Public IP Subnet used for Servers in DMZ and for WAN Gateway


I would like to replace my ZyWall USG 100 with a Sophos XG 105w or 115w and I am wondering if I can finally also get rid of an issue I have had for years:

Currently I have a WAN router in place (which gets a DHCP address from the provider and holds my own public IP subnet); as two of my servers need to have a public IP directly assigned, I couldn't put them in the DMZ (behind the ZyWall) and can only use the software firewall on the systems themselves.

I'm wondering if it's possible with bridge ports to have all systems behind the Sophos XG, using one of the public IPs for the client subnet behind it and using the rest of the public IPs from the same subnet directly for the servers in the DMZ.

Attached is also an attempt at a drawing - currently the 2 systems with the mandatory public IPs are on the WAN router directly and I'd like to get them somehow behind the Sophos XG too if possible. I know that splitting up the WAN subnet into two subnets would be the clean way, but that's actually not possible.

  • Hey

    Welcome to the Sophos Community!

    I would advise, for the sake of implementing this and preventing potential headaches, that you consider inquiring with your Sophos Partner/Reseller regarding professional services to assist with your initial setup according to your requirements.

    This setup should be possible by adding your Public IPs as aliases on your XG, then utilizing these with DNAT and SNAT rules to properly translate the IPs as per your requirement.
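    One way to sanity-check the alias plan described above before entering rules on the XG, as an added example that is not from the original thread or from Sophos: a small Python helper that takes the provider's subnet, the provider gateway, the XG's own WAN address and the public-to-DMZ mapping, rejects aliases that collide with reserved addresses, and emits the 1:1 DNAT/SNAT pairs. All addresses are constructed documentation values; the function name and the output shape are assumptions.

```python
import ipaddress

# RFC 1918 ranges; used instead of ipaddress.is_private because that flag also
# covers documentation ranges such as 203.0.113.0/24 used in the sample below.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def plan_one_to_one_nat(wan_subnet, provider_gateway, xg_wan_ip, dmz_hosts):
    """Validate a public-IP alias plan and return the 1:1 DNAT/SNAT pairs.

    wan_subnet       -- the provider's public subnet, e.g. "203.0.113.0/29"
    provider_gateway -- the provider router's address inside that subnet
    xg_wan_ip        -- the address the XG itself uses on its WAN port
    dmz_hosts        -- {public_ip: private_dmz_ip} per server needing a public IP
    Raises ValueError on any address that cannot be used as an alias.
    """
    net = ipaddress.ip_network(wan_subnet, strict=True)
    gw = ipaddress.ip_address(provider_gateway)
    xg = ipaddress.ip_address(xg_wan_ip)
    for name, addr in (("provider gateway", gw), ("XG WAN IP", xg)):
        if addr not in net:
            raise ValueError(f"{name} {addr} is outside {net}")
    if gw == xg:
        raise ValueError("XG WAN IP must differ from the provider gateway")
    # Addresses that can never be handed out as aliases.
    reserved = {net.network_address, net.broadcast_address, gw, xg}
    rules, seen_private = [], set()
    for pub_s, priv_s in dmz_hosts.items():
        pub, priv = ipaddress.ip_address(pub_s), ipaddress.ip_address(priv_s)
        if pub not in net:
            raise ValueError(f"alias {pub} is not in WAN subnet {net}")
        if pub in reserved:
            raise ValueError(f"alias {pub} collides with a reserved address")
        if not any(priv in n for n in RFC1918):
            raise ValueError(f"DMZ host {priv} is not an RFC 1918 address")
        if priv in seen_private:
            raise ValueError(f"DMZ host {priv} is mapped to two public IPs")
        seen_private.add(priv)
        rules.append({
            "alias": str(pub),                 # add as a host/alias on the WAN port
            "dnat": (str(pub), str(priv)),     # inbound: public -> DMZ host
            "snat": (str(priv), str(pub)),     # outbound: DMZ host -> its own public IP
        })
    return rules


if __name__ == "__main__":
    # Constructed sample: a /29 from the documentation range, two DMZ servers.
    for r in plan_one_to_one_nat("203.0.113.0/29", "203.0.113.1", "203.0.113.2",
                                 {"203.0.113.3": "10.0.1.10", "203.0.113.4": "10.0.1.11"}):
        print(r)
```

    The remaining usable addresses in the /29 (here .5 and .6) stay free for the client subnet's masquerading or further aliases.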

  • In reply to FloSupport:

    Hey Flo,

    Thanks for the hint with aliases, I will give it a try that way then. I have already done several firewall implementations (ZyWall, ASA, Checkpoint, ...) but never had a Sophos until now, and usually the setup is clean, e.g. with a dedicated DMZ subnet - just my own network is a bit of a mess due to the limitation by the provider with just a single public subnet, and with the ZyWall I never succeeded in getting it running the way I described, so I was wondering if it would be possible with the Sophos XG :)

  • In reply to ThomasVIE:

    Hi Thomas,

    Understood! :) Please don't hesitate to reach out to me via your thread or PM. I'd like to provide assistance where I can, to help make your transition as smooth as possible.