Firewall rules for foreign VPN

Mathias,

can you add more details?

Where is the Wireguard network in the diagram?

If you upload a diagram, is better.

Regards

Good morning Luk,

more detailed it would look like below.

Mathias

Thanks. If I understood correctly, your users connect to both XG and Cisco Router. Users in XG cannot reach 192.168.80.1/24 network? If this is the case, from XG, you need to inform it that another network exist.

So, create a static route where the destination network is 192.168.80.1/24 where the interface is "interface where the VLAN 12 is attached) and the next hop is "192.168.12.1".

Hi Luk,

no sorry it seems that you got me wrong:

Everything is working fine: Users can reach everything as the routers are connected via OSPF in the backround.

My question is just: How can I make Sophos XG aware of that 192.168.80.0/24 subnet should be seens as a VPN zone - so I can add more granular firewall rules if needed.

As currently I think Sophos treats this connection as LAN.

Do you use VPN (IPsec) with Wireguard and which mode? Routebased or Policy Based? 

In Routebased, you would simply route the traffic to the other site through the tunnel.

In Policy Based you have to configure the local network and the remote network and the XG will take action for the routing.

Be aware of the routing precedence on XG. https://community.sophos.com/kb/en-us/123610

VPN means "Policy based". 

Do you use VPN (IPsec) with Wireguard and which mode? Routebased or Policy Based? 

In Routebased, you would simply route the traffic to the other site through the tunnel.

In Policy Based you have to configure the local network and the remote network and the XG will take action for the routing.

Be aware of the routing precedence on XG. https://community.sophos.com/kb/en-us/123610

VPN means "Policy based".