BGP Basic Routing Question

Hello,

 

try to build up my first solution with BGP and a I´m bit sad … some Things dont work.

 

Situation:

Sophos XG as Gateway Firewall.

2 BGP Partner .. 2 Public Networks to announce. an 20 VLAN with private Networks behind the XG.

 

What ist working …

I got the BGP Working, i createt some dnat rules to bring the traffic from the local Network into the Internet.

 

What don´t work.

I can not Register the Sohos XG .. because it has no WAN Interface. ( ? )

I have build all as LAN Interfaces ..the 2 BGP Interfaces and the "real" Lan Interface.

If i want to Register the Sophos says .. "Register Server is not reachable".

I can also not ping a host into the Internet from Diagnosis of the XG.

From a Client with a privat IP that goes over the DNAT Rule .. everything works fine with Internet an ping.

 

I think the is a Basic "Default Route" missing .. but how can i set a Default route with BGP because i have no WAN Interface and only

virtual 2 Networks with public IP´s .

 

Is is necessary to set one of the physical Interfaces with a IP from the Public Pool ?

My Public Pool ist 195.37.XX.0/23  .. 

My old Cisco Router had on one interface the IP 195.37.XX.1  and our Layer 3 Switch which terminated the VLANS had this IP as the Default route.

Now i want to terminate all VLAN´s on the Sophos XG .. ( it works) but how can i bring the public Network inside,

because we have some devices in our Network that Need a IP from the Public Pool (195.37.XX.0/23)

 

If you understand my litlle confuse Questions .. im very happy for every tip.

 

 

 

  • The Appliance need at least 1 WAN interface as Zone Type WAN.

    As i read in your post, this seems to be the problem.

    Can you link a screenshot of your interface config?

    You should have 1 Interface (VLAN) at least as Type WAN.

     

    Or (to work without a WAN interface) try to use the parent proxy in the routing tab. But would go with a WAN Interface.

    Zone WAN is a preconfigured zone, which points all traffic for the appliance to the Internet.

    Maybe you should get in touch with your partner or the distribution to get a small workshop regarding the zone concept / XG policy handling.

  • In reply to ManBearPig:

    Here are some Screenshots .. perhaps you could advise how to define the wan interface .. 

    So i should define one of my public IP Adresses as a wan interface ?? .. but what is the gateway for that ???

    Screensot with BGP Config and Config Network interfaces 

  • In reply to Christian Kolbe:

    So you dont have any WAN interface.

    Would suggest at least one WAN interface.

    The Gateway would be "the next hop" of your BGP route. I *think* you have to predefine this one. Do you know your next hope from XG WAN?

  • In reply to ManBearPig:

    sorry .. i don´t understand you.

    We are using BGP from Internet Provider .. behind the BGP Partnes is ... WWW

     

    Here is my BGP config :

     

    XG-Port 11 is BGP Port 1

     

     
     
    188.1.230.110/255.255.255.252
     
    XG-Port 10 is BGP Port 2 
    188.1.237.246/255.255.255.252
     
    BGP Partner are : 
    188.1.237.45 
    188.1.230.109
     
    My Network for BGP is : 195.37.84.0/23 ( 512 Public IP Addresses :-) ) yes....
     
     
    So i should define a wan interface with ip 195.37.84.1 .. but next Hopp is  188.1.237.109  ???
     
     
  • In reply to Christian Kolbe:

    I have tried several way.. 

    i can not define a WAN Interface ..  a wan Interface need a gateway into the same IP Range .. but with BGP you have

    a bgp default route and the Announced networks are working with DNAT Rules .. 

     

    I can do everything with a lan client .. Internet and all the other but the XG itself dont go to registration site ....

  • In reply to Christian Kolbe:

    Lets try something else. Please open 2 SSH consoles.

    one with advanced Shell: tailf /log/licensing.log

    One the other please a dump to the licensing server, which the appliance tries to connect.

    tcpdump -ni any host (IP of the server) and port 443

    Please share the output.

