Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Help routing specific device traffic across layer 2 connection

Hello there,

I’m trying and failing to route all internet traffic from device 10.5.15.20 at SITE B across the layer 2 MAN and out ISP1 WAN at SITE A.

I’m trying not to impact any other traffic at SITE B with this configuration, only internet bound traffic from 10.5.15.20 should be routed in a way that it traverses the Layer 2 MAN and is routed to the internet via ISP1 WAN at SITE A.

This layer 2 MAN from the provider is not MPLS and has no provided gateway or routes, the interfaces at both sites can ping each other across the MAN connection. It's basically a Layer 2 switch connection.

Any recommendations?

Both firewalls at each site are running SFOS v19 MR1.

Any help is appreciated!



This thread was automatically locked due to age.
Parents
  • Hi Sam Mroe,

    You can check this guide if applicable

    Route all Branch Office internet traffic through the Head Office ISP gatewayhttps://soph.so/8YUFlK

    But instead of the whole Branch network, just change the following

    Step 2. B Change the Source Network to :10.5.15.20 ( For allowing WAN on Site A)

    Services to: HTTP/HTTPS or desired Services

    Change the VPN to your L2 MAN

    Step 3. Change the Source Network to:10.5.15.20  (Blocking WAN for Site B)

    So that, only 10.5.15.20 will be affected

    *Make Sure you change the Any to only 10.5.15.20 so that no other settings will be affected.

    Erick Jan
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Hi Erick,

    Thanks for the reply and sorry for the delay in response.

    I attempted to follow your link and recommended changes, unfortunately I don't think this will work. Replacing the VPN with my L2 MAN doesn't build the required routes for internet traffic, nothing ends up hitting the NAT translation rule.

    Since the L2 MAN doesn't have any gateways/routes, I guess a simpler explanation is to think of the L2 MAN as a L2 switch or just a direct connection from sophos to sophos. How would I route traffic from that specific 10.5.15.20 device across that direct connection for internet access without it being system wide (static route) or requiring a gateway (SD-WAN policy routes) as the default DMZ/LAN Zone types aren't routing that traffic correctly.

    Any recommendations are greatly appreciated, thanks!

  • Hi Sam Mroe,

    I'm sorry to hear that, I would recommend you to reach out to your Sales Engineer and or Account Manager so they can assist you with this and provide all the resources you might need for implementation

    Erick Jan
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

Reply Children
No Data