Connecting sophos Xg 135 directly with 4g Internet Router

Dear Group Members,

Its my first post, I am new to networking, as my main job is as a developer my question is as below:

Currently in our new office is there is No internet connection, In total we have 5 servers having IP address range of 172.21.24.0/24 including one exchange server having IP address 172.21.24.30/24, out of these 5 server one server acts as a DHCP server, All Servers have static IP addresses, while clients machine(connected to a switch) IP's are assigned by the DHCP server in the same range i.e. 172.21.24.50-150/24.

 

due to time shortage it is decided to go for a 4g internet connection and also to use a firewall, for which i have recommended sophos xg 135(including web/network/email security and end points security) .

Now i have a couple of questions regarding the above scenario:

1) First question about the recommended network connectivity i.e.

a) servers+clients------------>switch---------->Sophos Firewall----connected via direct ethernet cable to the internet router------->4g internet router-------> Internet  OR

b) servers+clients------------>switch---------->4g internet router------connected via direct ethernet cable to the internet router----->Sophos Firewall-------> Internet 

2) There are VPN users as well who will needs to connect to the network using remote VPN

3) Also what about the wireless connection

If possible please explain in detail and step wise . I have attached a network diagram which is not neat and good as i created it under 10 mins  for this post only,

 

looking forward to your kind support.

 

  • Hi,

    quickly setup 'a' will do initially. You set the wifi up from within the XG GUI.

    How much data is your 4G allowance? Will the 4G connection have a static IP address? 

    Do people need to access the servers externally? If yes then you might need to consider a DMZ?

    Ian

  • In reply to rfcat_vk:

    Thanks Ian for the reply.

    How much data is your 4G allowance?  -->  Speed is 64Mbps  ---- initially 100 GB package which is more than enough later on we can replace the 4g router with a network internet connection from an ISP - Yes the 4G connection will have static IP address, 3  public IP addresses are included with the 4G Internet Package

    Do people need to access the servers externally? If yes then you might need to consider a DMZ?  Yes the Email server needs to be accessed externally from internet + there will be remote VPN users as well. is DMZ is must or we can go without it?

    If i go for setup (a) i.e.

    a) servers(172.21.24.5-30/24  GW is 172.21.24.1)+clients (172.21.24.50-150/24 via DHCP Server GW is 172.21.24.1)------------>switch(single VLAN)---------->Internal Interface (172.21.24.1) Sophos Firewall----connected via direct Ethernet cable to the internet router------->4g internet router-------> Internet

    Can you please explain the below points:

    Will the Firewall work like this i.e. connected directly to the 4G internet router via ethernet cable?

    Firewall will act as a Wireless point for wireless clients?

    Firewall will act as a gateway for the Servers/Clients?

    If possible Can you please explain in detail including how the clients + servers will connect to the internet ? Firewall will have two IP's i.e. Internal and External, Internal i know but what will be the external IP for the Firewall connected to the 4g router .

    looking forward to your kind response

     

  • In reply to Vicky Khan:

    Hi Vicky,

    your setup will work, but without the VLAN until you configure the XG to have a VLAN. Also the VLANs on XG are L3 so you will need an IP address (different range) on the physical interface.

    General internet access

    Plug the WAN port into the router, change the WAN port to DHCP.

    firewall rule - source LAN -> any -> destination WAN -> any -> all - > log. Enable http scanning, application and web tabs to allow all. IPS to LAN to WAN, MASQ and set output to WAN link name.

    That will get you going with minimal issues and minimal security.

    You configure WIFI in the wireless tab. Accept the AP, change country to your country create your SSIDs and assign them to the AP. Let the AP access to bridge to LAN. Do not forget to set your SSID password.

     

    The above will get you started and then can be refined with reduced internet access, business rules for your servers.

    I would suggest you get a consultant from your partner/reseller to help with the detailed refining of your configuration because what you are asking is for a detailed configuration without having access to your servers, business requirements and security requirement. Also it will be a lot quicker than trying to debug via this forum. There are KBAs that will assist 

    Ian

  • In reply to rfcat_vk:

    Hello Ian,

    Thanks for your detail response.

    You mean if there is no VLAn on the switch then the above setup will work?

    What i understand is to connect the WAN port of the XG 135 to the 4g router via direct cable and then apply the firewall rule? correct

    I am also trying to get the initial support from the sophos in the package which is 2 hours .

  • In reply to Vicky Khan:

    Hi Vicky,

    correct on all accounts. But set the WAN port to DHCP assuming the 4G router hands out IP addresses. I suspect you will not be able to use the extra external addresses because they will be appearing on the 4G router and the XG will not know about them. Unless the routers in bridge mode.

    Ian

  • In reply to rfcat_vk:

    Hello Ian,

    Thanks again for your response, again one small query for clarification confusion :)

    But set the WAN port to DHCP assuming the 4G router hands out IP addresses ?  WAN port of Router?   for wireless clients? If yes then the DHCP IP scope on the 4g router wil be the same as LAN network i.e. 172.21.24.x/24?

  • In reply to Vicky Khan:

    Hi Vicky,

    WAN port of XG to LAN port of 4G router. The wireless users I am referring to are the internal users who will connect to the internet through the XG.
    ian

  • In reply to rfcat_vk:

    Hey Boss,

    last question, what will be the IP range for that DHCP scope? As currently we are having one DHCP server (172.21.24.50-150/24) on one of the server for LAN clients, 

    The IP range for DHCP on router will be the same or different ?

  • In reply to Vicky Khan:

    Hi Vicky,

    the DHCP range for the internal network should be your 172.21.24.0/24 but what the 4G router will provide I don't know. Some of the ones I have used provide 192.16.0.0/24, but you might have to configure it yourself. If you can access the 4G router you could try putting it bridge mode and that way the XG would get to know about the real IP addresses.

    Ian