  • In reply to ManBearPig:

    Hello,

     

    here are the Screenshots …

    It´s very strange.

    Yesterday i had already contact to a german Sophos Member of Helpdeskt Team … but he could´t help me,

    because he had never installations with bgp ..

    We have an other strange behaviour on the Machine .. from the console and from the gui you can ping Google 8.8.8.8 but no other Public IP ….

    But from a Client behind a DNAT Rule .. everything works fine !!

  • In reply to Christian Kolbe:

    Sound like a "routing" issue...

    You see the traffic is going to the correct IP with 188.1.230.110 on Port11.

    So next question: Port11 is your Potential interface to go to the internet?

    But 188.1.230.110 seems to be the Appliance interface address, isnt it?

    In my point of view, the appliance does the correct routing. But the neighbor of Port11 maybe does not NAT the traffic.

    You say, you can ping Google? try ip r g 8.8.8.8 to see, which interface is used. Then do a tcpdump -ni any icmp and ping again.

    Should the Appliance NAT anything? Do you have a Policy which NATs the Traffic?

  • In reply to ManBearPig:

    of Course it´s a Routing issue but it´s only on the XG itself, a Client behind his nat rule works perfect.

     

    it´s BGP …

    Interface Port 11 and Port 10 are the BGP Endpoints  ( Interface to Internet) ,

    IP: 188.1.230.110  an IP 188.1.237.246

    They have Partners, that are the next hops.. in BGP

    IP 188.1.230.109  and 188.1.237.245 

    Technically 188.1.230.110 and 188.1.237.246 are the wan interfaces .. but you can not declare this as a wan interface because it has no Gateway. (that makes BGP)

     

    We use this XG as a replacement of an older CISCO 3748 Border Router, i have checked the configuration of this cisco device .. he had also no Default Gateway !!

    Some Screenschots :

    Default DNAT Rule  ( i use one Address 195.37.84.10 from the public pool for nat) (VLAN1 ) all the other VLAN´s have an own public Address for nat.

    Cisco BGP Config have adapted it to XG .. without any filter rules

     

    it´s a Problem special related to BGP Implementation and Routing but i can not find any Person on Sophos Germany that has the neccessary Knowledge

    about working with BGP and Sophos XG. :-(

     

     

     

     

     

  • In reply to Christian Kolbe:

    So - We are talking about traffic, which is leaving the correct interface with the correct ip address.

    Maybe this is a BGP config issue?

    I mean, how can you know, the traffic is not dropped on the next station or the bgp config is not correct? Seems to be correct on XG site. How can you decide, it is a XG issue? The dump seems to be fine according to your information.

     

    So lets check the dump again - We are sending the Sync. But there is no response.

    Try a telnet from a Client behind the DNAT(i am a little bit confused about the DNAT, you mean SNAT isnt it?) and dump it.

    Then try to find the related pattern. Which IP is used from the client and which from the XG itself.

    In your Policy is a "NAT_1.." SNAT Policy. Which IP is it?

     

    Maybe you need a SNAT Rule for the Sys Traffic:

    https://community.sophos.com/kb/en-us/122999

     

     

  • In reply to ManBearPig:

    Hello,

    your tip with the KB12299 seems the right direction, i will try it tommorow.

     

    BGP is not the Standard that´s why i´m Looking intense for a guy with more practical experience.

    With BGP you have announced Networks behind the BGP Partners... in my Situation it is the 195.37.84.0/23 Network.

    So i have 512 public addresses between the BGP Network und my corparate Network.

     

    Thats why i have a SNAT Rule ..  that all the traffic come from lan goes to anywhere will use one of my public IP´s for NAT.

    in my  standard Rule it´s the 195.37.84.10 .

    If you make a WWW.whatismyip.com from a Client then you will see the  195.37.84.10 and not one of the BGP Address.

    But it seems that this rule is not applying to traffic generated from the XG.

