Help routing specific device traffic across layer 2 connection

Hello there,

I’m trying and failing to route all internet traffic from device 10.5.15.20 at SITE B across the layer 2 MAN and out ISP1 WAN at SITE A.

I’m trying not to impact any other traffic at SITE B with this configuration, only internet bound traffic from 10.5.15.20 should be routed in a way that it traverses the Layer 2 MAN and is routed to the internet via ISP1 WAN at SITE A.

This layer 2 MAN from the provider is not MPLS and has no provided gateway or routes, the interfaces at both sites can ping each other across the MAN connection. It's basically a Layer 2 switch connection.

Any recommendations?

Both firewalls at each site are running SFOS v19 MR1.

Any help is appreciated!



Edited Tags
[edited by: Erick Jan at 6:59 AM (GMT -7) on 7 Sep 2022]

Top Replies

  • Hi Sam Mroe,

    You can check this guide if applicable

    Route all Branch Office internet traffic through the Head Office ISP gatewayhttps://soph.so/8YUFlK

    But instead of the whole Branch network, just change the following

    Step 2. B Change the Source Network to :10.5.15.20 ( For allowing WAN on Site A)

    Services to: HTTP/HTTPS or desired Services

    Change the VPN to your L2 MAN

    Step 3. Change the Source Network to:10.5.15.20  (Blocking WAN for Site B)

    So that, only 10.5.15.20 will be affected

    *Make Sure you change the Any to only 10.5.15.20 so that no other settings will be affected.

    Erick Jan
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Hi Erick,

    Thanks for the reply and sorry for the delay in response.

    I attempted to follow your link and recommended changes, unfortunately I don't think this will work. Replacing the VPN with my L2 MAN doesn't build the required routes for internet traffic, nothing ends up hitting the NAT translation rule.

    Since the L2 MAN doesn't have any gateways/routes, I guess a simpler explanation is to think of the L2 MAN as a L2 switch or just a direct connection from sophos to sophos. How would I route traffic from that specific 10.5.15.20 device across that direct connection for internet access without it being system wide (static route) or requiring a gateway (SD-WAN policy routes) as the default DMZ/LAN Zone types aren't routing that traffic correctly.

    Any recommendations are greatly appreciated, thanks!

  • Hi Sam Mroe,

    I'm sorry to hear that, I would recommend you to reach out to your Sales Engineer and or Account Manager so they can assist you with this and provide all the resources you might need for implementation

    Erick Jan
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Hi  Sam Mroe

    I have tried your network scenario to route 10.5.15.20 with Site A ISP1 and it worked in my LAB with the Source link: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/121408/routing-in-xgv18-with-sd-wan-pbr 

    Below are steps taken to achieve your requirement : 

    1. Checked Ping connectivity with DMZ Zone at Site A and Site B 

    Site A 

    Site B 

    2. Created Gateway by ADD under Configure -->Network -->Routing -->Gateways at Site B.

    3. Created an SD-WAN rule to route the traffic of 10.5.15.20 with DMZ Gateway at Site B.

    4. Created a Firewall rule from LAN-DMZ at Site B : 

    5. Created static route for 10.5.15.0/24 at Site A : 

    6. Created a Firewall rule from DMZ-WAN at Site A : 

    7. Created SD-WAN rule to route 10.5.15.20 system traffic with ISP1 at Site A

    Trace route result from 10.5.15.20 system at site B

    Packet capture from Site B

    Packet Capture from Site A : 

    At Site A, for the rest of the LAN network, I have used the feature of SD-WAN to route the networks with ISP2 and ISP1 respectively 

    Thanks and Regards

    "Sophos Partner: Infrassist Technologies Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.



    updated
    [edited by: Bharat J at 11:31 AM (GMT -7) on 17 Sep 2022]
  • Sorry for the delay, but yes great answer and I appreciate you building this out and sharing it on the forum. Hopefully it helps future Sophos users if they run across a similar use case.

    This is exactly the solution I ended up building a month ago with a bit of guidance from support (they recommended SD-WAN at site B and static route at site A and I figured out the rest through trial and error). It's working well and we've actually expanded this to 4 distinct sites with similar connectivity.

    Thanks again!

  • Hi Sam Mroe 

    Thanks for the update

    I have checked with Dynamic routing (OSPF and BGP) and SD-WAN it worked well.

    And I have found with a static route with HA, I have to update the static route in case HA failover , dynamic routing is the fix for me.

    Regards

    "Sophos Partner: Infrassist Technologies Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.