Sophos UTM additional VDSL connection.

Hi,

I have a Sophos UTM running in hyper-v with 5 physical interfaces. 

I would like to add an additional interface to allow only L2TP IPSec connections using an additional line.

(I have the VPN configured and working correctly on a different interface so hoped it would be easy to migrate to the other faster line)

The additional line: I have an 80/20 VDSL line connecting using an Archer VR2800 - this has wifi and 4 LAN ports. I plan to add this connection to the UTM?

The Archer VR2800 is operating as a modem/router and has an external fixed IP "A.A.A.A", and the LAN ports have a local subnet 192.168.4.0 via its own DHCP. (All fairly standard.)

I have patched the UTM to one of the LAN ports of the Archer...

I have created an interface on the UTM - giving it the external IP address I would like it to use. I suspect the DHCP on the Archer router is stopping this from working?

The Archer does not appear to have a WAN port? I cannot see any bridged mode options on the Archer? Can I add some kind of NAT rule in the UTM to allow traffic to pass over the line for VPNs?

Do I need to configure the UTM interface to use a local IP address (192.168.4.xx) and some kind of routing rule to allow the external IP address to resolve?

I hope this makes sense! Any advice or guides towards the correct method of connection would be greatly appreciated.

Many thanks,

Tony

  • Hi Tony,

    No, you cannot edit the IP in UTM to the "desired" address if your router in front is doing NAT (and not bridging).
    What you need to do is give the UTM an address in the 192.168.4.xx range (preferably a fixed IP in this range) and configure the Archer to forward either all traffic or at least the traffic needed for the VPN to work to the 192.168.4.xx UTM address.

    In the UTM this interface should be configured as an "IPv4 Default GW", and of course it needs to point to the Archer as the gateway for this network.

    Next, depending on how your clients connect to the VPN now (by an IP address or maybe a FQDN like vpn.mydomain.org): if they connect to a DNS name, then you can reconfigure DNS to point this entry to the fixed IP address belonging to the Archer internet connection. Or you could add a second entry for the same name (a DNS A-record) pointing to the Archer's internet IP address; that way you have 2 physical internet connections both reachable over the same DNS name, which offers redundancy and at the same time does load balancing.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Hi Tony and welcome to the UTM Community!

    L2TP/IPsec won't work unless the UTM has a public IP on the interface - this is a limitation of IPsec and any L2TP/IPsec client I've seen. If you can't get the Archer to give you a public IP, you're better off switching to the SSL VPN.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA