Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Set up VLAN to connect two separate networks

Hello,

My main network is 172.16.x.x and I have a VPN network using 192.168.x.x. The two networks don't 'talk' to one another but I would like to change that through the use of a VLAN.

First off, is that even possible to where I can access either network from the same PC? For example, I'm logged into my 172.16 network through my main router through ethernet connection. I cannot access my VPN 192.168 network unless I connect to it wirelessly (I have a VPN router with DHCP turned on that manages this network). This VPN router does connect to my main router that accesses internet. The LAN of main router connects to the WAN of VPN router.

So I'm using Sophos Firewall that protects my main network (172.16) but the VPN 192.168 network bypasses the firewall as it connects directly to main router. My main router connects to Sophos FW and then Sophos FW connects to a Cisco L2 switch to which everything else is connected.

Since L2 switch and main router can't do what I want concerning VLAN (I think I need a L3 switch to set up VLAN), maybe the Sophos FW can. So my theory is that if I connect my VPN router to a port on Sophos FW that is using VLAN, I should be able to connect to this network from any PC on main network. So essentially, my main PC with IP address of 172.16.x.x talks directly to another device on VPN network that has a 192.168.x.x IP address.

Is this even possible? I purposely set up the each network with the different IP ranges to avoid confusion between the two.

If possible to do this, would need to know specifically how to set up VLAN, Firewall rules and any NAT config to make this work.

Thanks for any help provided.



This thread was automatically locked due to age.
Parents
  • Hello  ,

    Thanks for reaching out to Sophos Community. 

    Could you share a network diagram of the setup you're trying to achieve?  

    Is there any specific reason why you have to retain the VPN router? Could you onboard the ISP link where the VPN users connect to Sophos Firewall instead? 

    This way you’ll manage the connectivity of LAN users and VPN on Sophos Firewall, which I believe is a more straightforward approach for your setup.

    Looking forward to hearing from you. Have a nice day and thank you for choosing Sophos. 

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • I use VPN router (running VPN s/w) to do 'secure' work and is a requirement. It was recommended to connect VPN router directly to main router instead of L2 switch.

    Everything works fine and has been for years. I just now want to be able to access both networks from any PC on either network.

  • Hi  ,

    This seems like a layer 2 issue.

    Let me know if my understanding of the network is correct

    If this is correct, then the users behind these networks (172.16.x.x and 192.168.x.x) will only respond to the same network/subnet since they’re connected to an L2 switch.

    To provide communication for these 2 subnets we’ll need to configure SNAT, here is the idea: Whenever the firewall receives a packet with source or destination from either 172.16.x.x or 192.168.x.x it will changes its source IP to whichever interface it will go out to.

    So make sure the firewall has an interface that has 172.16.x.x and 192.168.x.x


    Let us know if this works on your setup

    Looking forward to hearing from you. Have a nice day and thank you for choosing Sophos.

    Regards,

  • Hi Adam,

    The WAN of VPN router is connected to a LAN port on Main router...not Cisco L2 switch. That switch is only used on 172.16.x.x network. You are correct with 192.168 going through VPN router and 172.16 going through Main router. In any case, your assessment of the situation is correct.

    The Firewall rule shown above...does it allow internet access for 192.168.x.x? I ask as both source and destination are set to LAN. In my current setup, VPN router accesses internet through main router.

    So no need then to even set up a VLAN? Just looking for easiest solution that works. Thank you for your help.

  • Hi ,

    Thats great.

    As for the firewall rule shown above, It does not allow internet access since this rule is only specific for traffic between 172.16.x.x and 192.168.x.x

    No need to set up a VLAN since we will be using NAT to make it work. The only thing you will need is to make sure that the firewall has an interface for both networks. Here is an example.

    The Port connected to the Main router should be configured to have a IP address of 192.168.x.1, (If the port connected to the Main Router is configured differently, you can add an alias interface for this: Add an alias - Sophos Firewall ) Then make sure that the Port connected to the Cisco L2 Switch is also configured with an IP within the network, for example, 172.16.x.1. This is important since this is the IP that the firewall will use to NAT the source address.

    Let us know if this works. Looking forward to hearing from you.

  • Hi Adam,

    Sophos FW is running on a Protectli VP2410 mini PC. Sophos FW is also 'bridged' to my main router and has it's own IP address in the 172.16.x.x range (set on the VP2410).

    Port 2 on VP2410 is Sophos's WAN port and is the port connected to Main router LAN port. I don't think I can change this port to 192.168 as that will break everything...or am I misunderstanding what you are saying?

  • Ohh got it  ,

    I think this is how I understood your setup, take note that the IP 123.123.123.1 is just a hypothetical IP that I assume is on your network. As long as the firewall receives packets from 192.168.x.x network this setup will work. As for configuring an Add an alias - Sophos Firewall on the Firewall, I would suggest trying to configure this during a downtime schedule since this is a Virtual firewall.

    Let me also share with you a way to know if you’re receiving packets from 192.168.x.x using tcpdump. Firstly access the firewall's Advance shell

    Then input this command: {} -> this is a placeholder for your setup

    tcpdump -veni {Port of WAN} and host {source IP of 192.168.x.x}

    Example: then generate a traffic from 192.168.1.1 to 172.16.x.x

    tcpdump -veni Port2 and host 192.168.1.1

  • You are spot on Adam. So by adding an alias or virtual FW, I still have to connect VPN router to an open port on Sophos (VP2410) and if yes, is there anything special that needs to be done to this port (it's already set to LAN)? Is your alias FW tied to the bridge that I've set up previously?

