This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Set an indipendent second WAN interface

Good morning,

I have two clusters of XGS 2100 in HA (Active-Passive) running with the firmware version 19.5.3 MR-3-Build652. This is my current setup in both of the clusters: 

WAN1 (ISP) > Port2

LAN > PortF1

HA > PortF2 - PortF2

As per object, in one of them, I need to set an indipendent second WAN interface (WAN2) for connecting a MPLS router that will be reachable only from a VLAN. This operation is quite simple and I made it from Network > Add Interface. I set the IP information, the WAN zone and the port.

The desired setup would be:

WAN2 (MPLS with NO Internet access) > Port4

VLAN > Port6

However, after I enable the port and I plug the cable in, that will connect the MPLS router to the Port4 of the firewall, the Load Balancing (that I don't need) starts to work and most ot my users lose the Internet access (WAN1). Even configuring the weights, for each gateway, from the WAN link manager, is not helping at all.

Furthermore, I tried to set my firewalling rules so part of the traffic gets forwarded to the WAN1 (I selected WAN from the Destination zones and Port2 from the Destination networks) and some to the WAN2 (I selected WAN from the Destination zones and Port4 from the Destination networks) but it is not working at all.

Do you have any suggestions or any idea on why this setup is not working? Please let me know if you need further information, I have been vague just to explain the main issue.

As a temporary workaround, I just created a VLAN on the switch, and on the XGS cluster, and connected the MPLS router directly to the tagged switch port. Of course, this is not sustainable and this is not the setup I want.

Thank you and have a nice day!

Best regards.



This thread was automatically locked due to age.
Parents
  • Just remove the „Gateway“ setting from this uplink. 

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hello  ,

    thank you for your answer. What do you mean? Once I setup the WAN interface, I cannot remove the gateway.

  • Good morning  ,

    thank you for your answer and sorry for my late reply.

    Before opening this thread I already tried what you suggested but probably there is something I did not set correctly and it did not worked.

    There is something I forgot to mention: our network devices are Ubiquiti and VLANs are managed through the Unifi Dream Machine Pro and "assigned" to the ports of the switches.

    Yesterday I tried the following setup and it did not work the same:

    VLAN 210 (Third-party Gateway), created on the UDMP's network side, tagged on ports 37 to 48 of the switch. The idea is to let the FW manage the VLAN with a DHCP server assigned to the VLAN interface.

    WAN2 (MPLS with NO Internet access) > Port4 - I connected the MPLS router to this interface in the MPLS zone. IP of the interface: 10.10.200.2 (.1 is the router)

    VLAN > Port6 - I connected the port 37 of the switch in the MPLS zone. IP of the interface: 10.10.210.1

    The VLAN on Port6 is literally a VLAN interface that I assigned to the Port6 (Port6.210) with a DHCP server binded. Then, I simply created a firewalling rule that was redirecting the traffic from Port6 to Port4 and the other way around. In this way, I think that static routes are not necessary. 

    Is there something I am missing or that I made wrong on this setup?

    Thank you for your precious support and have a nice day!

    Best regards,

    Leonardo

  • Hello Leonardo,

    did you define a gateway at WAN2?

    Please post a screenshot of your edit window of that interface.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hello  ,

    I improperly called it WAN2 but, as you also suggested, I did not configured the port in the WAN zone. I created a LAN zone called MPLS and I assigned it to the Port4. Then, I created a LAN zone called VLAN and I assigned to the Port6. Then, I created a gateway binded to the Port4.

    Port 4:

    Gateway binded to the Port4:

    Port 6 and Port6.210:

    The VLAN ID 210 interface is needed to the UDMP in which I tagged the VLAN 210.

    The firewalling rule simply goes from the VLAN to the MPLS. Source and Destination are Network groups and not ports. I can see that the traffic goes out from Port6 but does not reach in any way the Port4 and back.

    Am I missing something?

  • Hello Leonardo,

    can you show us the definition of "STATIC_Port4_GW" ?

