two LANs and Gateway on one of LANs

Question

Hello, I've being trying to do a fairly simple task, I tried every possible route and gateway but I couldn't succeed. 
 
 My setup is, Sophos UTM with 2 LANs: VoIP LAN: 192.168.2.130/24 Default Gateway: 192.168.2.250 (The internet router is on this LAN) LAN2: 10.10.12.2/29 
 
 I have already internet connection on VoIP LAN interface and all of the devices connected to it, but i couldn't succeed to get on internet on LAN2 giving that my main problem is that the router is on VoIP LAN, what might be the required routes to make LAN2 reach the internet which is on 192.168.2.250? When i do a traceroute from VoIP LAN, I get the route throught the router to outside, but i when i traceroute from interface LAN2 I get straightly no route (astericks). 
 
 Any Help is highly appreciated, thanks

DouglasFoster · Accepted Answer

Right. So you probably do not need any static route - my mistake. But I am sure that you want all network objects linked to interface <>

BAlfson · Answer

Hi Omar and welcome to the UTM Community! 
 I think Doug's gotten you there, but you still might wan to do #1 in Rulz to check your work. See #2 to get an idea of how UTM handles incoming traffic. 
 Cheers - Bob

Alberto Sebastainutti · Answer

Hi Omar, 
 
 All you need to do is setup the subnet as an additional address 
 Interfaces & Routing -> Interfaces -> Additional Addresses -> New Additional Address 
 then you would allow the traffic in the firewall to allow for internet access.

DouglasFoster · Answer

There are three ways that you might configure two subnets: 
 
 Two subnets on a single LAN, using a single interface (no VLANS2) 
 One subnet on each of two VLANs, using one interface 
 Each subnet on a separate interface 
 
 Albert's reply is correct for option 1, but I understand you to say that you are using option 3. 
 For option 3, I think you need a static route from the LAN2 subnet to the LAN1 interface address 192.168.2.130. With this in place, LAN1 can forward the traffic to itself or to the Internet, as appropriate. Without the static route, I think LAN2 will find LAN1 devices, but will not be able to find the Internet. 
 In UTM, option 2 is a variant of option 3, because the hardware-level VLAN is mapped as a logical interface within UTM.

Omar Khalil · Answer

Hello Bob, 
 
 Thanks for the warm welcome, and yes I read the Rulz, great write up and enrichment for the networking community and Sophos, thanks for your time and effort on that, it helped me much getting through how Sophos works. 
 
 I don't know if that was possible with the logging but i use tcpdump from the cli to be able to see the exact traffic landing on each interface and it works great for me (thanks for Sophos for being GNU/Linux based firewall). 
 Confusion #1, you should handle the NAT for LAN interfaces even if the WAN IP is a private IP from the upstream router: 
 I was just astonished how sometimes we get lost with such simple setup, I tried to reproduce all of that virtually and was able to wipe out my confusion, all I needed was simply to masquerade the traffic from LAN2 to the WAN interface (here was my confusion point, should I handle the NATTing or the upstream router should! but easily and logically was that I (Sophos) should NAT to send everything to the upstream router as my WAN IP and the upstream would masquerade the network to the outside WAN IP). 
 Confusion #2, you can't simulate internet connectivity on a LAN interface by pinging from it on the firewall itself: 
 Another confusion I had, I was trying to predict if a given interface having an Internet by doing ping such as "ping -I eth0 1.1.1.1" but that won't work logically because I can't ping from the exact interface but I should ping from a host connected to that interface and having it as its Gateway so the traffic knows its exact route, instead of carelessly dumping traffic on the interface itself and hoping that the interface would knows the route, but no that wouldn't work. 
 and then I solved my problems by doing the correct masquerading and with no need to static routing. 
 
 I completed my post here in hope that it would be helpful for other people stumbled upon the post and having my same confusion points. Thanks all for your time and help! Omar