
/32 Subnet in WAN and LAN - How do I force the XG to accept the Gateway?

I have the following problem:

I'm trying to deploy a Sophos XG Firewall as a VM from Hetzner Online.

They give me /32 IP addresses via DHCP.

Here's a little example:

WAN -> IP: 123.123.123.213 - Netmask: 255.255.255.255 - Gateway: 172.31.1.1

LAN -> IP: 10.10.0.2 - Netmask: 255.255.255.255 - Gateway: 10.10.0.1

Routing config from the Hetzner private LAN: 0.0.0.0/0 (every IP that the server wants to connect to) -> 10.10.0.1 (Hetzner GW) -> 10.10.0.2 (Sophos XG)

The problem: If I try to create a static route in the XG for the gateway of the LAN interface, it says "The GW IP must be in the same Subnet as the LAN IP" -> But WHY???

I tested it with a pfSense and it worked fine. But I need to run an XG.

Anybody have an idea?

  • Christopher,

    this is the correct behaviour. Your WAN IP and your gateway IP must be in the same subnet.

    Contact your ISP to modify this and give you an IP address that is not a /32.

    Regards

  • Hi Luk,

    the whole product of my ISP (Hetzner) is based on /32 IPs. All VMs get an external gateway outside their subnet, and it works fine. And, as I said, if I configure a pfSense firewall with an external gateway, it works. Even if I go into the advanced shell of the XG Firewall and set the routes manually, it works with the XG Firewall. But after a restart, all settings that I configured in the shell are gone, and the XG is unreachable again.

    So theoretically it has to work. But is there no way to configure it in the software of the XG?
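Added example (not from this thread, Sophos or Hetzner): it models the "gateway must be in the interface subnet" check that the XG GUI enforces and the two-route workaround (on-link host route to the gateway, then the default route) that makes an off-subnet gateway reachable, which is what the manual shell configuration above relies on. The interface names eth0/eth1 and the Linux iproute2 command syntax are assumptions; the addresses are the ones given in the question.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    destination: str        # prefix in CIDR form
    via: Optional[str]      # next-hop address, or None for an on-link route
    dev: str                # outgoing interface (assumed name, e.g. eth0)


def gateway_on_link(ip: str, prefixlen: int, gateway: str) -> bool:
    """The classic firewall-GUI check: is the gateway inside the interface's
    own subnet? For a /32 interface this is always False, because the only
    address in the subnet is the interface itself, which cannot be a next hop."""
    iface = ipaddress.ip_interface(f"{ip}/{prefixlen}")
    return ipaddress.ip_address(gateway) in iface.network and gateway != ip


def routes_for(ip: str, prefixlen: int, gateway: str, dev: str) -> List[Route]:
    """Routes needed to use `gateway` as the default next hop.

    On-link gateway: a single default route is enough.
    Off-link gateway (the Hetzner /32 case): first a /32 host route that
    declares the gateway directly reachable on `dev`, then the default route.
    Without the host route the kernel rejects the default route as unreachable."""
    if ipaddress.ip_address(gateway).version != ipaddress.ip_address(ip).version:
        raise ValueError("gateway and interface address family differ")
    routes: List[Route] = []
    if not gateway_on_link(ip, prefixlen, gateway):
        routes.append(Route(f"{gateway}/32", None, dev))
    routes.append(Route("0.0.0.0/0", gateway, dev))
    return routes


def as_ip_commands(routes: List[Route]) -> List[str]:
    """Render the routes as iproute2 commands (Linux syntax, assumed here;
    purely illustrative, nothing is executed)."""
    cmds = []
    for r in routes:
        dest = "default" if r.destination == "0.0.0.0/0" else r.destination
        if r.via is None:
            cmds.append(f"ip route add {dest} dev {r.dev}")
        else:
            cmds.append(f"ip route add {dest} via {r.via} dev {r.dev}")
    return cmds


if __name__ == "__main__":
    # WAN side from the question: 123.123.123.213/32 with gateway 172.31.1.1
    for cmd in as_ip_commands(routes_for("123.123.123.213", 32, "172.31.1.1", "eth0")):
        print(cmd)
```

The same two-route shape applies to the LAN side (10.10.0.2/32 with gateway 10.10.0.1); the subnet check fails there for exactly the same reason.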

  • No, I do not think so. IPs must be in the same subnet. This goes against the network layer concept.

    Yes, you can add routes via the advanced shell, but they will be deleted after a system restart or when new firmware is installed.

  • ... Year after year... every time the same answer... this is not consumer friendly.

    We users will use /32 subnets as gateway.... pfSense and others support this.... but Sophos still says: "This goes against the network layer concept" and does nothing. WTF?

    All consumers using an ISP solution with /32 subnets are locked out. Fine. Let's try other NGFW solutions...

  • @Administrator User14

    Yes, I agree with you! 

    Meanwhile almost all firewall manufacturers support /32 subnets, including pfSense and the other open-source FWs.

    Sophos has a really great firewall. But when it comes to /32 Subnets, and therefore cloud capability for most VPS Hosters, they are currently way behind...

  • Interestingly, my ADSL ISPs used to assign a /32 with a gateway in a different subnet, and that worked for UTM and XG, but will not work for routing.

    Deleted incorrect answer.

     

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Try to use SD-WAN Policy Based Routing.

    As far as I know, this should work. You can define the gateway, which has no relation to the interface.

    Then you place the SD-WAN policy based route for ANY traffic to this direction.