
Network Configuration Issue

##### Current configuration

**Router:**
- IP address: 192.168.1.1
- Subnet mask: 255.255.255.0

**Sophos:**
- LAN interface: 192.168.1.79
- WAN interface: 192.168.2.1

**Local service ACL exception rule:**
- Source zone: WAN
- Source network: WAN (192.168.1.0/24)
- Destination host: 192.168.2.1
- Services: HTTPS
- Action: Accept

**WAN_TO_LAN firewall rule:**
- Source zones: WAN (port2)
- Source network: WAN (192.168.1.0/24)
- Destination zones: LAN (port1)
- Destination networks: ACCESS_TO_LAN (192.168.2.0/24), SOPHOS (192.168.2.1)
- Services: HTTPS, PROXMOX/8006, SOPHOS/4444

##### Problem description

I have a connectivity problem: devices on the 192.168.1.0/24 network cannot reach services on the 192.168.2.0/24 network or the Sophos management panel at 192.168.2.1.

**Details:**
- The router cannot be set to bridge mode.
- The router has a DMZ configured for 192.168.1.79.
- Connection attempts from a phone (192.168.1.33) over Wi-Fi fail.
- Pinging from 192.168.2.1 to the 192.168.1.0/24 network succeeds.
- Pinging from the 192.168.1.0/24 network to the 192.168.2.0/24 network fails, and no logs show the attempt.
- Pinging port 1 (Sophos LAN, 192.168.1.79) from the 192.168.1.0/24 network fails.
- Connecting a laptop via cable with network settings 192.168.1.78, 255.255.255.0 and gateway 192.168.1.79 allows access to the management panel at 192.168.2.1.

##### Request for help

I need help diagnosing why devices on the 192.168.1.0/24 network cannot access the services and the management panel on the 192.168.2.0/24 network despite the configuration above. Any suggestions or observations about what might be wrong or what additional configuration might be needed would be greatly appreciated.



Added TAGs
[edited by: Raphael Alganes at 11:53 PM (GMT -7) on 18 Jul 2024]
  • Hello Dominic,

    Thanks for reaching out to Sophos Community. 

    I suspect you're missing a static route on the "Router" and on the Sophos Firewall. You need to:

    - configure a static route on the router to introduce the 192.168.2.0 network (Sophos WAN network);

    - then configure a static route on the Sophos Firewall introducing the 192.168.1.0 network (you may follow this document guide on how to configure a static route on SF: https://docs.sophos.com/nsg/sophos-firewall/20.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/Routing/StaticRouting/index.html);

    - then a firewall rule on SF configuring the appropriate source zone/network and destination zone/network.

    Notice that these two tests succeed:

    - Pinging from 192.168.2.1 to the 192.168.1.0/24 network succeeds.

    This succeeded because 2.1 (the "Sophos WAN" IP) is directly connected to the "Router" IP 192.168.1.1 through the "Sophos LAN" IP 192.168.1.79.

    - Connecting a laptop via cable with network settings 192.168.1.78, 255.255.255.0 and gateway 192.168.1.79 allows access to the management panel at 192.168.2.1.

    This succeeded because you explicitly set the default gateway to 192.168.1.79, which is the "Sophos LAN" IP that is directly connected to the 192.168.2.0 network.

    On the other hand, these two statements I do not clearly understand:

    - The router has a DMZ configured on 192.168.1.79.
    - Pinging port 1 (Sophos LAN, 192.168.1.79) from the 192.168.1.0/24 network fails.

    You said the "Router" has a "DMZ" configured at 192.168.1.79. Could you elaborate on this further? Because as I see on the diagram you provided, 192.168.1.79 is the "Sophos LAN" IP. This is what I suspect is why pinging port1 from 192.168.1.0/24 fails.

    Further, I think you have a somewhat confusing network setup. I may recommend and point out a few things; it is completely up to you whether you take them and whether they fit your technical considerations/requirements.

    1. The 192.168.2.0/24 network is connected to the Sophos Firewall WAN zone, and then you're connecting through the "LAN" zone to reach the "Router", which I assume is the default gateway to the internet. This may potentially cause a NAT (MASQ) issue when traffic comes into a LAN port and then gets NATed on the WAN zone through the FW rule/NAT.

    2. I may recommend that you bridge the Sophos Firewall into the existing 192.168.1.0 network instead; you may follow the use case here:

     Transparently insert Sophos XG in a working network 

    - This way you can still filter traffic for clients behind the Sophos Firewall without disrupting your current network setup.

    3. Make the necessary changes to the interface zones. This way your network setup (zones, networks, static routes and FW rules) would be more straightforward.

    - And, if you can, kindly avoid the 192.168.1.x / 192.168.0.x schemes, as these might cause network issues down the road (e.g. these IP ranges are the usual out-of-the-box defaults of general networking devices such as home routers, IP cams, printers, etc.).

    With all this being said, I do hope we're able to assist you with your case. If you want to take this further, I recommend you reach out to your Sophos Sales Engineer or Sophos Partner.

    Hope you have a nice day and thank you for choosing Sophos.

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
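The missing-route diagnosis in the reply above, as an added example that is not part of the original thread or of Sophos' own documentation: a small longest-prefix-match routing simulation in Python over the addresses the thread gives (ISP router 192.168.1.1, Sophos port2 192.168.1.79, Sophos port1 192.168.2.1, phone 192.168.1.33, laptop 192.168.1.78). The routing tables, device names and interface names are constructed assumptions; the ISP router is assumed to know only 192.168.1.0/24 plus a default route towards the ISP, and "pc" 192.168.2.3 is taken from the diagram posted later in the thread. Firewall rules, NAT and the router's DMZ setting are not modelled.

```python
"""Longest-prefix-match route lookup over the topology described in the thread.

Added example, not code from the original post or from Sophos. All routing
tables below are constructed assumptions built from the addresses in the thread;
firewall rules, NAT and the router DMZ are deliberately left out.
"""
import copy
import ipaddress

# Each route is (prefix, next_hop, interface); next_hop None means "on-link".
DEVICES = {
    "phone": {  # Wi-Fi client, default gateway is the ISP router
        "addrs": {"192.168.1.33"},
        "routes": [("192.168.1.0/24", None, "wlan0"), ("0.0.0.0/0", "192.168.1.1", "wlan0")],
    },
    "laptop": {  # cabled test host with its gateway pointed at the Sophos WAN IP
        "addrs": {"192.168.1.78"},
        "routes": [("192.168.1.0/24", None, "eth0"), ("0.0.0.0/0", "192.168.1.79", "eth0")],
    },
    "router": {  # ISP router: assumed to know only its own LAN and the Internet
        "addrs": {"192.168.1.1"},
        "routes": [("192.168.1.0/24", None, "lan"), ("0.0.0.0/0", "ISP", "wan")],
    },
    "sophos": {  # both networks are directly connected (port2 = WAN, port1 = LAN)
        "addrs": {"192.168.1.79", "192.168.2.1"},
        "routes": [("192.168.1.0/24", None, "port2"), ("192.168.2.0/24", None, "port1"),
                   ("0.0.0.0/0", "192.168.1.1", "port2")],
    },
    "pc": {  # host behind the Sophos LAN, taken from the later diagram
        "addrs": {"192.168.2.3"},
        "routes": [("192.168.2.0/24", None, "eth0"), ("0.0.0.0/0", "192.168.2.1", "eth0")],
    },
}


def lookup(routes, dst):
    """Longest-prefix match: return (next_hop, interface), or None if nothing matches.
    On-link routes are reported with next_hop "on-link"."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, nh, iface in routes:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, iface)
    if best is None:
        return None
    return (best[1] or "on-link", best[2])


def trace(src, dst, devices=None, max_hops=8):
    """Follow next hops from device `src` toward address `dst`.
    Returns (list of devices traversed, status string)."""
    devices = DEVICES if devices is None else devices
    by_addr = {a: name for name, dev in devices.items() for a in dev["addrs"]}
    path, cur = [src], src
    for _ in range(max_hops):
        hop = lookup(devices[cur]["routes"], dst)
        if hop is None:
            return path, "no route"
        nh, _iface = hop
        if nh == "on-link":
            owner = by_addr.get(dst)
            if owner is None:
                return path, "no host with that address on the link"
            if owner != cur:
                path.append(owner)
            return path, "delivered"
        if nh not in by_addr:  # next hop is not one of our devices: packet leaves the LAN
            return path, f"leaves LAN via {nh}"
        cur = by_addr[nh]
        path.append(cur)
    return path, "hop limit exceeded"


def with_router_route(devices=None):
    """Copy of the topology with the static route the reply recommends on the ISP
    router: 192.168.2.0/24 via 192.168.1.79 (the Sophos WAN address)."""
    fixed = copy.deepcopy(DEVICES if devices is None else devices)
    fixed["router"]["routes"].insert(0, ("192.168.2.0/24", "192.168.1.79", "lan"))
    return fixed


if __name__ == "__main__":
    for src, dst in [("phone", "192.168.2.3"), ("laptop", "192.168.2.1"),
                     ("sophos", "192.168.1.33")]:
        print(src, "->", dst, trace(src, dst))
    print("after static route on router:", trace("phone", "192.168.2.3", with_router_route()))
```

Running it reproduces the three observations from the post: the phone's packets go to the ISP router, which has no route for 192.168.2.0/24 and forwards them to its default gateway, so they never reach the Sophos and it logs nothing; the laptop works because its gateway is the Sophos WAN address directly; and the Sophos reaches 192.168.1.0/24 because that network is on-link on port2. With `with_router_route()` applied, the phone's path becomes phone -> router -> sophos -> pc. Whether the Sophos then accepts the traffic still depends on the firewall rule and NAT settings the model leaves out.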

  • Sorry, I made a mistake in the network diagram. When I wrote the post, I had set the DMZ on the router under Router > Advanced > DMZ > 192.168.1.79 (the WAN port of SOPHOS). I wanted it to pass all network traffic, which was supposed to be blocked by the FIREWALL and configured there with FIREWALL RULES. This is probably not safe.

    Now I have configured specific port forwarding on the ISP router and DNAT on the Sophos for the services I want to expose. To connect to the Sophos control panel at 192.168.2.1, I will likely configure SSL VPN Remote Access.

    I am new to computer networks and UTM. I would appreciate it if you could share some tips or posts worth looking at.

    Internet
    └─Router ISP (192.168.1.1)
      └─WAN SOPHOS (192.168.1.79)
        └─LAN SOPHOS (192.168.2.1)
          └─Mikrotik switch (192.168.2.2)
            ├─PC (192.168.2.3)
            └─PROXMOX (192.168.2.10)
              ├─VM Win
              ├─VM WinServer
              └─VM DEBIAN (192.162.2.100)
                └─Docker
                  └─Services (192.168.2.0/24)

  • Hello Dominik,

    I may recommend that you follow option number 3 outlined above for your setup.

    For a less disruptive setup on your network, option number 2.

    Then for this requirement:

    Now, I have configured specific port forwarding on the ISP router and DNAT on the Sophos for the services I want to expose. To connect to the Sophos control panel at 192.168.2.1, I will likely configure SSL VPN Remote Access.

    Likely you will need to follow this guide below:

     Sophos Firewall: How To Configure SSL VPN Remote Access When Sophos Firewall is Behind a NAT Device 

    Thanks,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support