
WAN Alias IP for specific hosts in LAN

I tried all the guides in the knowledge base and forum but I'm unable to set a specific gateway for a specific host. My configuration is the following:

On Port 2 I have connected an FTTH (2.2.2.128/29) that has a router 2.2.2.129/29 that acts as gateway.

 

Configuration:

Port 1: WAN - Primary gateway 1.1.1.1/32 (pppoe connection)

Port 2: WAN - Secondary gateway 2.2.2.130/29 + Alias 2.2.2.131 / 132 / 133 / 134

---------------

Lan 192.168.1.1/24

I would like host 192.168.1.93 to use only gateway 2.2.2.131 for incoming and outgoing traffic.

----------------

In Firewall, I added a "user/network rule" as follows:

----------------------------------------

Host 192.168.1.93 is unable to ping or browse; I cannot understand what else I have to do to make it work.

 

Can someone help me with a detailed procedure, please?



  • Hi  

    Your rule configuration is fine for outbound traffic. Any traffic generated from machine 192.168.1.93 towards the WAN zone will be NATed to IP 2.2.2.131 based on the rule settings.

    What is the output of the packet capture and the drop packets on XG while you are browsing from machine 192.168.1.93?

    Command for the packet capture:

    console> tcpdump 'host X.X.X.X'

    where X.X.X.X is the outside public IP for which you are checking PING from the .93 machine (like 8.8.8.8 or 4.2.2.2).

    Command for the drop packets:

    console> drop 'host X.X.X.X'

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'Verify Answer' link.

  • Thanks for support! =)

     

    The problem is that 192.168.1.93 is unable to ping and unable to browse... no way to communicate with the internet.

    Tracert ends at the firewall IP 192.168.1.1.

     

    The output of the command is strange... it looks like the Sophos won't answer the ARP:

    console> tcpdump 'host 2.2.2.131'

    12:37:53.204067 Port2, OUT: IP 2.2.2.131 > 8.8.8.8: ICMP echo request, id 1, seq 1750, length 40
    12:37:58.204300 Port2, OUT: IP 2.2.2.131 > 8.8.8.8: ICMP echo request, id 1, seq 1751, length 40
    12:37:58.226668 Port2, IN: ARP, Request who-has 2.2.2.131 tell 2.2.2.129, length 46
    12:38:03.204689 Port2, OUT: IP 2.2.2.131 > 8.8.8.8: ICMP echo request, id 1, seq 1752, length 40
    12:38:03.227238 Port2, IN: ARP, Request who-has 2.2.2.131 tell 2.2.2.129, length 46

    Btw, this is the ports configuration:

    Could this be the problem?

     

    Command:

    console> drop 'host 2.2.2.131'

    doesn't show anything... the console just sits there with no output.
     

     

  • Hi  

    Thanks for sharing the packet capture and drop packets.

    From the packets it has been observed that the issue is with the WAN router. There is an ARP connectivity problem between XG and WAN router 2.2.2.129 for alias IP 2.2.2.131.

    In the packet capture it is giving the message "who-has 2.2.2.131 tell 2.2.2.129", which means 2.2.2.129 doesn't have ARP or connectivity for 2.2.2.131.

    Is there any chance to reboot the router connected on Port2 to re-learn the ARP of the IPs? That may fix this issue.

    Please check the Internet after rebooting the WAN Port2 router and confirm via tcpdump whether it is still giving the ARP issue or not.

    Regards,

    Vishal Ranpariya
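The symptom Vishal reads off the capture (the upstream router keeps asking who-has 2.2.2.131 and the firewall never answers) can be checked mechanically rather than by eye. The script below is an added example, not code from the thread or from Sophos: it assumes the "time Port2, IN|OUT: ..." line format shown in the posts, re-joins the lines the console wrapped at 80 columns, and for one alias counts ARP requests against ARP replies and ICMP echo requests against echo replies. BROKEN_CAPTURE is the OP's posted output as pasted; HEALTHY_CAPTURE is a constructed counterpart showing what a working alias looks like (its MAC address is invented).

```python
"""Triage an XG 'console> tcpdump' capture for the alias-IP ARP symptom.

Added example, not part of the thread. Assumes the line format shown in the
posts ("<time> Port2, IN|OUT: ..."); the captures below are constructed, the
first from the OP's posted output, the second invented as a healthy baseline.
"""
import re
from dataclasses import dataclass

TS_RE       = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")
ECHO_REQ_RE = re.compile(r"OUT: IP ([\d.]+) > ([\d.]+): ICMP echo request")
ECHO_REP_RE = re.compile(r"IN: IP ([\d.]+) > ([\d.]+): ICMP echo reply")
ARP_REQ_RE  = re.compile(r"IN: ARP, Request who-has ([\d.]+) tell ([\d.]+)")
ARP_REP_RE  = re.compile(r"OUT: ARP, Reply ([\d.]+) is-at ([0-9a-fA-F:]+)")

# Constructed sample 1: the OP's capture, exactly as the console wrapped it.
BROKEN_CAPTURE = """\
tcpdump: Starting Packet Dump
12:37:53.204067 Port2, OUT: IP 2.2.2.131 > 8.8.8.8: ICMP echo request, id 1,
 seq 1750, length 40
12:37:58.204300 Port2, OUT: IP 2.2.2.131 > 8.8.8.8: ICMP echo request, id 1,
 seq 1751, length 40
12:37:58.226668 Port2, IN: ARP, Request who-has 2.2.2.131 tell 2.2.2.129
, length 46
12:38:03.204689 Port2, OUT: IP 2.2.2.131 > 8.8.8.8: ICMP echo request, id 1,
 seq 1752, length 40
12:38:03.227238 Port2, IN: ARP, Request who-has 2.2.2.131 tell 2.2.2.129
, length 46
"""

# Constructed sample 2 (invented, NOT from the thread): a working alias, with
# the firewall answering the router's ARP request and the echo reply returning.
HEALTHY_CAPTURE = """\
12:40:01.000000 Port2, OUT: IP 2.2.2.131 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 40
12:40:01.010000 Port2, IN: ARP, Request who-has 2.2.2.131 tell 2.2.2.129, length 46
12:40:01.010100 Port2, OUT: ARP, Reply 2.2.2.131 is-at 00:11:22:33:44:55, length 28
12:40:01.030000 Port2, IN: IP 8.8.8.8 > 2.2.2.131: ICMP echo reply, id 1, seq 1, length 40
"""


def unwrap_console(text: str) -> list[str]:
    """Re-join records the console wrapped at 80 columns.

    A physical line that does not start with a tcpdump timestamp continues the
    previous record; the 'tcpdump: ...' banner and blank lines are dropped.
    """
    records: list[str] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("tcpdump:"):
            continue
        if TS_RE.match(line):
            records.append(line)
        elif records:
            records[-1] += line if line.startswith(",") else " " + line.strip()
    return records


@dataclass
class Verdict:
    alias: str
    echo_out: int        # ICMP echo requests leaving with the alias as source
    echo_in: int         # echo replies addressed to the alias
    arp_asked: int       # 'who-has <alias>' requests seen on the interface
    arp_answered: int    # 'Reply <alias> is-at' frames sent by the firewall
    askers: set[str]     # who asked (the upstream router, in the thread)
    finding: str

    @property
    def healthy(self) -> bool:
        # Unanswered ARP for the alias is the failure; no ARP seen is fine.
        return self.arp_asked == 0 or self.arp_answered > 0


def diagnose(capture: str, alias: str) -> Verdict:
    """Classify a capture for one alias IP.

    The tell-tale pattern from the thread: the router repeatedly asks
    'who-has <alias>', the firewall never replies, so echo requests go out
    but nothing can come back because the router has no MAC for the alias.
    """
    echo_out = echo_in = arp_asked = arp_answered = 0
    askers: set[str] = set()
    for rec in unwrap_console(capture):
        if (m := ECHO_REQ_RE.search(rec)) and m.group(1) == alias:
            echo_out += 1
        elif (m := ECHO_REP_RE.search(rec)) and m.group(2) == alias:
            echo_in += 1
        elif (m := ARP_REQ_RE.search(rec)) and m.group(1) == alias:
            arp_asked += 1
            askers.add(m.group(2))
        elif (m := ARP_REP_RE.search(rec)) and m.group(1) == alias:
            arp_answered += 1

    if arp_asked and not arp_answered:
        finding = (f"{alias}: {', '.join(sorted(askers))} asked who-has {alias} "
                   f"{arp_asked}x and the firewall never answered; the alias is "
                   f"not being served on this interface, check/re-add it")
    elif not (echo_out or echo_in or arp_asked):
        finding = f"{alias}: no traffic for this address in the capture"
    elif echo_out and not echo_in:
        finding = (f"{alias}: ARP is fine but {echo_out} echo requests got no "
                   f"reply; look upstream of the router or at the drop log")
    else:
        finding = f"{alias}: ARP answered and replies returning"
    return Verdict(alias, echo_out, echo_in, arp_asked, arp_answered, askers, finding)


if __name__ == "__main__":
    for name, cap in (("broken", BROKEN_CAPTURE), ("healthy", HEALTHY_CAPTURE)):
        print(name, "->", diagnose(cap, "2.2.2.131").finding)
```

Running it prints one verdict per capture. The `healthy` property is true only when every observed ARP request for the alias was answered by the firewall, which is exactly the check to repeat against a fresh tcpdump after the interface is reconfigured later in the thread.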

  • =(

    After reboot:

    console> tcpdump 'host 2.2.2.131'
    tcpdump: Starting Packet Dump
    13:21:48.335365 Port2, IN: ARP, Request who-has 2.2.2.131 tell 2.2.2.129, length 46
    13:21:51.668108 Port2, IN: ARP, Request who-has 2.2.2.131 tell 2.2.2.129, length 46
  • Sorry, I misunderstood... I restarted the firewall before; now I have restarted the Cisco of the FTTH... I will let you know what happens.

  • Same condition:

     

    I restarted the Sophos and restarted the Cisco; the situation is the same:

    13:32:30.426581 Port2, IN: ARP, Request who-has 2.2.2.131 tell 2.2.2.129, length 46
    13:32:43.396830 Port2, IN: ARP, Request who-has 2.2.2.131 tell 2.2.2.129, length 46
    13:33:05.908182 Port2, IN: ARP, Request who-has 2.2.2.131 tell 2.2.2.129, length 46

     

    I tried connecting a notebook with static IP 2.2.2.131/29 and the notebook works, it can browse using 2.2.2.131, so the problem cannot be the Cisco... at least I think so...

  • Hi  

    You may check and confirm the steps below as well, if there is any possibility to interrupt the current setup and settings for a while.

    Note: Please take a backup of the current configuration before the changes below.

    ================================

    a) Please delete the alias 2.2.2.131 from the Port2 settings.

    b) On the Port2 main interface settings, assign IP 2.2.2.131 (in place of 2.2.2.130) with the other settings as they are, and on the existing rule for system 192.168.1.93 select NAT with "MASQ"; then confirm whether the gateway status is green or RED with this setup. If the gateway goes green then ARP is getting learned, and you may confirm it via the console command below as well.

    console> sy dia uti arp sh 2.2.2.131

    c) If the issue is still there, then you may try changing the XG interface to confirm whether it works with another interface or not. (Note: while configuring another interface with network 2.2.2.X, you need to wipe out the settings of Port2.)

    =========================

    If all of the above fails, then revert the settings to the original and log a support case to conclude it further.

    Regards,

    Vishal Ranpariya

  • After resetting and reconfiguring the interface, both on port 2 and on port 5, everything works... no comment... it should not be possible to have this kind of problem...