
Set an independent second WAN interface

Good morning,

I have two clusters of XGS 2100 in HA (Active-Passive) running firmware version 19.5.3 MR-3-Build652. This is my current setup in both clusters:

WAN1 (ISP) > Port2

LAN > PortF1

HA > PortF2 - PortF2

As per the subject, in one of them I need to set up an independent second WAN interface (WAN2) to connect an MPLS router that will be reachable only from a VLAN. This operation is quite simple and I did it from Network > Add Interface. I set the IP information, the WAN zone and the port.

The desired setup would be:

WAN2 (MPLS with NO Internet access) > Port4

VLAN > Port6

However, after I enable the port and plug in the cable that connects the MPLS router to Port4 of the firewall, the Load Balancing (which I don't need) starts to work and most of my users lose Internet access (WAN1). Even configuring the weights for each gateway from the WAN link manager does not help at all.

Furthermore, I tried to set my firewall rules so that part of the traffic gets forwarded to WAN1 (I selected WAN from the Destination zones and Port2 from the Destination networks) and some to WAN2 (I selected WAN from the Destination zones and Port4 from the Destination networks), but it is not working at all.

Do you have any suggestions or any idea on why this setup is not working? Please let me know if you need further information, I have been vague just to explain the main issue.

As a temporary workaround, I just created a VLAN on the switch, and on the XGS cluster, and connected the MPLS router directly to the tagged switch port. Of course, this is not sustainable and this is not the setup I want.

Thank you and have a nice day!

Best regards.



  • Just remove the „Gateway“ setting from this uplink. 

    Kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hello  ,

    thank you for your answer. What do you mean? Once I set up the WAN interface, I cannot remove the gateway.

  • Hi, reading back I don't quite get your setup. You have 2 ports (port 4 and port 6.210). You only have 1 MPLS router on port 4. Where is port 4 connected?
    Is it connected directly to the MPLS router or is there a switch in between? If there is a switch in between and its port is a tagged port, then you should also have a tagged (VLAN) port on the Sophos side.

    Perhaps you could create a little drawing of your network topology because I don't quite see yet why you have two interfaces in the firewall that both have to do something for your MPLS network.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Hello  ,

    thank you for your answer.

    The MPLS router is directly connected to Port4 of the firewall. There is no switch in the middle. To Port6 of the firewall there is a switch that has VLAN 210 tagged from port 37 to port 48 of the switch. Our ESXi hosts are connected to these ports. What I want is to let some Virtual Machines reach the MPLS router.

    As a workaround, what I am currently doing is to keep the MPLS router directly connected to the switch bypassing the firewall. But this is not a good setup neither from a security point of view nor from a logging point of view.

    If the setup is still not clear, I will prepare a short schema for you.

    Thank you for your support!

    Leonardo

  • First guess, your VLAN210 subnet should have a route to the "other side" of the MPLS tunnel but the other side of the MPLS tunnels should also have a route back to your VLAN210 subnet otherwise the return traffic will never reach you.

    Please add ip-ranges to the schema if possible.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Hello  ,

    here is a quick drawing:

    Thank you!

    Leonardo

  • That is a lot clearer now. What is the gw on 10.10.200.1 ?

    Kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hello  ,

    unfortunately that router is a CPE and it is not managed by me but by my supplier. That's the problem.

  • Hi LeonardoM,

    as PhilippRusch said, routing to local networks behind your firewall (from the perspective of the MPLS router) has to be done on the MPLS router - unless your firewall's IP (10.10.200.2) in that network is not the default gateway for it, which I don't think is the case.

    Regards,

    Kevin

    Sophos CE/CA (XG, UTM, Central Endpoint)
    Gold Partner

  • Hello  ,

    I will get in touch with my supplier in order to understand the current addressing and to add a static route via 10.10.200.2/24, which is the IP of Port4, to which the router is connected.

    Then, I think that a firewall rule should be enough, without creating other static routes on the XGS, for going from the VLAN zone to the MPLS zone and back. Am I right?

  • Then this won't work, if the router has a different gateway than 10.10.200.2.

    Kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • You only have to create static routes for networks that your own firewall doesn't know how to reach.

    A default gateway on a WAN interface means a static route for 0.0.0.0/0 (any) to the IP address of your ISP's router/network. This means your firewall will send traffic to networks other than the locally known ones (assigned to a local interface) to that gateway. Your ISP knows nothing about a 10.x.x.x network, since it is a non-routable, private network address.

    In cases where you have a network somehow connected over another way/router - let's say a network 10.0.0.0/24 is located behind that MPLS router (from your firewall's perspective) - then you will have to create a static route for 10.0.0.0/24 to the IP you know, in this case 10.10.200.1.

    The other side (MPLS router) only knows your firewall's IP in the network both devices share (10.10.200.0/24). The clean way is routing all traffic to your local networks to your firewall's IP in that network. If your supplier refuses to add routes, another way could be to use NAT for the traffic that passes to the MPLS router, SNATing (masquerading) it to your firewall's IP in that network (10.10.200.2/24). But in this case I would try to find another supplier.

    A problem I see is your VLAN. You can't use the same IP range for your physical and your virtual interface.

    If the traffic reaches the firewall untagged (without a VLAN ID) just use Port6. If the traffic reaches your firewall with a VLAN TAG of 210 then only use Port6.210 and give Port6 a dummy IP address like 10.11.12.13/30.

    Regards,

    Kevin

    Sophos CE/CA (XG, UTM, Central Endpoint)
    Gold Partner
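    The route lookups described above, as an added example that is not part of the thread: a longest-prefix match over constructed copies of the XGS and CPE routing tables. The ISP next hop, the supplier-side hop and the far-side network 10.0.0.0/24 are assumed placeholders; it shows why 10.0.0.0/24 goes to the ISP until the static route exists, and why the reply path still fails until the supplier adds a route for 10.10.210.0/24 via 10.10.200.2.

```python
import ipaddress

# Constructed tables modelled on the thread's setup; the ISP next hop, the
# supplier's MPLS core hop and the far-side network 10.0.0.0/24 are assumed.
ISP_GW = "203.0.113.1"        # assumed ISP gateway on Port2 (WAN1)
MPLS_CPE = "10.10.200.1"      # MPLS router (CPE) on Port4, from the thread
XGS_PORT4 = "10.10.200.2"     # firewall's IP on Port4, from the thread

# (destination prefix, next hop or None when directly connected, interface)
XGS_ROUTES = [
    ("0.0.0.0/0", ISP_GW, "Port2"),         # default gateway of WAN1
    ("10.10.200.0/24", None, "Port4"),      # WAN2, shared with the MPLS CPE
    ("10.10.210.0/24", None, "Port6.210"),  # VLAN 210 towards the ESXi hosts
]
XGS_MPLS_STATIC = ("10.0.0.0/24", MPLS_CPE, "Port4")  # network behind the CPE

CPE_ROUTES = [
    ("0.0.0.0/0", "supplier-core", "mpls0"),  # CPE default into the MPLS cloud
    ("10.10.200.0/24", None, "lan"),          # the only local net the CPE knows
]
CPE_RETURN_STATIC = ("10.10.210.0/24", XGS_PORT4, "lan")  # what the supplier adds


def lookup(routes, dst):
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop, iface)
    if best is None:
        return None
    net, nexthop, iface = best
    return {"prefix": str(net), "via": nexthop or "connected", "iface": iface}


def path_is_symmetric(xgs_routes, cpe_routes, vm="10.10.210.50", far="10.0.0.5"):
    """True only when the forward hop lands on the CPE and the reply comes back."""
    forward = lookup(xgs_routes, far)
    reply = lookup(cpe_routes, vm)
    return forward["via"] == MPLS_CPE and reply["via"] == XGS_PORT4
```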

  • Hello Kevin,

    thank you for your really useful explanation. I will get in touch with my supplier on Monday, I am pretty sure that there will not be any problem in adding a route.

    Thank you all for your precious support!

    Best regards,

    Leonardo

  • Hello  ,

    I spoke with my supplier and they promptly created the static route via 10.10.200.2/24. Now I can reach the MPLS router. However, I cannot reach any resource behind it, as they need to announce my 10.10.210.0/24 to their devices/networks.

    Now, regarding the VLAN 210: on the UDMP, as already said, I created this VLAN and assigned it to the ports 37 to 48 of the L3 switch:

    Then, I created a VLAN interface on Port6 of the firewall (Port6.210) and assigned a dummy IP to Port6. However, it seems like the traffic doesn't get forwarded with the VID, as it does not go through the VLAN interface of the firewall. If I configure the firewall interface as a normal interface, the traffic goes through it and can reach the MPLS router. The firewall rule is configured with network objects and not with ports and, of course, the static route is configured. This is a bit odd.

    Another question is: I have a secondary site (let's say with the subnet 172.16.1.0/24) that is linked to the primary site through a VPN S2S IPsec. I would like to let the secondary site reach the MPLS router as well. This MPLS router, I did not say it before, gives access to DRaaS and BaaS resources. According to your experience, what is the best way to achieve it? Through DNAT?

  • If you want your secondary site to reach networks behind the MPLs it's nearly the same but it depends a bit on what technique is used (policy based VPN or route-based VPN with traffic-selector or any-any tunnel) and what device is on the secondary site.
    Do you have more information on that?

    Regarding your VLANs. Do you have to use VLAN tags on your end devices to reach each other, or do you only have to connect them to the correct switchport to do so?

    If you do not have to edit the VLAN tag on the end devices, your switch is using port-based VLANs, meaning your VLAN tag of 210 is directly assigned to the specific ports. Traffic that enters the switch has to be "untagged", without a VLAN tag, and traffic that leaves the switch through a port is "untagged" again. In this case you do not have to use a VLAN interface on the firewall. Simply connect a cable to a configured VLAN port of the switch, give the firewall the IP 10.10.210.1 on that port (6 in your overview), delete the VLAN interface on the firewall and you are fine.

    A VLAN interface on the firewall is needed if you have 1 cable to a switch but you want to serve more than 1 network over that cable. In this case the physical adapter gets one network, and each VLAN adapter gets another network. On the switch that has to be divided by VLAN tagging. There are different namings with VLANs, I don't know how Ubiquiti is doing it. Some vendors call interfaces with more than 1 VLAN "trunk interfaces", others use wordings like "untagged" and "tagged", others use wordings like "access", "trunk native", "trunk allowed".

    Regards,

    Kevin

    Sophos CE/CA (XG, UTM, Central Endpoint)
    Gold Partner

  • In addition to  about the VLAN issue you are experiencing:

    If you use a VLAN interface in the firewall, then this interface needs to be connected to a switchport that has the same VLAN tagged (usually a trunk). If the switchport is an access port in the desired VLAN then you cannot use a VLAN interface in the firewall since it sends the VLAN tag.

    Same thing as kerobra already said, but explained differently.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
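    The tagged-versus-untagged behaviour described in the two replies above, as an added example that is not part of the thread: a small 802.1Q demultiplexer with constructed frames (dummy MACs, a stub IPv4 payload) and a model of the switch port mode. It shows why a frame that leaves an access port arrives untagged and lands on Port6, never on Port6.210, while a trunk port keeps the tag on the wire.

```python
import struct

TPID_8021Q = 0x8100          # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800
# Which firewall interface receives a frame, keyed by VID (None = untagged).
FIREWALL_IFACES = {None: "Port6", 210: "Port6.210"}


def build_frame(vid=None):
    """Constructed Ethernet II frame with dummy MACs and an optional 802.1Q tag."""
    dst = bytes.fromhex("001122334455")  # constructed MAC
    src = bytes.fromhex("66778899aabb")  # constructed MAC
    payload = b"\x45" + b"\x00" * 19     # constructed minimal IPv4 header stub
    if vid is None:
        return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload
    tci = vid & 0x0FFF                   # PCP/DEI left at zero
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4) + payload


def parse_frame(frame):
    """Return (vid, ethertype); vid is None when the frame carries no tag."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, ethertype
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner


def switch_egress(frame, mode, pvid=210):
    """Model a switch port: access ports strip the tag, trunk ports keep it."""
    vid, _ = parse_frame(frame)
    if mode == "trunk":
        return frame                     # tag stays on the wire
    if vid not in (None, pvid):
        return None                      # access port drops other VLANs
    return frame if vid is None else frame[:12] + frame[16:]  # remove 4-byte tag


def deliver(frame, ifaces=FIREWALL_IFACES):
    """Which firewall interface sees the frame; None if no interface matches."""
    if frame is None:
        return None
    vid, _ = parse_frame(frame)
    return ifaces.get(vid)
```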

  • Thank you  and  ,

    everything clear. The problem is that Ubiquiti is not really clear when it comes to configuring VLANs. Since I configured the VLAN to be managed from a third-party gateway (and, for this reason, managed from the firewall VLAN interface), I could just assign the VID that, of course, is the same on the firewall VLAN interface.

    So, if I got it right, for letting it work I have to set the VLAN ID to the vSwitch, in vSphere, that is managing the VLAN network object and the VMs assigned to it for working with tags. Actually I am working with a simple access port as I did not set the VID on the vSwitch level.

    Regarding  's question, I set a policy based VPN with any to any tunnel.

  • Your vSphere is an example, where you normally have 1 (or more) physical uplinks connected to the physical switch and where the switch has to be configured as a trunk with more than 1 VLAN IDs. But I don't understand how it is involved here.

    "Third party gateway" on your Ubiquiti switch says who is responsible for the routing between the different subnets/VLANs. A layer 3 switch can do that on its own, but normally you want that to be done by a firewall, because otherwise you will have to create access lists on the switch which control which connections are allowed. That doesn't mean the firewall controls anything IN that subnet; it only controls the "exit" and "entrance" to that subnet in the form of a firewall ruleset.


    Regarding the VPN, please share a screenshot of your S2S tunnel. "Any" to "Any" is only possible if it is a tunnel interface, which would be route-based VPN.

    Regards,

    Kevin

    Sophos CE/CA (XG, UTM, Central Endpoint)
    Gold Partner

  • I use Ubiquiti Unifi access points and have a controller in my environment. I think this is what you mean with "managed from third-party gateway"

    The VLAN-id's here have to be tagged on the switchport where I connect my access points. The access point itself uses the so-called native vlan which in my case is my management VLAN. 
    See this page for a small explanation on how to create a trunk port ((tagged vlans) port 1 in the example) and how to create an access port ((untagged vlan) port 2 in the example)

    I think 


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Hello  ,

    for configuring the VLAN on "end-devices", do you mean directly on the Network Interfaces of each device?

    Anyway, here is the screenshot of the S2S:

    Thank you!

  • OK, policy based and no "any-any" tunnel :-)

    Regarding your S2S you must add the network(s) behind the MPLS router as "remote subnet(s)" on your BO firewall so that the firewall on this end knows, which destination networks can be reached through the tunnel.

    On the HQ firewall this network then has to be a "local subnet" to make the S2S tunnel work from the IPsec SA view. You will have to take care in the HQ firewall rules to add the correct zones to the networks as destination zones; it depends on what zone your MPLS router is in (for example, if it resides in a DMZ zone, the firewall rule for the S2S tunnel has to include LAN and DMZ to make it work).

    Regards,

    Kevin

    Sophos CE/CA (XG, UTM, Central Endpoint)
    Gold Partner