

Set up VLAN to connect two separate networks

Hello,

My main network is 172.16.x.x and I have a VPN network using 192.168.x.x. The two networks don't 'talk' to one another but I would like to change that through the use of a VLAN.

First off, is that even possible to where I can access either network from the same PC? For example, I'm logged into my 172.16 network through my main router through ethernet connection. I cannot access my VPN 192.168 network unless I connect to it wirelessly (I have a VPN router with DHCP turned on that manages this network). This VPN router does connect to my main router that accesses internet. The LAN of main router connects to the WAN of VPN router.

So I'm using Sophos Firewall that protects my main network (172.16) but the VPN 192.168 network bypasses the firewall as it connects directly to main router. My main router connects to Sophos FW and then Sophos FW connects to a Cisco L2 switch to which everything else is connected.

Since L2 switch and main router can't do what I want concerning VLAN (I think I need a L3 switch to set up VLAN), maybe the Sophos FW can. So my theory is that if I connect my VPN router to a port on Sophos FW that is using VLAN, I should be able to connect to this network from any PC on main network. So essentially, my main PC with IP address of 172.16.x.x talks directly to another device on VPN network that has a 192.168.x.x IP address.

Is this even possible? I purposely set up each network with a different IP range to avoid confusion between the two.

If it is possible to do this, I would need to know specifically how to set up the VLAN, firewall rules and any NAT config to make this work.

Thanks for any help provided.



  • Hello  ,

    Thanks for reaching out to Sophos Community. 

    Could you share a network diagram of the setup you're trying to achieve?  

    Is there any specific reason why you have to retain the VPN router? Could you onboard the ISP link where the VPN users connect to Sophos Firewall instead? 

    This way you’ll manage the connectivity of LAN users and VPN on Sophos Firewall, which I believe is a more straightforward approach for your setup.

    Looking forward to hearing from you. Have a nice day and thank you for choosing Sophos. 

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • I use a VPN router (running VPN s/w) to do 'secure' work and it is a requirement. It was recommended to connect the VPN router directly to the main router instead of the L2 switch.

    Everything works fine and has been for years. I just now want to be able to access both networks from any PC on either network.

  • You are spot on Adam. So by adding an alias or virtual FW, I still have to connect VPN router to an open port on Sophos (VP2410) and if yes, is there anything special that needs to be done to this port (it's already set to LAN)? Is your alias FW tied to the bridge that I've set up previously?

    I can give it a shot but just afraid that if something doesn't work, I lose connection to FW or something crazy like that. I know some things but by no means an expert at this.

  • I gave this a shot. I added the alias and can ping IP 192.168.x.x. I tried the commands in SSH but kept getting 'no such device' when entering the port of WAN or the physical IP of VP2410. I also tried the main router address and it came back as 'no such device'. I tried to access my VPN router site and I get this: ERR_CONNECTION_TIMED_OUT. Not sure if I need to add a FW rule or something else to make this work but I feel I'm getting close to a solution.

  • Happy holidays  ,

    We’re getting close to finding the solution, only a few more steps to go.

    For the SSH command getting "no such device", you can try these steps:

    1. Check the information of the interfaces using the command: ifconfig | more
    2. Then input the command: tcpdump -veni Port1 host 192.168.X.X (Take note that the Port will be different on your setup)

    While tcpdump is enabled, generate traffic from your VPN gateway to the interface of the Sophos firewall; if the ping fails, kindly check if the ping is enabled in SYSTEM>Administration>Device Access

    If the VPN gateway can reach the Sophos firewall interface, then this should now be working. If not, we might need to tweak the firewall rules a bit.

    Let us know if this works. Looking forward to hearing from you.

  • Happy Holidays to you Adam,

    So followed your lead and here's what I see:

    So the first thing that comes to mind is that I'm not using a Sophos branded device and could that be the reason this shows up as 'no such device exists'? This has happened before on another issue I had.

    If that is not the case (and I hope it's not), my VPN is connected to port 1 on my VP2410...there's no question on that. Would it be wise to reboot the VP2410 and bring up from scratch as I did swap VPN ethernet to VP2410 port 1 from Main router lan port.

    Other suggestions?

  • Ohh, it seems that you overlooked the Port1 here since the command is case-sensitive. The command should be tcpdump -veni Port1 host 192.168.X.X

    It also looked like the interface was receiving packets. We need to see if it is able to receive packets from 192.168.X.X

    Also, kindly make sure that the firewall rule[LAN to LAN] that we created is at the top. This is to make sure that it’ll be the rule that will be used

  • OK, so yes, syntax was my problem and I was then able to listen on Port1. However, we didn't make a FW rule as you mentioned above, but I went ahead and created one and put it in the top position. Basically the rule allows LAN access to the 192.168.x.x address. Don't know if I need a NAT rule to go along with this.

    I can ping 192.168.x.x but still can't access that VPN router. Every time I tried to view the log, it wanted me to log in to SFW again so I used WireShark and I can see data going to 192.168 but not being able to come back. I get the ERR_CONNECTION_TIMED_OUT error when trying to access the web interface.

    Not entirely sure what to try next....

  • If data is not coming back, it might indicate a routing issue on the other side. Does the other side have a route defined for the subnet you are trying to connect from?


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Hi apijnappels, 

    I'm not sure what you are asking. The VPN network (192.168.x.x) is just a netgear router running VPN software with an AP and a few devices connected. Want to make this network accessible on my main 172.16.x.x network. Not sure how to define the route within the VPN s/w...or maybe I'm missing point entirely.

  • To have a checkpoint on our setup, can you confirm the connections on this:

    1. From 192.168.X.1 can you ping 192.168.X.2?
    2. From 192.168.X.1 can you ping 192.168.X.3?
    3. From 192.168.X.2 can you ping 192.168.X.1?
    4. From 192.168.X.2 can you ping 192.168.X.3?
    5. From 192.168.X.3 can you ping 192.168.X.1?
    6. From 192.168.X.3 can you ping 192.168.X.2?
    7. From any device on 172.16.X.X can you ping 192.168.X.1?
    8. From any device on 172.16.X.X can you ping 192.168.X.2?

    Looking forward to hearing from you.

  • Looking at the picture from  Either in the VPN-gateway (Netgear router) you should make a static route for the 172.16.x.x network with the outside address of the Sophos gateway (123.123.123.2 in the picture). Or even better you could make the static route in the main router. In the picture main router has 123.123.123.1 and 192.168.x.1. I assume main router also has connection to internet.

    If the Netgear router does not know how to reach your 172.16.x.x network, then it will send replies to the default gateway, which will be your main router. If your main router does not know how to reach the 172.16.x.x network, it will send it out to its default gateway (or discard it, since 172.16.x.x addresses are not routable on the internet).


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.


  • I created a route on main router (main router has IP of 172.16.x.x). Netgear VPN router is 192.168.x.x. Main router is my connection to the internet.

    The route has VPN router as 'Host IP' and the gateway is from main router. Metric is set to 1.

    I can't connect to VPN router but can ping it. Everything behind VPN router cannot be pinged (unreachable).

    Also did a route print on PC and there's no 192.168.x.x showing up.

  • Does your main router have a route to 192.168.x.x with the gateway of the VPN-router's IP-address in the 172.16.x.x range?


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Yes it does. See snapshot below.

    Just by connecting Main router LAN to VPN router WAN, the VPN network works just fine....trouble is, I just can't directly connect to it from Ethernet LAN 172.16.x.x network. The only way I can access is by using PC WiFi and connecting to VPN router 192.168.x.x network.

    ++++++++++++++++++++++

    172.16-->Ethernet LAN (main router)-->PC

    192.168-->WiFi (VPN router)-->PC

    Currently my only way to access both networks with same PC.

    ++++++++++++++++++++++

  • The WAN of the VPN router (192.168.x.x LAN) can't be pinged or should I say when I do ping it, I get no response. It has the address of 172.16.x.x, in the same LAN as main router....so could this be issue?

  • For me this is just a simple IP routing between normal networks connected through (several) routers. Why should I use VLAN or NAT here?

    You always need a proper network layout diagram and then plan your routing accordingly. Think about each gateway and each transfer net, then define your routes. IP routing is quite simple!

    If there is a transfer net in between, define the right gateway to reach "the other side"! And never forget to define the "way back" at the other side; there is no "one-way IP", you always have to know the way home again!

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.
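As an added illustration of the "way back" point above and of the static-route fix suggested earlier in the thread (this is example code, not from any poster or from Sophos), the following simulates longest-prefix routing over a constructed, simplified version of the thread's topology: a PC on 172.16.0.50 behind the Sophos (inside 172.16.0.1, outside 123.123.123.2), a Netgear VPN router (WAN 123.123.123.3, LAN 192.168.0.1) and the main router at 123.123.123.1 with the internet upstream; all addresses and the router names are assumptions, with the thread's "x" octets replaced by 0.

```python
import copy
import ipaddress
# Constructed topology, assumed from the thread (its picture is not on the page;
# "x" octets replaced by 0): interface addresses plus (prefix, next-hop) routes
# per router. "internet" is the main router's upstream, which discards replies
# to private 172.16 addresses.
ROUTERS = {
    "sophos":  {"addrs": ["172.16.0.1", "123.123.123.2"],
                "routes": [("192.168.0.0/24", "123.123.123.3"),
                           ("0.0.0.0/0", "123.123.123.1")]},
    "netgear": {"addrs": ["123.123.123.3", "192.168.0.1"],
                "routes": [("0.0.0.0/0", "123.123.123.1")]},  # no way back to 172.16/16
    "main":    {"addrs": ["123.123.123.1"],
                "routes": [("0.0.0.0/0", "internet")]},
}
LINKS = ["172.16.0.0/16", "123.123.123.0/29", "192.168.0.0/24"]  # connected nets

def lookup(router, dst):
    """Longest-prefix match over connected networks and static routes."""
    dst, best = ipaddress.ip_address(dst), None
    for net in LINKS:
        n = ipaddress.ip_network(net)
        if dst in n and any(ipaddress.ip_address(a) in n for a in router["addrs"]):
            best = (n.prefixlen, "connected")
    for prefix, nh in router["routes"]:
        n = ipaddress.ip_network(prefix)
        if dst in n and (best is None or n.prefixlen > best[0]):
            best = (n.prefixlen, nh)
    return best[1] if best else "drop"

def trace(routers, start, dst, max_hops=8):
    """Follow a packet router by router; returns (hops, outcome)."""
    path, cur = [], start
    while len(path) < max_hops:
        path.append(cur)
        nh = lookup(routers[cur], dst)
        if nh in ("connected", "drop", "internet"):
            return path, "delivered" if nh == "connected" else nh
        # hand the packet to whichever router owns the next-hop address
        cur = next((n for n, r in routers.items() if nh in r["addrs"]), None)
        if cur is None:
            return path, "drop"
    return path, "loop"

def return_path(with_static_route):
    """Reply from the VPN LAN back to the PC at 172.16.0.50, with/without the fix."""
    routers = copy.deepcopy(ROUTERS)
    if with_static_route:  # the thread's fix: 172.16/16 via the Sophos outside address
        routers["netgear"]["routes"].insert(0, ("172.16.0.0/16", "123.123.123.2"))
    return trace(routers, "netgear", "172.16.0.50")
```

The forward packet reaches the VPN LAN, but without the static route the reply follows the Netgear's default route to the main router and out to the internet, which matches the "data going out but not coming back" seen in Wireshark; adding the 172.16/16 route on the Netgear brings the reply back via the Sophos.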

  • I agree Phillip. Sometimes it doesn't work out that way however.