

1 ISP WAN, 18 ISP LAN addresses - how do I set up a port for an edge router to go out an ISP LAN IP

We have 1 WAN IP from our ISP

18 LAN IPs from the ISP

Current setup is one CAT6 from the ISP to the Sophos Firewall. The firewall has the 1 WAN IP interface set up for internet.

We need a port enabled on the firewall for a vendor router to use one of the LAN IPs from the ISP.

We want all of this traffic separate from our network.

What is the best way to go about this?

Thank you in advance!



  • Thanks for the response Eric! Do you know if using the ISP LAN block provides any additional benefits? Or is it similar to creating a new VLAN or subnet on the firewall? 

  • Hi avett1058,

    ISP LAN block? This isn't advisable.

    I recommend creating a new VLAN network different from your local network and then creating a new firewall rule to allow access to the internet or any other allowed network resources.

    Creating a new VLAN will separate the network, set it up as DMZ as a zone for additional segregation, and finally, the Firewall Rule to block traffic between.

    Erick Jan
    Community Support Engineer | Sophos Technical Support
    If a post solves your question use the 'Verify Answer' link.

  • Hi, what you are trying to do is a transparent subnet gateway. The XG can do it, but it's not as clean as other vendors do it. Here is the link: https://support.sophos.com/support/s/article/KB-000035920?language=en_US

    Option 2, and the easiest solution, would be to put a small switch in between your ISP handoff and your Sophos Firewall. You can then let your vendor plug into the small switch as well and use a public IP (LAN IP) from your ISP block they have assigned you.

    In either case of using transparent subnets or using a small switch, the traffic would be separated. 

    Also, ISPs call them LAN IPs, but they are WAN IPs 99% of the time. They just refer to them as LAN because they are typically assigned to the LAN interface of the CPE device they install. They are LAN in the big picture to them, but are WAN to you, since that would be your public IP block, unless they use CGNAT, which is another topic.

    Let me know if you need any more help.

    Thanks,

    Michael
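An added example, not part of Michael's reply or any Sophos documentation: with option 2 (a small switch between the ISP handoff and the firewall) both the firewall WAN port and the vendor router take addresses straight out of the ISP block, so the one thing that actually goes wrong in practice is an address collision or an address that is not really public. The script below uses Python's standard `ipaddress` module to sanity-check such a plan: every device must be a usable host address inside the block, must not be the ISP gateway, and must be unique, and the block itself is classified as public, RFC 1918 private, or CGNAT shared space (100.64.0.0/10), which is the case Michael flags as "another topic". All addresses here are constructed placeholders from the documentation range 203.0.113.0/24; the /27 size and the device names are assumptions, not the poster's real assignment.

```python
"""Address-plan check for an ISP-assigned public block shared between a
firewall WAN port and a vendor router behind a small switch.

Constructed example; the block, gateway and device names are placeholders."""
import ipaddress

CGNAT = ipaddress.ip_network("100.64.0.0/10")      # RFC 6598 shared space
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def classify_block(block: str) -> str:
    """Return 'public', 'cgnat' or 'private' for the ISP-assigned block.

    A 'cgnat' or 'private' result means the "LAN IPs" are not routable
    public addresses and the vendor will sit behind the ISP's NAT."""
    net = ipaddress.ip_network(block, strict=False)
    if net.subnet_of(CGNAT):
        return "cgnat"
    if any(net.subnet_of(p) for p in RFC1918):
        return "private"
    return "public"


def check_plan(block: str, gateway: str, assignments: dict) -> list:
    """Validate device addresses against the ISP block.

    assignments maps a device name (e.g. 'firewall-wan', 'vendor-router')
    to the address it will use.  Returns a list of human-readable problems;
    an empty list means the plan is consistent."""
    net = ipaddress.ip_network(block, strict=False)
    gw = ipaddress.ip_address(gateway)
    problems = []
    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}")
    usable = set(net.hosts())       # excludes network and broadcast addresses
    seen = {}
    for name, addr in assignments.items():
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            problems.append(f"{name}: {ip} is outside {net}")
        elif ip not in usable:
            problems.append(f"{name}: {ip} is the network or broadcast address")
        if ip == gw:
            problems.append(f"{name}: {ip} collides with the ISP gateway")
        if ip in seen:
            problems.append(f"{name}: {ip} already assigned to {seen[ip]}")
        seen[ip] = name
    return problems


if __name__ == "__main__":
    # Constructed plan: firewall and vendor router share the ISP block via
    # the small switch; .1 is assumed to be the ISP's CPE gateway.
    plan = {"firewall-wan": "203.0.113.2", "vendor-router": "203.0.113.3"}
    print("block type:", classify_block("203.0.113.0/27"))
    print("problems:", check_plan("203.0.113.0/27", "203.0.113.1", plan) or "none")
```

Run it with the real block, gateway and intended addresses substituted in; a non-empty problem list, or a `cgnat`/`private` classification, is the signal to go back to the ISP before cabling the vendor router onto the switch.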

  • I would go with option 2 as well. Cleanest setup. No specials in the firewall needed.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Michael. Really appreciate the reply!! Solves the questions I had.

    Thanks,

    Austin