Sophos XG 135 with IP over WAN, in a different network than Alias interfaces

I can have on the same WAN interface, an IP 189.10.10.46/255.255.255.192, with gateway 189.10.10.1.
And several IP Alias on the same interface, only on a different network, 189.10.20.16-189.10.20.30/255.255.255.240?

Alias would be for publishing services hosted on the internal network, such as web server, erp application, e-mail server, etc.

Wait and thanks !

  • Ivanildo,

    Alias IP must use the same subnet of the physical interface.

    Regards

  • In reply to lferrara:

    But I have a problem, the provider gave me an IP for the interface that is part of a network. It is a block of valid IP addresses that are part of another network.


    This works today on the client, it uses Fortigate and the equipment supports primary and secondary IP on the same interface, in which case the secondary IP is on the same network as the Alias.
    The client will switch from Fortigate to Sophos XG, but this has to work.

    What do I do ?

  • In reply to lferrara:

    I don't know that is entirely true; encountered a customer years ago whose ISP was, in American terms, "lame."  They added additional public IPs using ROTP (Routing Over The Top) …. granted, this was with Sophos SG UTM (may have even been Astaro UTM back then... but to my amazement adding each Alias IP with a /32 worked for publishing inbound services (of course it did not work for outbound, but that wasn't the point)… the ISP did some "Magic" that allowed this to work.  I wasn't a fan of the configuration, but it did work.  Things may be different on XG of course.

  • In reply to IvanildoGalvão:

    Ivanildo,

    I tried on v18 and you can.

    Check the screenshot.

     

  • In reply to BrucekConvergent:

    The provider gave a solution.

    It will put a router on the edge, where it will be the gateway of Sophos, the WAN interface of the router will have IP 189.10.10.46/255.255.255.192, since its internal interface connected directly to XG, it will have IP 189.10.20.17, in XG it will be 189.10.20.18.
    So the XG interface and the Alias will be on the same network.

    That solves the problem, right?

    Detail: The IP addresses here are fictitious.

  • In reply to IvanildoGalvão:

    It will work but you will have another hop.

    As I said on v18, you CAN HAVE IP Alias with different subnet mask. Check the screenshots.

    Regards

  • In reply to lferrara:

    Yes, it lets you configure, this is done in version 17.5.9 MR9, the question is, does it work? If XG will be able to receive and route packages.

  • In reply to IvanildoGalvão:

    Ivanildo,

    I will perform a test on my lab and let the community knows.

    Regards

  • In reply to lferrara:

    I can confirm, it works.

    18:57:13.814608 ifb0, OUT: IP 192.168.1.23.40398 > 20.150.29.228.https: Flags [.], seq 24445:25885, ack 7440, win 365, length 1440
    18:57:13.814633 Port2, OUT: IP 192.168.1.23.40398 > 20.150.29.228.https: Flags [.], seq 24445:25885, ack 7440, win 365, length 1440
    18:57:13.814658 ifb0, OUT: IP 192.168.1.23.40398 > 20.150.29.228.https: Flags [.], seq 25885:27325, ack 7440, win 365, length 1440
    18:57:13.814666 Port2, OUT: IP 192.168.1.23.40398 > 20.150.29.228.https: Flags [.], seq 25885:27325, ack 7440, win 365, length 1440
    18:57:13.814739 ifb0, OUT: IP 192.168.1.23.40398 > 20.150.29.228.https: Flags [.], seq 27325:28765, ack 7440, win 365, length 1440
    18:57:13.814748 Port2, OUT: IP 192.168.1.23.40398 > 20.150.29.228.https: Flags [.], seq 27325:28765, ack 7440, win 365, length 1440

    I applied the proper NAT on v18 and created an ad-hoc firewall rule.

    It works!

  • In reply to lferrara:

    I tested it here, it worked very well.

     

    Sophos XG supports having an IP of a network on the interface and the Alias on another network, the provider sends the packages to the services published in the Alias and it accepts :)
    Now how the provider does his part, I don't know.

    See the picture of how it turned out.

    Thank you for your support!