1 ISP WAN, 18 ISP LAN addresses - how to I setup a port for an edge router to go out ISP LAN IP

Hi avett1058,

Thank you for reaching out to Sophos Community.

Kindly configure a new VLAN and set it up on a separate port for the Vendor. I would also suggest setting the zone to DMZ and creating a firewall rule to restrict the traffic from all other networks.

Thanks for the response Eric! Do you know if using the ISP LAN block provides any additional benefits? Or is it similar to creating a new VLAN or subnet on the firewall? 

Hi avett1058,

ISP Lan block? This isn’t advisable.

I recommend creating a new VLAN network different from your local network and then creating a new firewall rule to allow access to the internet or any other allowed network resources.

Creating a new VLAN will separate the network, set it up as DMZ as a zone for additional segregation, and finally, the Firewall Rule to block traffic between.

Hi avett1058  what you are trying to do is a transparent subnet gateway. The XG can do it, but it's not as clean as other vendors do it. Here is the link. https://support.sophos.com/support/s/article/KB-000035920?language=en_US

Option 2, and the easiest solution, would be to put a small switch in between your ISP handoff and your Sophos Firewall. You can then let your vendor plug into the small switch as well and use a public IP (LAN IP) from your ISP block they have assigned you.

In either case of using transparent subnets or using a small switch, the traffic would be separated. 

Also, ISP's call them LAN IP's, but they are WAN IP's 99% of the time. They just refer to them as LAN because they are typically assigned to the LAN interface of the CPE device they install. They are LAN in the big picture to them, but are WAN to you since that would be your public IP block, unless they use CGNAT, which is another topic.

Let me know if you need anymore help.

Thanks,

Michael

Hi avett1058  what you are trying to do is a transparent subnet gateway. The XG can do it, but it's not as clean as other vendors do it. Here is the link. https://support.sophos.com/support/s/article/KB-000035920?language=en_US

Option 2, and the easiest solution, would be to put a small switch in between your ISP handoff and your Sophos Firewall. You can then let your vendor plug into the small switch as well and use a public IP (LAN IP) from your ISP block they have assigned you.

In either case of using transparent subnets or using a small switch, the traffic would be separated. 

Also, ISP's call them LAN IP's, but they are WAN IP's 99% of the time. They just refer to them as LAN because they are typically assigned to the LAN interface of the CPE device they install. They are LAN in the big picture to them, but are WAN to you since that would be your public IP block, unless they use CGNAT, which is another topic.

Let me know if you need anymore help.

Thanks,

Michael

I would go with option 2 as well. Cleanest setup. No specials in the firewall needed.

Hi Michael. Really appreciate the reply!! Solves the questions I had.

Thanks,

Austin