    I can give it a shot but just afraid that if something doesn't work, I lose connection to FW or something crazy like that. I know some things but by no means an expert at this.

  • I gave this a shot. I added the alias and can ping IP 192.168.x.x. I tried the commands in SSH but kept getting 'no such device' when entering the port of WAN or the physical IP of VP2410. I also tried the main router address and it came back as 'no such device'. I tried to access my VPN router site and I get this: ERR_CONNECTION_TIMED_OUT. Not sure if I need to add a FW rule or something else to make this work but I feel I'm getting close to a solution.

Reply
  • I gave this a shot. I added the alias and can ping IP 192.168.x.x. I tried the commands in SSH but kept getting 'no such device' when entering the port of WAN or the physical IP of VP2410. I also tried the main router address and it came back as 'no such device'. I tried to access my VPN router site and I get this: ERR_CONNECTION_TIMED_OUT. Not sure if I need to add a FW rule or something else to make this work but I feel I'm getting close to a solution.

Children
  • Happy holidays  ,

    We’re getting close to finding the solution only a few more steps to go Slight smile

    For the SSH command getting "no such device", You can try this steps:

    1. Check the information of the interfaces using the command: ifconfig | more
    2. Then input the command: tcpdump -veni Port1 host 192.168.X.X (Take note that the Port will be different on your setup)

    While tcpdump is enabled, generate traffic from your VPN gateway to the interface of the Sophos firewall; if the ping fails, kindly check if the ping is enabled in SYSTEM>Administration>Device Access

    If the VPN gateway can reach the Sophos firewall interface, then this should now be working. If not, we might need to tweak the firewall rules a bit.

    Let us know if this works. Looking forward to hearing from you.

  • Happy Holidays to you Adam,

    So followed your lead and here's what I see:

    So the first thing that comes to mind is that I'm not using a Sophos branded device and could that be the reason this shows up as 'no such device exists'? This has happened before on another issue I had.

    If that is not the case (and I hope it's not), my VPN is connected to port 1 on my VP2410...there's no question on that. Would it be wise to reboot the VP2410 and bring up from scratch as I did swap VPN ethernet to VP2410 port 1 from Main router lan port.

    Other suggestions?

  • Ohh, it seems that you overlooked the Port1 here since the command is case-sensitive. The command should be tcpdump -veni Port1 host 192.168.X.X

    It also looked like the interface was receiving packets. We need to see if it is able to receive packets from 192.168.X.X

    Also, kindly make sure that the firewall rule[LAN to LAN] that we created is at the top. This is to make sure that it’ll be the rule that will be used

  • ok, so yes syntax was my problem and was then able to listen to Port 1. However we didn't make a FW rule as you mentioned above but I went ahead and created one and put at top position. Basically the rule allows LAN access to the 192.168.x.x address. Don't know if I need a Nat rule to go along with this.

    I can ping 192.168.x.x but still can't access that VPN router. Every time I tried to view the log, it wanted me to log in to SFW again so I used WireShark and I can see data going to 192.168 but not being able to come back. I get the ERR_CONNECTION_TIMED_OUT error when trying to access the web interface.

    Not entirely sure what to try next....

  • If data is not coming back it might indicate a routing issue in the other side. Does the other side have a route defined for the subnet you are trying to connect from?


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Hi apijnappels, 

    I'm not sure what you are asking. The VPN network (192.168.x.x) is just a netgear router running VPN software with an AP and a few devices connected. Want to make this network accessible on my main 172.16.x.x network. Not sure how to define the route within the VPN s/w...or maybe I'm missing point entirely.

  • To have a checkpoint on our setup, can you confirm the connections on this:

    1. From 192.168.X.1 can you ping 192.168.X.2?
    2. From 192.168.X.1 can you ping 192.168.X.3?
    3. From 192.168.X.2 can you ping 192.168.X.1?
    4. From 192.168.X.2 can you ping 192.168.X.3?
    5. From 192.168.X.3 can you ping 192.168.X.1?
    6. From 192.168.X.3 can you ping 192.168.X.2?
    7. From any device on 172.16.X.X can you ping 192.168.X.1?
    8. From any device on 172.16.X.X can you ping 192.168.X.2?

    Looking forward to hearing from you Slight smile

  • Looking at the picture from  Either in the VPN-gateway (Netgear router) you should make a static route for the 172.16.x.x network with the outside address of the Sophos gateway (123.123.123.2 in the picture). Or even better you could make the static route in the main router. In the picture main router has 123.123.123.1 and 192.168.x.1. I assume main router also has connection to internet.

    If the netgear router does not know how to reach your 172.16.x.x network then it will send replies to the default gateway which will be your main router. If your main router does not know how to reach 172.16.x.x network it will send it out to it's default gateway (or discard it since 172.16.x.x addresses are not routable on the internet).


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • I created a route on main router (main router has IP of 172.16.x.x). Netgear VPN router is 192.168.x.x. Main router is my connection to the internet.

    The route has VPN router as 'Host IP' and the gateway is from main router. Metric is set to 1.

    I can't connect to VPN router but can ping it. Everything behind VPN router cannot be pinged (unreachable).

    Also did a route print on PC and there's no 192.168.x.x showing up.

  • Does your main router have a route to 192.168.x.x with the gateway of the VPN-router's IP-address in the 172.16.x.x range?


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.