RED tunnel - software v.s. hardware

Using a RED Site to Site Tunnel will cause problems, if you use a static route with gateway routes. 

Did you generate any kind of routes or is your entire routing based on the VLANs, which are extended by the bridge? 

In general, the RED protocol works the same on hardware and software. But you created a bridge, correct? 

Please learn what is layer 2. RED is pure L2 tunnel. There is no needed any routing, any IP. Only you need bridge RED interface to physical interface and allow traffic by firewall.  The result is just like you have put very long RJ45 cat cable between devices. It can be managed in switches level, without any IP or routing. You can use VLANs. VLANs also go through tunnel, only you need make VLAN interface both in tunnel and physical nic side and then bridge them, as without it sophos device accepts only untaged traffic..

Why you then waste my time if you dont use Sophos RED products?

I waste your tme?!?

Don‘t be impertinent!

Yes, you just waste my time, nothing more.

But yes, Sophos XG bridge is not "pure bridge", but it makes arp relay. You cant see MAC addresses from other side of bridge, only see bridge MAC. But this dont make sense in RED aspect of view. RED is still pure L2  and passthrough VLANs. RED is also some kind of bridge. It can only work or not work, there is no half-working state. But there exists also lots of bridges without MAC addresses and without arp relays. Example Sophios UTM, Mikrotik, Pfsense, CheckPoint, Palo Alto etc. They just transfer all packets to other side, withou MAC interaction with arp relay. But Sophos XG bridge can also do more than example Palo Alto. It can route L2 packets to L3 interface (when source have no acknowledge about L3 interface at all). Ist like "by force" packets translation. Mikrotik bridge is also very powerful - it can make NAT for MAC addresses. Every products bridge is unique and different from other products. Bridges can be implemented very different ways. But this have nothing to do with RED.   

I will agree with the other's you are being a bit rude for a community forum, but I will try to give you an answer. I don't completely understand your issue, but I will try to help.

RED is a proprietary layer 2 protocol to mimic a point to point layer 2 connection. It is not identical to plugging a cable in between devices, but's it's damn good at what it does for traversing layer 3 devices. It does require MAC addresses though, using ARP proxy or broadcast.

RED can pass MAC's over the tunnel. I have plenty of tunnels setup that do. Small sites have a vlan that is a bridge of another vlan on the main Sophos device. They operate as if they are on the same network. This is all based on using RED devices, like RED50.

RED S2S is a little different. It doesn't matter if you are using a software appliance or hardware. SFOS does not like bridging networks that exists on 2 different SFOS appliances in my experience. I always just create a /30 for the P2P interface and route the traffic between firewalls. It's cleaner in the end. You are not sending broadcast and multicast traffic over the tunnel, using up your bandwidth. This works with hardware appliances or software.

Sophos has sales engineers that will help you evaluate this setup. They can get high level engineers involved if needed. If your plan is to try to run XG home in production, I would advise against it. It's against the license terms and isn't supported. You can run the trial version of XG for fully supported configs.

Mike

Its not against license terms. I get license from Sophos, for XG Home. But have you tested RED tunnel? Between software server (running on Vmware, Hyper-V or plain PC) and software client?  Do VLAN-s works?

It is against the terms if you use XG home in a production environment, regardless if you officially downloaded it from Sophos. Sophos provides trail license for proof of concept setups and provides resellers with NFR licenses to test with. XG home licenses were never meant for users to try out production setups. They are meant for home users to run XG in their home network to learn the product. I'm not the license police, so I don't care, just wanted to inform you.

Yes, I run multiple software appliances and hardware. Software appliances are primarily on Hyper-V, but some are on VMWare. There is no difference between them. Software appliances may run a little faster if you have fast host processors vs the equivalent appliance.

VLAN's work fine for all, but I use a /30 P2P address for the RED interface and add the VLAN's to that interface after the tunnel is up. I do not use layer2 on site to site tunnels. I either use static routing or OSPF pointing to the RED interface IP on both sides. I only use layer2 when using a RED device.

Typically, if you have a SFOS appliance on both side (software or hardware) it is better to route the traffic. Again, you "can" bridge the vlans so both sites operate as the same network, but I highly recommend you don't do this. The Linux OS underneath can get confused by the routes being injected and any diagnostics in the future are hindered.

Any reason you can't use layer 3 routing over the layer 2 RED tunnel? What is your end goal? Knowing the full setup may help to see if RED is even the right option.

But I am home user. I dont have any company here. I am pensioner. My firewall is in my kichen. Do you want picture? I can make picture from my home and firewall........ VLANs are L2. If you dont use L2, then there are no any VLANs. VLANs dont need IP addresses and routing. So, seems you havent at all tested layer 2 RED with VLANs, without IPs, between 2 software XG. Can you please test this and post result. ........No, its not better to route traffic. Routed traffic cant connect devices directly, only through gateway. Example I have devices with gateways to some other firewall or router, then they cant communicate,  because traffic goes to wrong gateway. I must make then static route to every device, but this goes to abnormal configuration. But my main reason why I need L2 RED, is other. I have in city TV service provider digibox. It works only in fixed location and dont allow any routing. Now I put L2 RED tunnel between city home and my countryside and watch TV there without problems. I already tested this. L2 RED works only when server side is hardware XG (I have one). Many years ago I tested this also with Sophos UTM. And UTM allows to use software server side. But today UTM dont present anymore free RED for home users.

You are mixing up so many things.

First of all. The Software (OS) is the same. There is literally no difference in the OS between a hyper-v managed installation and a installation on a Sophos owned component. 

But there could be an issue on other parts of your installations. First of all, you should check your registration (and with that your license). If you license is not in the state "sub scripted", modules will not work as intended. If you deffer to register the Appliance, it will not work. 

RED is completely based on certificates. In another thread you point out, you have NTP out (For no reason?). Without a correct time sync, the Tunnel could be broken.

And again: It does not matter, what kind of appliance installation you use. If the hyper-V installation is corrupt (has issues) it will not work. That has no implication on the installation you use. 

You could go down the road and use a Sophos UTM home: https://www.sophos.com/en-us/free-tools/sophos-xg-firewall-home-edition It is also available. 

What license you talk about? Sophos XG Home license is sent by email right after download . What is "correct time"?  And I ask again - have you at all tested software RED server with software RED client?  Do your VLANs worked? 

What license you talk about? Sophos XG Home license is sent by email right after download . What is "correct time"?  And I ask again - have you at all tested software RED server with software RED client?  Do your VLANs worked?