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hello  ,

    sure, here you are!

    Thank you.

  • Hello Leonardo,

    that does not define a route through a gateway, as you might have thought. This is only a definition for a monitoring condition for uplinks.

    What you want is a couple of static routes through that MPLS Gateway at 10.10.200.1 poiting to the other (remote) networks behind it.

    You will need to specify the other networks in one route for each network.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Good morning  ,

    yesterday I tried to create two unicast static routes:

    From VLAN to MPLS:

    and from MPLS to VLAN:

    Anyway, routing is not working. Probably I am doing something wrong but I cannot find out what.

    Thank you!

  • 10.10.210.1/24 is a wrong network definition, have you tried it with networks like 10.10.210.0/24?

    Regards,

    Kevin

    Sophos CE/CA (XG, UTM, Central Endpoint)
    Gold Partner

  • Hello Leonardo,

    you need to define the network you want to route to, not the host.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Then you need to define the route to the 10.10.210.0 /24 network ON THE OTHER SIDE. The remote site has to knw how to reach the 210 net.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

Reply
  • Then you need to define the route to the 10.10.210.0 /24 network ON THE OTHER SIDE. The remote site has to knw how to reach the 210 net.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

Children
  • Good morning Kevin, Philipp,

    thank you. After clicking on the "Save" button, the setting automatically translates the host IP in a Network IP. So, this is not the problem.

      as from the screenshots I defined both of the routes. From VLAN to MPLS and from MPLS to VLAN.Is there something wrong about it?

  • The second screenshot is from the other firewall system at the remote site?

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hello  

    VLAN and MPLS are on the same site. Sorry for missing this information.

    The MPLS router is connected to the Port4 and the switch in which the VLAN is tagged to the port 6. The VLAN is configured from port 37 to port 48 of the switch and it is defined in the Unifi Dream Machine Pro networks as a "third-party gateway" with VID 210. 

    For this reason, I binded a VLAN interface to Port6 with VID 210. Is the setup clear now or you need further information?

  • Hi, reading back I don't quite get your setup. You have 2 ports (port 4 and port 6.210). You only have 1 MPLS router on port 4. Where is port 4 connected?
    Is it connected directly to the MPLS router or is there a switch in between? If there is a switch in between and it's port is a tagged port, then you should also have a tagged (VLAN) port on the Sophos side.

    Perhaps you could create a little drawing of your network topology because I don't quite see yet why you have two interfaces in the firewall that both have to do something for your MPLS network.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Hello  ,

    thank you for your answer.

    The MPLS router is directly connected to the Port4 of the firewall. There is no switch in the middle. To the Port6 of the firewall, there is a switch that has the VLAN 210 tagged from port 37 to port 48 of the switch. On these ports there are our ESXi host connected. What I want is to let some Virtual Machines reach the MPLS router. 

    As a workaround, what I am currently doing is to keep the MPLS router directly connected to the switch bypassing the firewall. But this is not a good setup neither from a security point of view nor from a logging point of view.

    If the setup is still not clear, I will prepare a short schema for you.

    Thank you for your support!

    Leonardo

  • First guess, your VLAN210 subnet should have a route to the "other side" of the MPLS tunnel but the other side of the MPLS tunnels should also have a route back to your VLAN210 subnet otherwise the return traffic will never reach you.

    Please add ip-ranges to the schema if possible.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Hello  ,

    here you are a quick drawing:

    Thank you!

    Leonardo

  • That is a lot clearer now. What is the gw on 10.10.200.1 ?

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hello  ,

    unluckily that router is a CPE and it is not managed from me but from my supplier. That's the problem.

  • Hi LeonardoM,

    as PhillipppRusch said, routing to local networks behind your firewall (from the perspective of the MPLS router) has to be done on the MPLS-router - unless your firewalls IP (10.10.200.2) in that network is not the default gateway for it - what I don't think.

    Regards,

    Kevin

    Sophos CE/CA (XG, UTM, Central Endpoint)
    Gold Partner