Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Firewall rules for foreign VPN

Hello,

 

I am running a dedicated VPN server to test Wireguard.

My current network for this looks like:

[Sophos XG] === 192.168.12.0/24 === [VPN Server] === 192.168.80.0/24 [VPN Devices]

 

My general firewall usually consists of LAN/VPN Allow/Deny Any - but I am not sure how to add my Wireguard network to the VPN list.

Is there a way to do this?

 

Or is Sophos using the rules which are valid for my 192.168.12.0 subnet?

 

Thanks,

Mathias



This thread was automatically locked due to age.
Parents Reply Children
  • Thanks. If I understood correctly, your users connect to both XG and Cisco Router. Users in XG cannot reach 192.168.80.1/24 network? If this is the case, from XG, you need to inform it that another network exist.

    So, create a static route where the destination network is 192.168.80.1/24 where the interface is "interface where the VLAN 12 is attached) and the next hop is "192.168.12.1".

  • Hi Luk,

     

    no sorry it seems that you got me wrong:

    Everything is working fine: Users can reach everything as the routers are connected via OSPF in the backround.

    My question is just: How can I make Sophos XG aware of that 192.168.80.0/24 subnet should be seens as a VPN zone - so I can add more granular firewall rules if needed.

    As currently I think Sophos treats this connection as LAN.

  • Do you use VPN (IPsec) with Wireguard and which mode? Routebased or Policy Based? 

    In Routebased, you would simply route the traffic to the other site through the tunnel.

    In Policy Based you have to configure the local network and the remote network and the XG will take action for the routing.

    Be aware of the routing precedence on XG. https://community.sophos.com/kb/en-us/123610

    VPN means "Policy based". 

    __________________________________________________________________________________________________________________

  • Mathis,

    you cannot add a network inside VPN zone.

    You can apply filter rules based on source/destination network in this case. By default, networks transported by the VPN, are automatically in the VPN zone. You will not see them, but they are in.

    Of course, if you have multiple VPNs, all remote networks will be in the VPN zone but to QoS or filter the traffic, use source/destination.

    Regards