

Set up VLAN to connect two separate networks

Hello,

My main network is 172.16.x.x and I have a VPN network using 192.168.x.x. The two networks don't 'talk' to one another but I would like to change that through the use of a VLAN.

First off, is that even possible to where I can access either network from the same PC? For example, I'm logged into my 172.16 network through my main router through ethernet connection. I cannot access my VPN 192.168 network unless I connect to it wirelessly (I have a VPN router with DHCP turned on that manages this network). This VPN router does connect to my main router that accesses internet. The LAN of main router connects to the WAN of VPN router.

So I'm using Sophos Firewall that protects my main network (172.16) but the VPN 192.168 network bypasses the firewall as it connects directly to main router. My main router connects to Sophos FW and then Sophos FW connects to a Cisco L2 switch to which everything else is connected.

Since L2 switch and main router can't do what I want concerning VLAN (I think I need a L3 switch to set up VLAN), maybe the Sophos FW can. So my theory is that if I connect my VPN router to a port on Sophos FW that is using VLAN, I should be able to connect to this network from any PC on main network. So essentially, my main PC with IP address of 172.16.x.x talks directly to another device on VPN network that has a 192.168.x.x IP address.

Is this even possible? I purposely set up the each network with the different IP ranges to avoid confusion between the two.

If possible to do this, would need to know specifically how to set up VLAN, Firewall rules and any NAT config to make this work.

Thanks for any help provided.



  • Hello,

    Thanks for reaching out to Sophos Community. 

    Could you share a network diagram of the setup you're trying to achieve?  

    Is there any specific reason why you have to retain the VPN router? Could you onboard the ISP link where the VPN users connect to Sophos Firewall instead? 

    This way you’ll manage the connectivity of LAN users and VPN on Sophos Firewall, which I believe is a more straightforward approach for your setup.

    Looking forward to hearing from you. Have a nice day and thank you for choosing Sophos. 

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • I use VPN router (running VPN s/w) to do 'secure' work and is a requirement. It was recommended to connect VPN router directly to main router instead of L2 switch.

    Everything works fine and has been for years. I just now want to be able to access both networks from any PC on either network.

  • Ohh got it,

    I think this is how I understood your setup; take note that the IP 123.123.123.1 is just a hypothetical IP that I assume is on your network. As long as the firewall receives packets from the 192.168.x.x network this setup will work. As for configuring an alias ("Add an alias - Sophos Firewall") on the Firewall, I would suggest trying to configure this during a downtime schedule since this is a Virtual firewall.

    Let me also share with you a way to know if you're receiving packets from 192.168.x.x using tcpdump. Firstly access the firewall's Advanced shell.

    Then input this command ({} is a placeholder for your setup; the interface name is case-sensitive):

    tcpdump -veni {Port of WAN} host {source IP of 192.168.x.x}

    Example (then generate traffic from 192.168.1.1 to 172.16.x.x):

    tcpdump -veni Port2 host 192.168.1.1

  • You are spot on Adam. So by adding an alias or virtual FW, I still have to connect VPN router to an open port on Sophos (VP2410) and if yes, is there anything special that needs to be done to this port (it's already set to LAN)? Is your alias FW tied to the bridge that I've set up previously?

    I can give it a shot but just afraid that if something doesn't work, I lose connection to FW or something crazy like that. I know some things but by no means an expert at this.

  • I gave this a shot. I added the alias and can ping IP 192.168.x.x. I tried the commands in SSH but kept getting 'no such device' when entering the port of WAN or the physical IP of VP2410. I also tried the main router address and it came back as 'no such device'. I tried to access my VPN router site and I get this: ERR_CONNECTION_TIMED_OUT. Not sure if I need to add a FW rule or something else to make this work but I feel I'm getting close to a solution.

  • Happy holidays,

    We're getting close to finding the solution, only a few more steps to go.

    For the SSH command getting "no such device", you can try these steps:

    1. Check the information of the interfaces using the command: ifconfig | more
    2. Then input the command: tcpdump -veni Port1 host 192.168.X.X (Take note that the Port will be different on your setup)

    While tcpdump is enabled, generate traffic from your VPN gateway to the interface of the Sophos firewall; if the ping fails, kindly check if the ping is enabled in SYSTEM>Administration>Device Access

    If the VPN gateway can reach the Sophos firewall interface, then this should now be working. If not, we might need to tweak the firewall rules a bit.

    Let us know if this works. Looking forward to hearing from you.

  • Happy Holidays to you Adam,

    So followed your lead and here's what I see:

    So the first thing that comes to mind is that I'm not using a Sophos branded device and could that be the reason this shows up as 'no such device exists'? This has happened before on another issue I had.

    If that is not the case (and I hope it's not), my VPN is connected to port 1 on my VP2410...there's no question on that. Would it be wise to reboot the VP2410 and bring up from scratch as I did swap VPN ethernet to VP2410 port 1 from Main router lan port.

    Other suggestions?

  • Ohh, it seems that you overlooked the Port1 here since the command is case-sensitive. The command should be tcpdump -veni Port1 host 192.168.X.X

    It also looked like the interface was receiving packets. We need to see if it is able to receive packets from 192.168.X.X

    Also, kindly make sure that the firewall rule [LAN to LAN] that we created is at the top. This is to make sure that it'll be the rule that will be used.

  • ok, so yes syntax was my problem and was then able to listen to Port 1. However we didn't make a FW rule as you mentioned above but I went ahead and created one and put at top position. Basically the rule allows LAN access to the 192.168.x.x address. Don't know if I need a Nat rule to go along with this.

    I can ping 192.168.x.x but still can't access that VPN router. Every time I tried to view the log, it wanted me to log in to SFW again so I used WireShark and I can see data going to 192.168 but not being able to come back. I get the ERR_CONNECTION_TIMED_OUT error when trying to access the web interface.

    Not entirely sure what to try next...

  • If data is not coming back it might indicate a routing issue on the other side. Does the other side have a route defined for the subnet you are trying to connect from?


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
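    The thread's diagnostic so far is: run tcpdump on the Sophos interface facing the VPN router, generate traffic, and see whether anything comes back; ping gets a reply but the HTTPS connection to the router's web interface times out, which points at a missing return route. The following script is an added example (not part of this thread or of Sophos Firewall) that automates that reading of a capture: it parses the text output of `tcpdump -veni <Port> host <IP>` and reports any ICMP echo request or TCP SYN for which no matching reply was seen. The capture embedded below is constructed to mirror the situation described above; the interface, MAC and IP addresses in it are assumptions.

```python
import re

# Constructed sample of `tcpdump -veni Port1 host 192.168.1.10` text output.
# Interface name, MAC addresses and IPs are assumed, not taken from a real
# capture. It models the thread's symptom: the ping is answered, but the two
# TCP SYNs toward the router's web UI (port 443) never get a SYN-ACK back.
SAMPLE_CAPTURE = """\
10:00:00.000100 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto ICMP (1), length 84)
    172.16.1.20 > 192.168.1.10: ICMP echo request, id 7, seq 1, length 64
10:00:00.000900 66:77:88:99:aa:bb > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 2, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.1.10 > 172.16.1.20: ICMP echo reply, id 7, seq 1, length 64
10:00:01.000100 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 3, offset 0, flags [DF], proto TCP (6), length 60)
    172.16.1.20.51000 > 192.168.1.10.443: Flags [S], seq 1000, win 64240, length 0
10:00:02.000100 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 4, offset 0, flags [DF], proto TCP (6), length 60)
    172.16.1.20.51000 > 192.168.1.10.443: Flags [S], seq 1000, win 64240, length 0
"""

# With -v, tcpdump prints the IP header on one line and the transport
# header on the next (indented) line; these patterns match the second line.
TCP_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)
ICMP_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): ICMP echo (request|reply)"
)


def analyse_capture(text):
    """Count SYN/SYN-ACK per TCP flow and echo request/reply per host pair.

    Returns (tcp, icmp): tcp is keyed by (client, cport, server, sport),
    icmp by (pinger, target). Replies are folded onto the forward key so a
    flow with syn > 0 and synack == 0 is one-way traffic.
    """
    tcp, icmp = {}, {}
    for line in text.splitlines():
        m = TCP_RE.search(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            if flags == "S":                      # client -> server SYN
                key = (src, sport, dst, dport)
                tcp.setdefault(key, {"syn": 0, "synack": 0})["syn"] += 1
            elif flags == "S.":                   # server -> client SYN-ACK
                key = (dst, dport, src, sport)
                tcp.setdefault(key, {"syn": 0, "synack": 0})["synack"] += 1
            continue
        m = ICMP_RE.search(line)
        if m:
            src, dst, kind = m.groups()
            key = (src, dst) if kind == "request" else (dst, src)
            icmp.setdefault(key, {"request": 0, "reply": 0})[kind] += 1
    return tcp, icmp


def report(text):
    """Return one finding per unanswered ping pair or unanswered TCP flow."""
    tcp, icmp = analyse_capture(text)
    findings = []
    for (src, dst), c in icmp.items():
        if c["request"] and not c["reply"]:
            findings.append(
                f"ICMP {src} -> {dst}: {c['request']} echo request(s), no reply"
            )
    for (client, cport, server, sport), n in tcp.items():
        if n["syn"] and not n["synack"]:
            findings.append(
                f"TCP {client}:{cport} -> {server}:{sport}: {n['syn']} SYN(s), "
                f"no SYN-ACK (one-way traffic; check the return route on the "
                f"{server} side)"
            )
    return findings


if __name__ == "__main__":
    # On a firewall you would feed the saved tcpdump text in instead:
    #   tcpdump -veni Port1 host 192.168.X.X > capture.txt
    for finding in report(SAMPLE_CAPTURE) or ["no one-way traffic seen"]:
        print(finding)
```

    Ping being answered while every SYN goes unanswered is exactly the pattern the reply above describes: the VPN router accepts the packets but has no route back for the 172.16.x.x source, so only the firewall-side half of the conversation ever appears on the wire. The script deliberately separates the two protocols so that the "ping works but the web UI times out" case shows up as a single TCP finding rather than being hidden by the successful ICMP exchange.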

  • Hi apijnappels, 

    I'm not sure what you are asking. The VPN network (192.168.x.x) is just a netgear router running VPN software with an AP and a few devices connected. Want to make this network accessible on my main 172.16.x.x network. Not sure how to define the route within the VPN s/w...or maybe I'm missing point entirely.

  • To have a checkpoint on our setup, can you confirm the connections on this:

    1. From 192.168.X.1 can you ping 192.168.X.2?
    2. From 192.168.X.1 can you ping 192.168.X.3?
    3. From 192.168.X.2 can you ping 192.168.X.1?
    4. From 192.168.X.2 can you ping 192.168.X.3?
    5. From 192.168.X.3 can you ping 192.168.X.1?
    6. From 192.168.X.3 can you ping 192.168.X.2?
    7. From any device on 172.16.X.X can you ping 192.168.X.1?
    8. From any device on 172.16.X.X can you ping 192.168.X.2?

    Looking forward to hearing from you.
