This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Firewall rules for foreign VPN

Hello,

I am running a dedicated VPN server to test Wireguard.

My current network for this looks like:

[Sophos XG] === 192.168.12.0/24 === [VPN Server] === 192.168.80.0/24 [VPN Devices]

My general firewall usually consists of LAN/VPN Allow/Deny Any - but I am not sure how to add my Wireguard network to the VPN list.

Is there a way to do this?

Or is Sophos using the rules which are valid for my 192.168.12.0 subnet?

Thanks,

Mathias

This thread was automatically locked due to age.

Parents

0 lferrara over 4 years ago

Mathias,

can you add more details?

Where is the Wireguard network in the diagram?

If you upload a diagram, is better.

Regards
Cancel
Vote Up 0 Vote Down

Cancel
0 Mathias Mühlbacher over 4 years ago in reply to lferrara

Good morning Luk,

more detailed it would look like below.

Mathias
Cancel
Vote Up 0 Vote Down

Cancel
0 lferrara over 4 years ago in reply to Mathias Mühlbacher

Thanks. If I understood correctly, your users connect to both XG and Cisco Router. Users in XG cannot reach 192.168.80.1/24 network? If this is the case, from XG, you need to inform it that another network exist.

So, create a static route where the destination network is 192.168.80.1/24 where the interface is "interface where the VLAN 12 is attached) and the next hop is "192.168.12.1".
Cancel
Vote Up 0 Vote Down

Cancel
0 Mathias Mühlbacher over 4 years ago in reply to lferrara

Hi Luk,

no sorry it seems that you got me wrong:

Everything is working fine: Users can reach everything as the routers are connected via OSPF in the backround.

My question is just: How can I make Sophos XG aware of that 192.168.80.0/24 subnet should be seens as a VPN zone - so I can add more granular firewall rules if needed.

As currently I think Sophos treats this connection as LAN.
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 4 years ago in reply to Mathias Mühlbacher

Do you use VPN (IPsec) with Wireguard and which mode? Routebased or Policy Based?

In Routebased, you would simply route the traffic to the other site through the tunnel.

In Policy Based you have to configure the local network and the remote network and the XG will take action for the routing.

Be aware of the routing precedence on XG. https://community.sophos.com/kb/en-us/123610

VPN means "Policy based".

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 lferrara over 4 years ago in reply to Mathias Mühlbacher

Mathis,

you cannot add a network inside VPN zone.

You can apply filter rules based on source/destination network in this case. By default, networks transported by the VPN, are automatically in the VPN zone. You will not see them, but they are in.

Of course, if you have multiple VPNs, all remote networks will be in the VPN zone but to QoS or filter the traffic, use source/destination.

Regards
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 lferrara over 4 years ago in reply to Mathias Mühlbacher

Mathis,

you cannot add a network inside VPN zone.

You can apply filter rules based on source/destination network in this case. By default, networks transported by the VPN, are automatically in the VPN zone. You will not see them, but they are in.

Of course, if you have multiple VPNs, all remote networks will be in the VPN zone but to QoS or filter the traffic, use source/destination.

Regards
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data