Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Connecting RED's to XG when using BGP

Hello,

 

I am wondering if anyone has setup an XG using BGP and has RED's connected to it? Since there are no ACL's for the RED service ports, how can the XG accepts RED's from a BGP IP address that is not on a WAN port? There is no gateway address either so the XG does not have an interface in the BGP IP block. It only has point to point connections to each ISP using /30's.

 

This is a multi-hop BGP setup to 2 different ISP's, advertising a /22. Any info would be greatly appreciated.



This thread was automatically locked due to age.
Parents
  • Hi  

    As per the information provided you want to configure RED device and XG firewall connectivity using BGP, please correct me.

    Regards,

    Keyur
    Community Support Engineer | Sophos Support
    Sophos Support VideosKnowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link

  • Yes, I want the RED's to connect back to one of the IP's on our /22 public block that will be routed via BGP.

  • The RED cannot connect to any of the IP addresses in our block.

    If it could, lets say 205.12.34.123, if the peering went down with one ISP, the other ISP would have the route to that address. It is the basics of BGP. I am not understanding why you can't understand how BGP works.

    I need the XG to respond to services on a BGP address block. It is as simple as that. I cannot use an address on the PTP link with either ISP.

  • Still not clear.

    Why should the RED not be able to connect to your IP? 

    Your IP 205.12.34.123 is reachable via BGP and is a IP based on your XG (One of your Interfaces). 

    If this IP went down, the Interface still holds this IP - So basically the IP is still reachable via other route to your XG.

    Why should those Packets from RED not reach the XG? 

     

    You said, you are not getting any IP assigned by ISP, instead you are holding your own IPs and simply publishing your routes to ISP via BGP. 

    So basically your IPs are static? So because of link local loop back interfaces, the XG will respond always to your static IPs. 

    __________________________________________________________________________________________________________________

  • No, in this example, 205.12.34.123 is an IP in our BGP block. Not on an interface on the XG. That is the whole problem.

  • So you do not hold own IPs? 

    Are those leased IPs, which you are allowed to publish through BGP? 

    What are you using exactly? 

     

    But nevertheless, still the fact: 

    You are getting a block of IPs, As said, RED supports only two different IPs as hostname. 

    So ether use two of those IPs in your block or use a DNS service. 

     

    __________________________________________________________________________________________________________________

  • Please listen to what I am saying. We have our own block of IP's. A /22 block.

    We advertise those to 2 different ISP's using BGP.

    The /22 block is NOT on any interface on the XG. The only interfaces are 2 DMZ interfaces that have /30 IP's for the PTP links to the carriers provider edge routers.

    How can we get the XG to listen to services (RED, SSLVPN, IPSEC VPN, etc,) on any IP out of the /22 block?

  • Simply create all IPs on the DMZ Interfaces as Alias, because they are Alias. Otherwise the IP is not sitting on the XG and is not usable by XG.

    Without a Interface / Alias, XG has no reason to answer any ARP Requests for this interface. 

    But having same IPs as Alias on two different interfaces is not practicable. This will cause loops. 

    __________________________________________________________________________________________________________________

  • You are wrong. You do not put the IP as aliases when using BGP. The IP's are usable because they are in the routing table. Again, everything works fine as it is setup now, except the XG will not listen for services.

    Is there another Sophos engineer that can respond that understands BGP?

  • Thats an open Community, i am basically answering as a privat person.

     

    You should get in touch with your sophos SE or open a Case, if the XG is not answering on the services. 

    I would assume to use the IPs on the Alias interface (loopback) to get the service react to the IPs and requests. Otherwise there is no need to respond to any of those packets. 

    __________________________________________________________________________________________________________________

  • PS: I assume you are using the /22 behind XG and simple route the traffic to your DMZ? 

    XG is properly forwarding the traffic to the DMZ and all IPs of your /22 is placed in your DMZ? 

    So most likely you need to choose one or two IPs of your /22 and place it on your XG. Most likely on the DMZ interface (LAG?). 

    Otherwise the XG will not pickup those packets. 

    This will work for SSLVPN and RED. IPsec VPN needs a WAN Zone Interface, so most likely you cannot use it in this scenario. 

    __________________________________________________________________________________________________________________

  • You cannot put any of the IP's on an interface. I don't know why you can't understand that.

    The fact that IPSEC cannot use a BGP address is a HUGE flaw in XG. Just add it to another reason people are leaving Sophos for other vendors. A $100 MikroTik router can handle BGP properly. 

Reply
  • You cannot put any of the IP's on an interface. I don't know why you can't understand that.

    The fact that IPSEC cannot use a BGP address is a HUGE flaw in XG. Just add it to another reason people are leaving Sophos for other vendors. A $100 MikroTik router can handle BGP properly. 

Children