Generally Confused

Hello

We have a SG210 running firmware v9.700-5.

I have purchased our first RED (15) with the intention of putting it in a client's LAN so they can use resources on our LAN.  Their Internet gateway doesn't have VPN functionality, so I chose to the RED.

It is setup thusly:

> The RED is configured in the "Advanced" configuration of "Manual/Split" mode.  The WAN port on the RED is plugged into an Ethernet port on their Technicolor ADSL router, and a LAN port on the RED is also plugged into the same router.  The RED has connected succesfully to the Sophos authorisation/config servers and is online in our UTM.
> I have created a new interface for the RED with an interface type of "Ethernet", using the RED as hardware and with a new and unused static IP address range.
> For testing purposes, I have created two firewall rules:

 

Letting all traffic through is for testing purposes, I intend to lock down these rules once testing is complete.

I have added a route to my Domain subnet on a PC on that is on the RED subnet, using the RED as the gateway.  They are not able to access resources on this network (e.g. remote desktop), or ping or tracert to it - the traffic times out.

If I attempt to ping anything other than the interface (45.1) from my Domain network, the traffic timesout.

What am I missing here?

  • Please show pictures of the Edits of the RED server definition and the Interface for the RED.

    Cheers - Bob

  • In reply to BAlfson:

    Thanks for your reply

    There isn't a Server (Service?) definition for the RED that I can see, but here is the interface:

    Hope that's what you need?

    Many thanks
    Paul

  • In reply to gr33ny:

    Look on the '[Server] Client Management' tab of 'RED Management', Paul.  Also, how do the remote devices get DHCP and what is the subnet in the remote site?

    Cheers - Bob

  • In reply to BAlfson:

    Thanks Bob

    That tab appears to have the RED ID & secret, should I be posting that publicly?

    They get DHCP addresses - 192.168.1.0/24

    This subnet is in use on a site-site VPN already, but since the RED has a new subnet (45.0/24) then I thought it may not matter...

    Cheers
    Paul

  • In reply to gr33ny:

    Agreed, Paul, I would mark those out if I were posting it the Edit of the RED Server.

    Cheers - Bob

  • In reply to BAlfson:

    Hello

    Apologies for my delayed reply, I have been somewhat busy of late.

     

  • In reply to gr33ny:

    In this screen the RED looks to be configured as Standard/Unified. In that case the RED "should" act as a router to route the traffic between the remote LAN and your own LAN and vice versa. In that setup you cannot connect both the WAN and LAN ports of the RED to the same network segment since then there can be no routing.

    What you may probably want is to have the RED in Transparent/Split mode where you put your Local Domain (Network) in the split networks list.

    Also in this setup, the UTM's RED interface will get an IP-address from the remote site, so you should configure the RED interface in the UTM as DHCP (or fixed in the SAME network as the LAN segment of the Technicolor router of the remote site).

    So the remote site will give an IP to your UTM RED interface.

    Then you have 2 options of connecting the RED in the remote network:

    1. Put it in between the Technicolor ADSL router and the rest of their network (which I would not recommend because you add a SPOF to their network and you may negatively impact throughput speed putting the RED in between). 
    2. Connect the WAN cable of the RED to the technicolor router as is currently and leave the LAN cable unconnected. It's important that in this case you need to add a static route to your Domain (network) either in the Technicolor router OR in the local PC's of the remote site. They should then use the IP of your RED interface of the UTM as gateway for your Domain network.

    Option 2 is the nicest solution since it interferes the least in the remote network (easiest would be to only add static routes to your subnets that need to be reached by the RED).

    The situation you have with the site-to-site VPN with the same IP-segment should in that case be solved by NATting the VPN traffic over a different subnet. Unfortunately that is something that needs to be changed in both sides of the VPN connection.