Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 23 replies
  • Answers 1 answer
  • Subscribers 42 subscribers
  • Views 6614 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Set up VLAN to connect two separate networks

Chevyavalanche

Hello,

My main network is 172.16.x.x and I have a VPN network using 192.168.x.x. The two networks don't 'talk' to one another but I would like to change that through the use of a VLAN.

First off, is that even possible to where I can access either network from the same PC? For example, I'm logged into my 172.16 network through my main router through ethernet connection. I cannot access my VPN 192.168 network unless I connect to it wirelessly (I have a VPN router with DHCP turned on that manages this network). This VPN router does connect to my main router that accesses internet. The LAN of main router connects to the WAN of VPN router.

So I'm using Sophos Firewall that protects my main network (172.16) but the VPN 192.168 network bypasses the firewall as it connects directly to main router. My main router connects to Sophos FW and then Sophos FW connects to a Cisco L2 switch to which everything else is connected.

Since L2 switch and main router can't do what I want concerning VLAN (I think I need a L3 switch to set up VLAN), maybe the Sophos FW can. So my theory is that if I connect my VPN router to a port on Sophos FW that is using VLAN, I should be able to connect to this network from any PC on main network. So essentially, my main PC with IP address of 172.16.x.x talks directly to another device on VPN network that has a 192.168.x.x IP address.

Is this even possible? I purposely set up the each network with the different IP ranges to avoid confusion between the two.

If possible to do this, would need to know specifically how to set up VLAN, Firewall rules and any NAT config to make this work.

Thanks for any help provided.



This thread was automatically locked due to age.
  • 0 in reply to Adam Dodge

    Happy Holidays to you Adam,

    So followed your lead and here's what I see:

    So the first thing that comes to mind is that I'm not using a Sophos branded device and could that be the reason this shows up as 'no such device exists'? This has happened before on another issue I had.

    If that is not the case (and I hope it's not), my VPN is connected to port 1 on my VP2410...there's no question on that. Would it be wise to reboot the VP2410 and bring up from scratch as I did swap VPN ethernet to VP2410 port 1 from Main router lan port.

    Other suggestions?

  • 0 in reply to Chevyavalanche

    Ohh, it seems that you overlooked the Port1 here since the command is case-sensitive. The command should be tcpdump -veni Port1 host 192.168.X.X

    It also looked like the interface was receiving packets. We need to see if it is able to receive packets from 192.168.X.X

    Also, kindly make sure that the firewall rule[LAN to LAN] that we created is at the top. This is to make sure that it’ll be the rule that will be used

  • 0 in reply to Adam Dodge

    ok, so yes syntax was my problem and was then able to listen to Port 1. However we didn't make a FW rule as you mentioned above but I went ahead and created one and put at top position. Basically the rule allows LAN access to the 192.168.x.x address. Don't know if I need a Nat rule to go along with this.

    I can ping 192.168.x.x but still can't access that VPN router. Every time I tried to view the log, it wanted me to log in to SFW again so I used WireShark and I can see data going to 192.168 but not being able to come back. I get the ERR_CONNECTION_TIMED_OUT error when trying to access the web interface.

    Not entirely sure what to try next....

  • 0 in reply to Chevyavalanche

    If data is not coming back it might indicate a routing issue in the other side. Does the other side have a route defined for the subnet you are trying to connect from?

    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • 0 in reply to apijnappels

    Hi apijnappels, 

    I'm not sure what you are asking. The VPN network (192.168.x.x) is just a netgear router running VPN software with an AP and a few devices connected. Want to make this network accessible on my main 172.16.x.x network. Not sure how to define the route within the VPN s/w...or maybe I'm missing point entirely.

  • 0 in reply to Chevyavalanche

    To have a checkpoint on our setup, can you confirm the connections on this:

    1. From 192.168.X.1 can you ping 192.168.X.2?
    2. From 192.168.X.1 can you ping 192.168.X.3?
    3. From 192.168.X.2 can you ping 192.168.X.1?
    4. From 192.168.X.2 can you ping 192.168.X.3?
    5. From 192.168.X.3 can you ping 192.168.X.1?
    6. From 192.168.X.3 can you ping 192.168.X.2?
    7. From any device on 172.16.X.X can you ping 192.168.X.1?
    8. From any device on 172.16.X.X can you ping 192.168.X.2?

    Looking forward to hearing from you Slight smile

  • 0 in reply to Chevyavalanche

    Looking at the picture from  Either in the VPN-gateway (Netgear router) you should make a static route for the 172.16.x.x network with the outside address of the Sophos gateway (123.123.123.2 in the picture). Or even better you could make the static route in the main router. In the picture main router has 123.123.123.1 and 192.168.x.1. I assume main router also has connection to internet.

    If the netgear router does not know how to reach your 172.16.x.x network then it will send replies to the default gateway which will be your main router. If your main router does not know how to reach 172.16.x.x network it will send it out to it's default gateway (or discard it since 172.16.x.x addresses are not routable on the internet).

    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • 0 in reply to apijnappels

    I created a route on main router (main router has IP of 172.16.x.x). Netgear VPN router is 192.168.x.x. Main router is my connection to the internet.

    The route has VPN router as 'Host IP' and the gateway is from main router. Metric is set to 1.

    I can't connect to VPN router but can ping it. Everything behind VPN router cannot be pinged (unreachable).

    Also did a route print on PC and there's no 192.168.x.x showing up.

  • 0 in reply to Chevyavalanche

    Does your main router have a route to 192.168.x.x with the gateway of the VPN-router's IP-address in the 172.16.x.x range?

    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • 0 in reply to apijnappels

    Yes it does. See snapshot below.

    Just by connecting Main router LAN to VPN router WAN, the VPN network works just fine....trouble is, I just can't directly connect to it from Ethernet LAN 172.16.x.x network. The only way I can access is by using PC WiFi and connecting to VPN router 192.168.x.x network.

    ++++++++++++++++++++++

    172.16-->Ethernet LAN (main router)-->PC

    192.168-->WiFi (VPN router)-->PC

    Currently my only way to access both networks with same PC.

    ++++++++++++++++++++++

Unfiltered HTML