Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 2 replies
  • Answers 1 answer
  • Subscribers 37 subscribers
  • Views 3595 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Migration of Entire Network to Gateway on Different Physical Port/IP Schema - 2 Lan Ports with Different Addresses/Subnets

Nick Goad

So here is the deal - I have an entire network of devices (switches, APs, computers, laptops, servers, printers, IoTs) that was all built on a /16 subnet using public IP space and it is all just using default VLAN/VLAN 1.

176.100.x.x/16.  It is slow congested and woefully inefficient.  Obviously it needs to be broken up into VLANs but my problem is that it is simply too many things to migrate over a weekend and it will take me weeks, maybe months to get it all done.

Right now Port 1 on my XG3300 firewall is set to 176.100.203.1/16 and that is the default gateway for EVERYTHING in the company and it is plugged into port 1 on my core switch that feeds all the other switches/APs.

I want to get everything moved to a 192.168.<vlan>.<device> schema and i'm trying to figure out the best way to do that.

Port 4 and 5 are load balanced WAN links to two different ISPs and port 6 is also in the LAN zone as it goes to a provider managed router and subsequently to a managed/Metro E network to remote sites.

If I give port 2 on the firewall an address of 192.168.1.1 and plug it into port 2 on my core switch will I theoretically be able to use EITHER 192.168.1.1 OR 176.100.203.1 as a default gateway on a computer or printer or switch management port and have it work the same?

At the end of the day what I really need is to have 2 gateways in my LAN simultaneously going that give the same access to the same resources until I can get everything moved to the correct one and then build VLAN/Zone based rules.



This thread was automatically locked due to age.
  • 0

    Hello Nick,

    Thank you for contacting the Sophos Community.

    Most likely, you won't use it, but since you are fixing the network, stay away from 192.168.0 and 192.168.1, as those are the IPs used for 99% of homes worldwide.

    Having two gateways serving the same subnet simultaneously is generally not recommended, as it can cause confusion and potential routing issues. However, if it's a temporary measure and you know the potential risks, it should be okay if you manage it carefully.

    You could use a new port in the Sophos Firewall with 192.168.254.1 and a new port in your switch, basically have two broadcast domains, and use a small set of devices, for testing, such as maybe a Laptop reaching a Printer in the new subnet.

    You would need to create a new LAN to LAN Firewall rule. 

    Just be careful with the static routes set in your Core Switch to avoid asymmetric routing.

    In any case, I recommend you contact our Professional Services team, so they can assist you with your segmentation and routing setup.

    Regards,

     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • 0 in reply to emmosophos

    Yeah I was going to make the physical port 192.168.100.x for network management subnet then attach vlans 101-140 with corresponding subnets for device types/wifi network etc.

    It would only be creating a /24 broadcast domain so I don't think it would tax the network too much just during the transition but i'll give it a shot and see what happens.  if it works then that's the solution and I'll be all good.

    I haven't really messed with bridging the ports on Sophos firewalls so I didn't know if I could somehow utilize that feature to my advantage in this situation.

Unfiltered HTML