been trying to do a fairly simple task; I tried every possible route and gateway, but I couldn't succeed.

My setup is Sophos UTM with 2 LANs:

VoIP LAN: 192.168.2.130/24
Default Gateway: 192.168.2.250 (the Internet router is on this LAN)

LAN2: 10.10.12.2/29

I already have an Internet connection on the VoIP LAN interface and on all of the devices connected to it, but I couldn't get Internet access on LAN2, given that my main problem is that the router is on the VoIP LAN. What might be the required routes to make LAN2 reach the Internet, which is via 192.168.2.250?

When I do a traceroute from the VoIP LAN, I get the route through the router to the outside, but when I traceroute from interface LAN2 I get no route at all (asterisks).

Any help is highly appreciated, thanks



  • Hi Omar,

    All you need to do is set up the subnet as an additional address:

    Interfaces & Routing -> Interfaces -> Additional Addresses -> New Additional Address

    Then you would allow the traffic in the firewall to allow Internet access.

     

  • There are three ways that you might configure two subnets:

    1. Two subnets on a single LAN, using a single interface (no VLANs)
    2. One subnet on each of two VLANs, using one interface
    3. Each subnet on a separate interface

    Albert's reply is correct for option 1, but I understand you to say that you are using option 3.

    For option 3, I think you need a static route from the LAN2 subnet to the LAN1 interface address 192.168.2.130. With this in place, LAN1 can forward the traffic to itself or to the Internet, as appropriate. Without the static route, I think LAN2 will find LAN1 devices, but will not be able to find the Internet.

    In UTM, option 2 is a variant of option 3, because the hardware-level VLAN is mapped as a logical interface within UTM.

  • Hi Alberto,

    Thanks for the very fast response.

    Should I add the whole subnet of LAN2 (10.10.12.0/29) on interface VoIP LAN?

    Like the following picture:

    I'm just asking to be sure not to lock myself out, as I'm doing remote management :)

  • Hi Douglas,

    Thanks for your response. I think I have option 3, and here is a picture of my interfaces:

    Internal and WAN aren't used.

    What I test to see the connectivity is pinging from eth4 (LAN2) to the Internet:

    I tried to add the following route to test only 8.8.8.8:

    Where I explicitly said that a ping to 8.8.8.8 on interface LAN2 should be routed to 192.168.2.250 on interface VoIP LAN.

    But weirdly it didn't work; what do you suggest further?

    And thanks a lot for your time.

  • Start by disabling WAN on Eth0 by clicking the button next to its name, so that it goes white. It may be creating a routing problem.

  • Remove the interface lock from all network objects. Applying a value overrides routing, and says that 8.8.8.8 is routed to LAN2, breaking it for everybody.

    Then test with nslookup or dig. ICMP has separate configuration considerations (on the ICMP tab).

  • I disabled WAN. I just set 8.8.8.8 for a test, but am I saying in the picture that 8.8.8.8 is routed to LAN2, or am I saying "route 8.8.8.8 on interface LAN2 to 192.168.2.250 on interface VoIP LAN"?

    The thing is, I can't set a route for 0.0.0.0/0 in static routing; it pops up an error that the default gateway should only be set up on an interface, and interfaces don't allow me to set up a second gateway for LAN2.

    So I still weirdly can't just set up something like: route 0.0.0.0 on LAN2 to the gateway 192.168.2.250 on VoIP LAN.

    The problem with dig and nslookup is that they can't be invoked from a specific interface, and ICMP is ticked everywhere under the ICMP tab; I also tried with telnet.

    And for firewall rules I have any to any.

    The only thing left in my mind is that the router 192.168.2.250 is not masquerading, or is blocking the traffic coming from my 10.10.12.0 network; I will try to get access there and check.

    Thanks much again for your time.

  • Right. So you probably do not need any static route - my mistake.

    But I am sure that you want all network objects linked to interface <<any>>.

  • Hi Omar and welcome to the UTM Community!

    I think Doug's gotten you there, but you still might want to do #1 in Rulz to check your work. See #2 to get an idea of how UTM handles incoming traffic.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob,

    Thanks for the warm welcome, and yes, I read the Rulz; a great write-up and enrichment for the networking community and Sophos. Thanks for your time and effort on that; it helped me a lot in getting through how Sophos works.

    I don't know if that was possible with the logging, but I use tcpdump from the CLI to be able to see the exact traffic landing on each interface, and it works great for me (thanks to Sophos for being a GNU/Linux-based firewall).

    Confusion #1: you should handle the NAT for LAN interfaces even if the WAN IP is a private IP from the upstream router.

    I was just astonished at how sometimes we get lost with such a simple setup. I tried to reproduce all of that virtually and was able to wipe out my confusion: all I needed was simply to masquerade the traffic from LAN2 to the WAN interface (here was my confusion point: should I handle the NATting, or should the upstream router? But easily and logically, I (Sophos) should NAT so as to send everything to the upstream router as my WAN IP, and the upstream would masquerade the network to the outside WAN IP).

    Confusion #2: you can't simulate Internet connectivity on a LAN interface by pinging from it on the firewall itself.

    Another confusion I had: I was trying to predict whether a given interface has Internet access by doing a ping such as "ping -I eth0 1.1.1.1", but that won't work, logically, because I can't ping from the exact interface; I should ping from a host connected to that interface and having it as its gateway, so the traffic knows its exact route, instead of carelessly dumping traffic on the interface itself and hoping that the interface would know the route. But no, that wouldn't work.

    And then I solved my problems by doing the correct masquerading, with no need for static routing.

    I completed my post here in the hope that it would be helpful for other people who stumble upon the post and have my same confusion points.

    Thanks all for your time and help!
    Omar
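Added example (not from any of the posters above, and not Sophos code): a small Python model of the thread's topology that shows both confusion points at once. It does a longest-prefix route lookup like the UTM's main routing table, applies a UTM-style masquerading rule ("source network -> egress interface") in POSTROUTING, and then checks whether the upstream router can send a reply back. Assumptions beyond what the posts state: the VoIP LAN interface is eth1 (the posts only name eth0 for WAN and eth4 for LAN2), the LAN2 test host is 10.10.12.3, and the Internet router at 192.168.2.250 has no static route back to 10.10.12.0/29. The self_ping function models what `ping -I` does on Linux: an interface name pins the egress device (SO_BINDTODEVICE), an address only chooses the source IP.

```python
import ipaddress

# Constructed model of the thread's topology. Prefixes and the gateway come from the
# post; interface names eth1/eth4 and the host 10.10.12.3 are assumptions.
ROUTES = [
    # (prefix, next hop or None when directly connected, egress interface)
    ("192.168.2.0/24", None, "eth1"),          # VoIP LAN, UTM address 192.168.2.130
    ("10.10.12.0/29", None, "eth4"),           # LAN2, UTM address 10.10.12.2
    ("0.0.0.0/0", "192.168.2.250", "eth1"),    # default gateway sits on the VoIP LAN
]
IFACE_ADDR = {"eth1": "192.168.2.130", "eth4": "10.10.12.2"}
UPSTREAM_LOCAL = ipaddress.ip_network("192.168.2.0/24")


def lookup(dst, oif=None):
    """Longest-prefix match over ROUTES. `oif` restricts the search to one egress
    interface, which is what binding a socket to a device (ping -I <ifname>) does on
    Linux. Returns None when no route matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, via, dev in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr not in net or (oif is not None and dev != oif):
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, via, dev)
    if best is None:
        return None
    _, via, dev = best
    return {"nexthop": via or dst, "dev": dev}


def forward(src, dst, masq_rules=()):
    """Route a packet arriving from a LAN host, then apply POSTROUTING masquerading.
    masq_rules: iterable of (source network, egress interface), the shape of a UTM
    masquerading rule 'Network -> Interface'. Returns the packet as seen on the wire."""
    route = lookup(dst)
    if route is None:
        return None
    wire_src = src
    for net, dev in masq_rules:
        if ipaddress.ip_address(src) in ipaddress.ip_network(net) and route["dev"] == dev:
            wire_src = IFACE_ADDR[dev]   # source rewritten to the egress interface address
            break
    return {"src": wire_src, "dst": dst, **route}


def upstream_can_reply(wire_src):
    """Assumption: the Internet router at 192.168.2.250 only knows 192.168.2.0/24 as
    connected and has no route for 10.10.12.0/29, so a reply to any other source
    address follows its own default route towards the Internet and never comes back."""
    return ipaddress.ip_address(wire_src) in UPSTREAM_LOCAL


def lan2_has_internet(masq_rules):
    """Round trip from a LAN2 host to 8.8.8.8: does the reply have a way home?"""
    pkt = forward("10.10.12.3", "8.8.8.8", masq_rules)
    return pkt is not None and upstream_can_reply(pkt["src"])


def self_ping(iface_or_addr, dst="8.8.8.8"):
    """What 'ping -I X 8.8.8.8' on the UTM shell does (confusion #2). An interface
    name pins the egress device, and eth4 carries no default route, so the lookup
    fails; an address only sets the source IP, and the packet still leaves via eth1."""
    if iface_or_addr in IFACE_ADDR:
        return lookup(dst, oif=iface_or_addr)
    route = lookup(dst)
    return None if route is None else {"src": iface_or_addr, **route}


if __name__ == "__main__":
    masq = [("10.10.12.0/29", "eth1")]
    print("LAN2 -> 8.8.8.8, no masquerade :", forward("10.10.12.3", "8.8.8.8"),
          "reachable:", lan2_has_internet([]))
    print("LAN2 -> 8.8.8.8, masqueraded   :", forward("10.10.12.3", "8.8.8.8", masq),
          "reachable:", lan2_has_internet(masq))
    print("ping -I eth4 8.8.8.8           :", self_ping("eth4"))
    print("ping -I 10.10.12.2 8.8.8.8     :", self_ping("10.10.12.2"))
```

Without the masquerading rule the packet is routed correctly (out eth1 via 192.168.2.250) but leaves with source 10.10.12.3, which the upstream router cannot answer; with the rule it leaves as 192.168.2.130 and the round trip works, which is why no static route was needed. The two self_ping cases show why pinging from the firewall's own interface proves nothing about LAN2 clients.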