    I also can not send mails from the XG for config changes and reports.. i think it´s the same Problem.

     

    bgp config is not correct? Seems to be correct on XG site. How can you decide, it is a XG issue

    of Course .. everything is possible but why is all working from a Client behind the XG ? and only from the XG itself it works not ?

    and BGP Configuration is absolutely simple, it´s nearly impossible to make Errors ..

    You have 2 interfaces with ip Addresses .. you have 2 Partners  und 2 Secrets .. the BGP Config are 8 Lines ..and it´t absolutely the same as on the old cisco device.

     

     

     

     

     

     

     

     

     

  • In reply to Christian Kolbe:

    Here can you find all FQDNs, XG is using for all modules.

    https://community.sophos.com/kb/en-us/126576

  • In reply to ManBearPig:

    Hello,

    many THX for the TIP .. that worked for me.

    I can now ping every host which i have configured over this rule..

    "set advanced-firewall sys-traffic-nat"

    I can ping the registrary server for europe 

    i made an entry for licensing server / sophos.com / my mail server for status reports ..

     

    But unfortanly i´m not able to register the first XG ...

    We have 2 XG310 here for HA Pairing ... 

    I have preregistered both systems over my sophos partner account and both !! Systems appear under the  correct customer Sophos ID

    When i now start on the regsitration screen and put in the Mail Address of the Customer Sophos ID .. then come the message 

    "The Device is already registered " 

    If the Account is correct  (yes it is ) i should only "synchronise the licence" over  ADMINISTRATION LICENCING 

     

    But i can not synchronise  because there ist only the link  for the  first time registration .. when i click it .. it ask for the sophos id ..

    and again .. the device is already registered .

     

    How can a manually force a licence sync over the console or  SSH Shell  ??  is there a way ??

     

    Curious ... on the second XG .. the HA Partner .. all works fine .. i could login with the sophos ID .. then it  also said that this device

    is already registered but after next login .. the device war registered and i could perform HA Configuration for the second device.

    The second device i configured with a lan port port of primary device as WAN .. so it was a standard network client and i got not the issues with 

    bgp .. we will build a Active Passive HA .. and switch cables if primary Sophos will fail ...

  • In reply to Christian Kolbe:

    Seems to be an issue in the HA Setup.

    The License is applied on Appliance A.

    Appliance B has no license.

    If you go to Appliance B and build up the HA or Appliance B was not able to sync while installation, this can cause this issue.

    Would suggest to disable the HA and bridge the Appliance B via Appliance A to the Internet. Then enable the license and sync everything. And build up HA again.

     

    If you disable HA, all Ports except Administration and HA Port will be disabled.

    So you can use a Free Port on Appliance A and patch Appliance B there. Go the the Appliance B Webadmin, configure the free Port as WAN and Gateway is Appliance A.

    Build a Policy on Appliance A to use the correct NAT.

     

    And disable everything afterwards and enable HA again.

    Sounds "complicated" - Is a 10 min work.

     

    Cheers

  • In reply to ManBearPig:

    NO … i think it´s not an HA Failure .. because the Problem was prior to switch ON the second appliance.  ( Hours ago)

    and i could not make any HA Configuration on the first appliance .. because it is not registered :-) 

     

    The second appliance was connected as you described it.. and on this way it synced perfect.

    Both Appliances are on the customer ID …

    The First appliance with the BGP Config will ask for the Sophos ID .. and when i give the correct addres .. it say . Device is already registered .. you have to sync appliance ..

    But i can not sync over the gui beacause there is only the "First Registration link active"

    Look to the Screenshos.

    I think it´s the same Problem we had Prior to contact the licensing Server and to make Connections from the appliance itself . .but now i Need some more IP´s from a

    sync Server ??

     

    Is there a way to use this command :

    set advanced-firewall sys-traffic-nat add Destination   

     

    global ??

    I could only put in single IP ´s there .. on which way i can say that all the traffic from the System itself  ??