Connecting RED's to XG when using BGP

Hi MichaelBolton 

As per the information provided you want to configure RED device and XG firewall connectivity using BGP, please correct me.

Yes, I want the RED's to connect back to one of the IP's on our /22 public block that will be routed via BGP.

No, in this example, 205.12.34.123 is an IP in our BGP block. Not on an interface on the XG. That is the whole problem.

So you do not hold own IPs? 

Are those leased IPs, which you are allowed to publish through BGP? 

What are you using exactly? 

But nevertheless, still the fact: 

You are getting a block of IPs, As said, RED supports only two different IPs as hostname. 

So ether use two of those IPs in your block or use a DNS service. 

Please listen to what I am saying. We have our own block of IP's. A /22 block.

We advertise those to 2 different ISP's using BGP.

The /22 block is NOT on any interface on the XG. The only interfaces are 2 DMZ interfaces that have /30 IP's for the PTP links to the carriers provider edge routers.

How can we get the XG to listen to services (RED, SSLVPN, IPSEC VPN, etc,) on any IP out of the /22 block?

Simply create all IPs on the DMZ Interfaces as Alias, because they are Alias. Otherwise the IP is not sitting on the XG and is not usable by XG.

Without a Interface / Alias, XG has no reason to answer any ARP Requests for this interface. 

But having same IPs as Alias on two different interfaces is not practicable. This will cause loops. 

You are wrong. You do not put the IP as aliases when using BGP. The IP's are usable because they are in the routing table. Again, everything works fine as it is setup now, except the XG will not listen for services.

Is there another Sophos engineer that can respond that understands BGP?

Thats an open Community, i am basically answering as a privat person.

You should get in touch with your sophos SE or open a Case, if the XG is not answering on the services. 

I would assume to use the IPs on the Alias interface (loopback) to get the service react to the IPs and requests. Otherwise there is no need to respond to any of those packets. 

PS: I assume you are using the /22 behind XG and simple route the traffic to your DMZ? 

XG is properly forwarding the traffic to the DMZ and all IPs of your /22 is placed in your DMZ? 

So most likely you need to choose one or two IPs of your /22 and place it on your XG. Most likely on the DMZ interface (LAG?). 

Otherwise the XG will not pickup those packets. 

This will work for SSLVPN and RED. IPsec VPN needs a WAN Zone Interface, so most likely you cannot use it in this scenario. 

You cannot put any of the IP's on an interface. I don't know why you can't understand that.

The fact that IPSEC cannot use a BGP address is a HUGE flaw in XG. Just add it to another reason people are leaving Sophos for other vendors. A $100 MikroTik router can handle BGP properly. 

Could you show me your network topology? 

Basically you are talking with two Interfaces with both ISPs and one Interface to your internal (DMZ) network, which hosts all your servers. 

Those servers hold your public IP /22? 

Xg routes the traffic by the internet to the servers and publish all routes to the internet, correct? 

So you should be able to place the IP of some of those /22 networks on your XG.

Like this person is asking: https://community.sophos.com/products/xg-firewall/f/network-and-routing/103884/bgp-loopback-best-practice-on-sophos?pi2147=26

Or this: https://www.reddit.com/r/sophos/comments/8uotz4/sophos_xg_bgp_failover_and_wan_alias_for_port/

I have 2 interfaces that are PTP links to ISP routers, as I have said numerous times. I then have an internal LAN interface.

You cannot put any of the /22 on the interfaces for the PTP links as there is no redundancy if you do. If that interface goes down, so does that IP.

Both of those post are exactly what I am trying to do. Neither got answered.

I have 2 interfaces that are PTP links to ISP routers, as I have said numerous times. I then have an internal LAN interface.

You cannot put any of the /22 on the interfaces for the PTP links as there is no redundancy if you do. If that interface goes down, so does that IP.

Both of those post are exactly what I am trying to do. Neither got answered.

And i am not talking about your PTP Interfaces to ISP.

I am talking to your LAN interface, which links your Network with the /22 to the Internet, isnt it? 

Or why do you have a /22 in the first place? 

You are using this /22 for something? 

There are servers, which have all those IPs of the /22? 

Both posts are using a internal DMZ with public IPs and publish all IPs through XG via BGP to ISP.

So basically you put a Loop back interface in place and put the wanted IP on the XG via Alias. 

You are not listening.

I am not talking about servers behind the firewall.

I am talking about the XG listening for services on an IP address that is in the block of the /22.

Please provide a Network map on your setup.

Otherwise i cannot follow your setup, because i cannot provide anykind of suggestion. 

Maybe with some screenshots, if you do not have a topology.