

Pass public IP address to device behind XG without NAT

Hi experts. My ISP has given me a range of public IPs - say for example 125.10.10.1/30. So I have 2 usable addresses - 125.10.10.1 and 125.10.10.2.

Say interface port B is setup as my WAN and interface port A is my LAN (with a subnet of 192.168.25.1/24)

I want to keep 125.10.10.1 as the main WAN address for my LAN network. For this I have a standard MASQ and it works fine.

However, I have a tenant whose router is plugged into port C. I want to allocate the IP 125.10.10.2 to them - but I don't want to do any NAT. Their router should be configured with the IP address 125.10.10.2 and all traffic to that IP should go straight to that port with no NAT.

I understand I need to create an alias for IP 125.10.10.2? But apart from that, I'm not sure how I configure this. Do I simply create a new interface on port C with the IP address of 125.10.10.2? Do I need to create an SNAT rule for traffic coming from Port C so that traffic to the Internet from that port has the IP 125.10.10.2 rather than the default IP of 125.10.10.1?

Thanks for any help you can provide. I have tried Googling this, but I'm obviously not getting my GoogleFu terminology correct.



This thread was automatically locked due to age.
  • Hi,

    I will answer again, this time remembering to save the post.

    What you are trying to do will not work because you will need two addresses on your internal LAN, one for the LAN (XG) interface and one for the router external interface.

    You should be able to setup a rule that allows the LAN to WAN without using a NAT when you have two addresses on the internal LAN.

    You could try creating a bridge which would mean you would not need an extra address.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Ian and thanks for your reply.

    I think maybe my terminology was confusing. Partly because I don't know the right words to describe what I'm trying to achieve. Let me try again.

    Port A is my internal LAN. It uses standard MASQ and has a subnet of 192.168.25.1/24. Any traffic destined for the Internet on any device attached to Port A will go via the Sophos XG as the gateway and out to the Internet. So a typical device on port A will have the IP address of say 192.168.25.100/24 and the gateway of 192.168.25.1. The Sophos NATs the traffic out to the Internet and everyone is happy. This is a standard setup.

    However, Port C should not be part of the LAN. There is only a single device attached to port C - another router (that belongs to the tenant). That device should have the public address 125.10.10.2 (which is the other available address on our 125.10.10.1/30 range). So any traffic destined for that IP address (125.10.10.2) will come in on the Sophos' WAN port (port B) and straight out to the device plugged into port B. That device (tenant's router) can then do its own NATting to its own LAN. They can port forward, set firewall rules on their router etc. - as if they were directly connected to the Internet (which they basically are - because the XG is not NATting their traffic).

    I hope that is clearer - sorry for the confusion. I know this is possible on the SG as I have done it a number of times. I'm also sure it is fairly common. Especially these days when you can get a fiber connection with a /27 and have a few IPs to play with.

    Thanks again for any insight you can provide.

  • Hi,

    My answer still does not change. I would suggest you go for a bridge with your tenant network only with your existing IP range.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hello Luke,

    What you are describing here is generally known as bridging. If you put PortB and PortC in a bridge, then your tenant will get what you want. My advice would be to use a second WAN port for the rest, if you want to keep things straight and easy to manage them independently from the other access you give to your tenant.

    [Edit: corrected some typos]

    Kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks Ian and Philipp for your insight.

    To clarify - I have only 1 WAN connection. I just have a /30 on the WAN connection (or a /27 or whatever). If I understand bridges correctly, bridging port B and port C will not enable the LAN on port A to communicate to the Internet - is that correct? It won't let me "split" the public IPs up and send traffic to different locations.

    What I'm trying to achieve is more a routing tweak. I want all traffic destined to 125.10.10.1 to route to the LAN on port A (with MASQ). But I want all traffic destined for 125.10.10.2 to route to port C without being natted. I don't think a bridge will do this will it?

  • Hello Luke,

    You don't need to "split" anything at your WAN side. You have a physical layer and a logical layer. You may physically have a device from your ISP with only one ethernet port. OK, but that's not limiting you how you set up your devices behind this router or cable modem. You may have to use a "dumb" switch to have one ethernet cable from your ISP WAN router running to that switch and two cables running to WAN1 and WAN2 of your firewall. The IP addresses are assigned to the interfaces like you wish. Example: We have two ISP uplinks in my company, one has a network with 8 IPs, the other has 16 IPs, which are going to two different interfaces at the Sophos firewall. I don't need to "split" anything, everything is done with routing. The situation you have is a little bit different, that's why I suggest a second interface for the second IP. The first interface is used with "MASQ", the second is bridged to your tenant's network.

    Kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.
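The thread describes two forwarding policies living side by side on one firewall: the private LAN on Port A is masqueraded behind the first usable public address, while the tenant on Port C keeps the second usable address end to end with no translation. The following Python model is an added illustration, not Sophos XG configuration and not code from anyone in the thread. It uses the thread's example interfaces and the constructed 125.10.10.0/30 range; the anti-spoofing check on Port C (only the tenant's own public address may be sourced there) and the omission of connection-tracked reply traffic are assumptions of this model, added from a defender's point of view so the policy can be sanity-checked before it is typed into a real device.

```python
"""Toy model of routed-with-MASQ (Port A) next to untranslated pass-through
(Port C) on a single WAN link. Added illustration; not a vendor API."""
from dataclasses import dataclass, replace as with_fields
from ipaddress import ip_address, ip_network, IPv4Address
from typing import Optional

# Constructed example values taken from the thread.
ISP_BLOCK = ip_network("125.10.10.0/30")   # the /30 the ISP handed out
LAN = ip_network("192.168.25.0/24")        # Port A, private, masqueraded


def usable_hosts(block):
    """Host addresses usable in a block (network and broadcast excluded)."""
    return list(block.hosts())


# For a /30 this yields exactly two hosts: the firewall's WAN address and
# the address handed to the tenant's router.
WAN_IP, TENANT_IP = usable_hosts(ISP_BLOCK)


@dataclass(frozen=True)
class Packet:
    in_port: str          # "PortA" (LAN), "PortB" (WAN) or "PortC" (tenant)
    src: IPv4Address
    dst: IPv4Address


@dataclass(frozen=True)
class Decision:
    action: str                # "forward" or "drop"
    out_port: Optional[str]    # egress interface, None when dropped
    nat: str                   # "MASQ" or "none"
    packet: Packet             # the packet as it leaves the firewall


def forward(pkt: Packet) -> Decision:
    """Apply the policy the thread asks for to one packet.

    Simplification (assumed): reply traffic for established masqueraded
    flows is handled by connection tracking and is not modelled here, so
    unsolicited inbound traffic to WAN_IP is dropped.
    """
    if pkt.in_port == "PortA":
        if pkt.src not in LAN:
            return Decision("drop", None, "none", pkt)   # spoofed source
        # LAN -> Internet: rewrite the source to the first public address.
        return Decision("forward", "PortB", "MASQ", with_fields(pkt, src=WAN_IP))

    if pkt.in_port == "PortC":
        # The tenant may only source its own public address (assumed check).
        if pkt.src != TENANT_IP:
            return Decision("drop", None, "none", pkt)
        return Decision("forward", "PortB", "none", pkt)   # no translation

    if pkt.in_port == "PortB":
        if pkt.dst == TENANT_IP:
            # Straight through to the tenant, destination untouched.
            return Decision("forward", "PortC", "none", pkt)
        # Anything else, including unsolicited traffic to WAN_IP, is dropped.
        return Decision("drop", None, "none", pkt)

    return Decision("drop", None, "none", pkt)


def decide(in_port: str, src: str, dst: str) -> Decision:
    """String-friendly wrapper around forward()."""
    return forward(Packet(in_port, ip_address(src), ip_address(dst)))


if __name__ == "__main__":
    # Constructed sample flows covering each direction discussed in the thread.
    samples = [
        ("PortA", "192.168.25.100", "203.0.113.5"),   # LAN host to Internet
        ("PortB", "203.0.113.5", "125.10.10.2"),      # Internet to tenant
        ("PortC", "125.10.10.2", "203.0.113.5"),      # tenant to Internet
        ("PortC", "125.10.10.1", "203.0.113.5"),      # tenant spoofing WAN_IP
        ("PortB", "203.0.113.5", "125.10.10.1"),      # unsolicited to WAN_IP
    ]
    for sample in samples:
        d = decide(*sample)
        print(f"{sample} -> {d.action:7} out={d.out_port} nat={d.nat} "
              f"src={d.packet.src} dst={d.packet.dst}")
```

Running the script prints one line per sample flow. The point to check is the last column pair: the LAN flow leaves with its source rewritten to 125.10.10.1, while both tenant flows keep 125.10.10.2 unchanged, which is exactly the "no NAT on Port C" behaviour Luke is after. Swapping `ISP_BLOCK` for a larger prefix (a /27, say) makes `usable_hosts` return more addresses, so the same model covers the case where several tenants each get their own public address.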

