This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Assign a second public subnet to DMZ

pgross 3 months ago

Hi,

I'm using a XGS116 with SFOS 20.0.1 MR-1-Build342.

I've got a public subnet 1 (2.1.1.0/30) assigned by the ISP.
2.1.1.1 is their gateway.
2.1.1.2 is used as static IP of PortF1 (ISP1).
I've got a backup connection on Port3 (ISP2).
I've defined a SD-WAN-Route with ISP1 and ISP2 as primary and secondary gateway.
The route matched all traffic to Internet IPv4 Group.

Now I've got a second subnet by ISP1.
3.1.1.0/29 with gateway 3.1.1.1
My DMZ is on Port 2.

I'd like to assign this subnet solely to DMZ without using NAT.
I've tried to create a bridge between PortF1 and Port2, assigning 2.1.1.2 as IP and 2.1.1.1 as gateway.

This steps kind of destroyed the entire configuration (SD-WAN rules, site-to-site VPN connections, .... were gone).
But the new IPs (e.g. 3.1.1.2) weren't working on the machines located in the DMZ.

Did I miss anything?

All IP addresses are fictitious!

This thread was automatically locked due to age.

Top Replies

Mayur Makvana 3 months ago in reply to pgross +3 suggested

Hello, My bad, you need to add static route specifying destination. It will look like below: Destination IP: Specify the destination IP Address . Example: 1.1.1.3 & 1.1.1.4 Netmask: Specify the…

Parents

+1 Mayur Makvana 3 months ago

Hello,

You shall have to configure the proxy ARP to achieve this.

support.sophos.com/.../KB-000035927

Mayur Makvana
Technical Account Manager | Global Customer Experience
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up +1 Vote Down

Cancel
0 pgross 3 months ago in reply to Mayur Makvana

Thanks, I'll try this.

The article says in step 3: Create similar unicast routes for the other two servers using the steps above.

What should this route look like?

Destination 1.1.1.3 on interface Port3-10.10.1.1
Destination 1.1.1.4 on interface Port3-10.10.1.1

?
Cancel
Vote Up 0 Vote Down

Cancel
0 Mayur Makvana 3 months ago in reply to pgross

Hello,

Here, 1.1.1.3 and 1.1.1.4 assigned to the servers which are under Port3 DMZ zone as per the diagram given. These are not routes, we are defining transparent subnet gateway.

In your case, you shall have to add these for the internal servers on which you assigns the public IP directly (Which will be from 3.1.1.0/29 subnet as you specified in your notes).

Mayur Makvana
Technical Account Manager | Global Customer Experience
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 pgross 3 months ago in reply to Mayur Makvana

Ok, so what is meant by the sentence "Create similar unicast routes for the other two servers using the steps above"?
Cancel
Vote Up 0 Vote Down

Cancel
0 Mayur Makvana 3 months ago in reply to pgross
Hello,

My bad, you need to add static route specifying destination.

It will look like below:

Destination IP: Specify the destination IP Address. Example: 1.1.1.3 & 1.1.1.4

Netmask: Specify the Subnet Mask. Example: /32(255.255.255.255)

Interface: Select the interface, Physical, Virtual, or an Alias. Example: Port 3

Distance: Specify the distance for routing, the setting can be between 0 and 255. Example: 0
Mayur Makvana
Technical Account Manager | Global Customer Experience
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up +3 Vote Down

Cancel

Reply

0 Mayur Makvana 3 months ago in reply to pgross
Hello,

My bad, you need to add static route specifying destination.

It will look like below:

Destination IP: Specify the destination IP Address. Example: 1.1.1.3 & 1.1.1.4

Netmask: Specify the Subnet Mask. Example: /32(255.255.255.255)

Interface: Select the interface, Physical, Virtual, or an Alias. Example: Port 3

Distance: Specify the distance for routing, the setting can be between 0 and 255. Example: 0
Mayur Makvana
Technical Account Manager | Global Customer Experience
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up +3 Vote Down

Cancel

Children

0 pgross 3 months ago in reply to Mayur Makvana

Hi,

I've got it working!

Thank you!
Cancel
Vote Up 0 Vote Down

Cancel
0 Mayur Makvana 3 months ago in reply to pgross

Hello,

Thank you for feedback. We are glad to hear that the issue is fixed.

Mayur Makvana
Technical Account Manager | Global Customer Experience
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel