Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 23 replies
  • Answers 1 answer
  • Subscribers 42 subscribers
  • Views 6605 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Set up VLAN to connect two separate networks

Chevyavalanche

Hello,

My main network is 172.16.x.x and I have a VPN network using 192.168.x.x. The two networks don't 'talk' to one another but I would like to change that through the use of a VLAN.

First off, is that even possible to where I can access either network from the same PC? For example, I'm logged into my 172.16 network through my main router through ethernet connection. I cannot access my VPN 192.168 network unless I connect to it wirelessly (I have a VPN router with DHCP turned on that manages this network). This VPN router does connect to my main router that accesses internet. The LAN of main router connects to the WAN of VPN router.

So I'm using Sophos Firewall that protects my main network (172.16) but the VPN 192.168 network bypasses the firewall as it connects directly to main router. My main router connects to Sophos FW and then Sophos FW connects to a Cisco L2 switch to which everything else is connected.

Since L2 switch and main router can't do what I want concerning VLAN (I think I need a L3 switch to set up VLAN), maybe the Sophos FW can. So my theory is that if I connect my VPN router to a port on Sophos FW that is using VLAN, I should be able to connect to this network from any PC on main network. So essentially, my main PC with IP address of 172.16.x.x talks directly to another device on VPN network that has a 192.168.x.x IP address.

Is this even possible? I purposely set up the each network with the different IP ranges to avoid confusion between the two.

If possible to do this, would need to know specifically how to set up VLAN, Firewall rules and any NAT config to make this work.

Thanks for any help provided.



This thread was automatically locked due to age.
Parents
  • 0

    Hello  ,

    Thanks for reaching out to Sophos Community. 

    Could you share a network diagram of the setup you're trying to achieve?  

    Is there any specific reason why you have to retain the VPN router? Could you onboard the ISP link where the VPN users connect to Sophos Firewall instead? 

    This way you’ll manage the connectivity of LAN users and VPN on Sophos Firewall, which I believe is a more straightforward approach for your setup.

    Looking forward to hearing from you. Have a nice day and thank you for choosing Sophos. 

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • 0 in reply to Raphael Alganes

    I use VPN router (running VPN s/w) to do 'secure' work and is a requirement. It was recommended to connect VPN router directly to main router instead of L2 switch.

    Everything works fine and has been for years. I just now want to be able to access both networks from any PC on either network.

  • 0 in reply to Chevyavalanche

    If data is not coming back it might indicate a routing issue in the other side. Does the other side have a route defined for the subnet you are trying to connect from?

    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • 0 in reply to apijnappels

    Hi apijnappels, 

    I'm not sure what you are asking. The VPN network (192.168.x.x) is just a netgear router running VPN software with an AP and a few devices connected. Want to make this network accessible on my main 172.16.x.x network. Not sure how to define the route within the VPN s/w...or maybe I'm missing point entirely.

  • 0 in reply to Chevyavalanche

    To have a checkpoint on our setup, can you confirm the connections on this:

    1. From 192.168.X.1 can you ping 192.168.X.2?
    2. From 192.168.X.1 can you ping 192.168.X.3?
    3. From 192.168.X.2 can you ping 192.168.X.1?
    4. From 192.168.X.2 can you ping 192.168.X.3?
    5. From 192.168.X.3 can you ping 192.168.X.1?
    6. From 192.168.X.3 can you ping 192.168.X.2?
    7. From any device on 172.16.X.X can you ping 192.168.X.1?
    8. From any device on 172.16.X.X can you ping 192.168.X.2?

    Looking forward to hearing from you Slight smile

  • 0 in reply to Chevyavalanche

    Looking at the picture from  Either in the VPN-gateway (Netgear router) you should make a static route for the 172.16.x.x network with the outside address of the Sophos gateway (123.123.123.2 in the picture). Or even better you could make the static route in the main router. In the picture main router has 123.123.123.1 and 192.168.x.1. I assume main router also has connection to internet.

    If the netgear router does not know how to reach your 172.16.x.x network then it will send replies to the default gateway which will be your main router. If your main router does not know how to reach 172.16.x.x network it will send it out to it's default gateway (or discard it since 172.16.x.x addresses are not routable on the internet).

    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • 0 in reply to apijnappels

    I created a route on main router (main router has IP of 172.16.x.x). Netgear VPN router is 192.168.x.x. Main router is my connection to the internet.

    The route has VPN router as 'Host IP' and the gateway is from main router. Metric is set to 1.

    I can't connect to VPN router but can ping it. Everything behind VPN router cannot be pinged (unreachable).

    Also did a route print on PC and there's no 192.168.x.x showing up.

  • 0 in reply to Chevyavalanche

    Does your main router have a route to 192.168.x.x with the gateway of the VPN-router's IP-address in the 172.16.x.x range?

    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • 0 in reply to apijnappels

    Yes it does. See snapshot below.

    Just by connecting Main router LAN to VPN router WAN, the VPN network works just fine....trouble is, I just can't directly connect to it from Ethernet LAN 172.16.x.x network. The only way I can access is by using PC WiFi and connecting to VPN router 192.168.x.x network.

    ++++++++++++++++++++++

    172.16-->Ethernet LAN (main router)-->PC

    192.168-->WiFi (VPN router)-->PC

    Currently my only way to access both networks with same PC.

    ++++++++++++++++++++++

  • 0 in reply to Chevyavalanche

    The WAN of the VPN router (192.168.x.x LAN) can't be pinged or should I say when I do ping it, I get no response. It has the address of 172.16.x.x, in the same LAN as main router....so could this be issue?

  • 0 in reply to Chevyavalanche

    For me this is just a simple IP routing between normal networks connected through (several) routers. Why should I use VLAN or NAT here?

    You always need a proper network layout diagram and then plan your routing accordingly. Think about each gateway and each transfer net, then define your routes. IP routing is quite simple!

    If there is a transfernet in between, define the right gateway to reach "the other side"! And never forget to define the "way back" at the other side, there is no "one way IP", you always have to know the way home again!

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to PhilippRusch

    I agree Phillip. Sometimes it doesn't work out that way however.

Reply Children
No Data
Unfiltered HTML