
Connecting REDs to XG when using BGP

Hello,

I am wondering if anyone has set up an XG using BGP and has REDs connected to it? Since there are no ACLs for the RED service ports, how can the XG accept REDs on a BGP IP address that is not on a WAN port? There is no gateway address either, so the XG does not have an interface in the BGP IP block. It only has point-to-point connections to each ISP using /30s.

This is a multi-hop BGP setup to 2 different ISPs, advertising a /22. Any info would be greatly appreciated.



  • Hi  

    As per the information provided, you want to configure RED device and XG firewall connectivity using BGP. Please correct me if that is not the case.

    Regards,

    Keyur
    Community Support Engineer | Sophos Support

  • Yes, I want the REDs to connect back to one of the IPs in our /22 public block that will be routed via BGP.

  • Still not clear.

    Why should the RED not be able to connect to your IP? 

    Your IP 205.12.34.123 is reachable via BGP and is an IP based on your XG (one of your interfaces).

    If this IP went down, the interface still holds this IP, so basically the IP is still reachable via another route to your XG.

    Why should those packets from RED not reach the XG?

    You said you are not getting any IP assigned by the ISP; instead you are holding your own IPs and simply publishing your routes to the ISP via BGP.

    So basically your IPs are static? So because of link-local loopback interfaces, the XG will always respond to your static IPs.


  • No, in this example, 205.12.34.123 is an IP in our BGP block. Not on an interface on the XG. That is the whole problem.

  • So you do not hold your own IPs?

    Are those leased IPs, which you are allowed to publish through BGP?

    What are you using exactly?

    But nevertheless, still the fact:

    You are getting a block of IPs. As said, RED supports only two different IPs as hostname.

    So either use two of those IPs in your block or use a DNS service.

  • Please listen to what I am saying. We have our own block of IPs. A /22 block.

    We advertise those to 2 different ISPs using BGP.

    The /22 block is NOT on any interface on the XG. The only interfaces are 2 DMZ interfaces that have /30 IPs for the PTP links to the carriers' provider edge routers.

    How can we get the XG to listen for services (RED, SSLVPN, IPsec VPN, etc.) on any IP out of the /22 block?

  • Simply create all IPs on the DMZ interfaces as aliases, because they are aliases. Otherwise the IP is not sitting on the XG and is not usable by the XG.

    Without an interface / alias, XG has no reason to answer any ARP requests for this interface.

    But having the same IPs as aliases on two different interfaces is not practicable. This will cause loops.

  • You are wrong. You do not put the IPs as aliases when using BGP. The IPs are usable because they are in the routing table. Again, everything works fine as it is set up now, except the XG will not listen for services.

    Is there another Sophos engineer that can respond that understands BGP?

  • That's an open community; I am basically answering as a private person.

    You should get in touch with your Sophos SE or open a case if the XG is not answering on the services.

    I would assume you need to use the IPs on the alias interface (loopback) to get the service to react to the IPs and requests. Otherwise there is no need to respond to any of those packets.

  • PS: I assume you are using the /22 behind the XG and simply route the traffic to your DMZ?

    XG is properly forwarding the traffic to the DMZ, and all IPs of your /22 are placed in your DMZ?

    So most likely you need to choose one or two IPs of your /22 and place them on your XG. Most likely on the DMZ interface (LAG?).

    Otherwise the XG will not pick up those packets.

    This will work for SSLVPN and RED. IPsec VPN needs a WAN zone interface, so most likely you cannot use it in this scenario.

  • You cannot put any of the IPs on an interface. I don't know why you can't understand that.

    The fact that IPsec cannot use a BGP address is a HUGE flaw in XG. Just add it to another reason people are leaving Sophos for other vendors. A $100 MikroTik router can handle BGP properly.

  • Could you show me your network topology? 

    Basically you are talking with two interfaces to both ISPs and one interface to your internal (DMZ) network, which hosts all your servers.

    Those servers hold your public /22 IPs?

    XG routes the traffic from the internet to the servers and publishes all routes to the internet, correct?

    So you should be able to place the IP of some of those /22 networks on your XG.

    Like this person is asking: https://community.sophos.com/products/xg-firewall/f/network-and-routing/103884/bgp-loopback-best-practice-on-sophos?pi2147=26

    Or this: https://www.reddit.com/r/sophos/comments/8uotz4/sophos_xg_bgp_failover_and_wan_alias_for_port/

  • I have 2 interfaces that are PTP links to ISP routers, as I have said numerous times. I then have an internal LAN interface.

    You cannot put any of the /22 on the interfaces for the PTP links, as there is no redundancy if you do. If that interface goes down, so does that IP.

    Both of those posts are exactly what I am trying to do. Neither got answered.

  • And I am not talking about your PTP interfaces to the ISP.

    I am talking about your LAN interface, which links your network with the /22 to the internet, isn't it?

    Or why do you have a /22 in the first place?

    You are using this /22 for something?

    There are servers which have all those IPs of the /22?

    Both posts are using an internal DMZ with public IPs and publish all IPs through XG via BGP to the ISP.

    So basically you put a loopback interface in place and put the wanted IP on the XG via an alias.

  • You are not listening.

    I am not talking about servers behind the firewall.

    I am talking about the XG listening for services on an IP address that is in the block of the /22.

  • Please provide a Network map on your setup.

    Otherwise I cannot follow your setup, and so I cannot provide any kind of suggestion.

    Maybe with some screenshots, if you do not have a topology.