
Configuring Firewall with LAN with private IPs and DMZ with public IPs

Hello

I want to configure my Firewall to have a private LAN with private IP Addresses and a DMZ Zone with our public range (255.255.255.224).

In the public zone it must be possible to reach the devices directly by public IP address and to connect via VPN to have access to data in a secure way.

How could it be done?

I created a simple picture for illustration.

Thank you for replying.

Regards

Chris

  • The Sophos XG Firewall has the ability to become a multi-port bridge and can therefore be used as a layer 2 switch or router to interconnect multiple segments.

    1.) You will need to create a multi-port bridge, bridging your WAN interface to your DMZ interface.
    See Video: www.youtube.com/watch

    NOTE: Just be sure you select the appropriate Zone and Interface according to your setup/configuration.

    2.) You would use a Network Policy to restrict/limit access from LAN to DMZ.

    NOTE: If you are looking to use a VPN tunnel, the VPN would have to be terminated on the server itself, so the server would have to be a VPN server; otherwise the data would come from the client on the LAN to the XG Firewall encrypted, then the XG Firewall would decrypt it and send it to the DMZ insecurely.

    Stay tuned in to our YouTube channel for more HOW TO VIDEOS to come!
  • Chris, were you ever able to get this working? I am trying to do pretty much the exact same thing. I am currently testing both the UTM 9 and XG for our office network. I had no problem doing this on the UTM 9, but can't seem to get it working on the XG. Once I create the bridge pair, I lose internet access from the LAN side.

    Matthew

    -----------------------
    SG210/UTM 9.407-3

  • Hey Matthew,

    A couple of questions: is it DNS-related, or can you not even ping the WAN gateway or Google DNS 8.8.8.8? Also, is routing enabled on the bridged interface pair?

  • I can't even ping the gateway, let alone an upstream address like Google's 8.8.8.8.

    I have tried with routing enabled, and with routing disabled, though I assume that 'enabled' is what it should be set to. Before I create the bridge (that is, with just a LAN and WAN interface) pings and DNS resolution work fine from the LAN segment. The bridge bungles it all.

    This is on an ESXi VM, with the LAN and DMZ connected to isolated vSwitch networks.

    -----------------------
    SG210/UTM 9.407-3

  • Chris,

    What Alan said is correct. You are trying to use the same IP subnet across two different NICs. You have to bridge WAN and DMZ together in order to get it working, but to be honest, bridging WAN and DMZ is not really safe.

    What I advise you is to talk to your ISP and split your public IPs into two subnets (one for WAN and one for DMZ). You will lose some public IPs, but this is the best way IF you want to use public IPs in the DMZ.

    VPN, instead, should terminate on WAN.

  • Hi

    We use only public IPs in our DMZ, but we have also added a private IP network for internal routing.

    In the static routing interface we have added the public IP address with the interface but without a gateway.

    The servers have a normal private IP address with a private gateway IP.

    Now we have added a public IP address /32 on each server as a secondary.

    The good thing is we can use all IP addresses and don't need a network or broadcast IP.
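    The three DMZ addressing designs raised in this thread (bridging WAN and DMZ, asking the ISP to split the /27, and keeping a private DMZ with each public address routed as a /32) can be compared with a short script. This is an added example, not code from the thread or from Sophos; the 203.0.113.0/27 block, the 192.168.10.0/24 LAN, the 10.99.0.0/24 DMZ transit network and the interface name "Port3" are constructed sample values.

```python
import ipaddress

# Constructed sample values (not from the thread): 203.0.113.0/27 is a documentation
# range standing in for the poster's /27 (255.255.255.224); 192.168.10.0/24 is the LAN
# and 10.99.0.0/24 the private DMZ transit network of the /32-secondary design.
PUBLIC_BLOCK = ipaddress.ip_network("203.0.113.0/27")
LAN_NET = ipaddress.ip_network("192.168.10.0/24")
DMZ_TRANSIT_NET = ipaddress.ip_network("10.99.0.0/24")


def usable_hosts(net):
    """Addresses left in a broadcast segment after removing network and broadcast."""
    return max(net.num_addresses - 2, 0)


def option_bridge(public):
    """WAN and DMZ bridged: the whole block is one L2 segment, so net/broadcast are lost."""
    return {"segments": [str(public)], "host_addresses": usable_hosts(public)}


def option_split(public, new_prefix=28):
    """ISP splits the block (one half WAN, one half DMZ): each half pays net/broadcast again."""
    subs = list(public.subnets(new_prefix=new_prefix))
    return {"segments": [str(s) for s in subs],
            "host_addresses": sum(usable_hosts(s) for s in subs)}


def option_host_routes(public, transit, dmz_if="Port3"):
    """Private DMZ, every public address routed as a /32 to the DMZ interface with no
    gateway (the later reply's design): no address is spent on network or broadcast."""
    # Iterating a network yields every address, including the first and last one.
    routes = [{"destination": f"{addr}/32", "interface": dmz_if, "gateway": None}
              for addr in public]
    return {"segments": [str(transit)], "host_addresses": len(routes), "routes": routes}


def validate_plan(lan, transit, public):
    """Checks worth running before committing a design: private space only on the inside,
    and no overlap between LAN, DMZ transit and the public block."""
    problems = []
    for name, net in (("LAN", lan), ("DMZ transit", transit)):
        if not net.is_private:
            problems.append(f"{name} {net} is not RFC 1918 space")
        if net.overlaps(public):
            problems.append(f"{name} {net} overlaps the public block {public}")
    if lan.overlaps(transit):
        problems.append(f"LAN {lan} overlaps DMZ transit {transit}")
    return problems
```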

  • Chris,

    I can confirm that this does work by creating the interface bridge and selecting both the WAN and DMZ zones with routing enabled on the bridged interface pair. lferrara has a good suggestion for splitting up your IP blocks; however, if you need all of your public IPs, why not just assign your servers private IPs, put them on a different subnet in the DMZ and just create the NATs to the DMZ using the Business Application Firewall Rules?

    -Alan

  • I have resolved my issue. Because I am testing XG in a VMware ESXi VM, I needed to enable Forged Transmits and Promiscuous mode on the vSwitch attached to my WAN interface. Once these changes were made, the WAN-DMZ bridge started forwarding traffic as desired.

    I hope this helps others, and thanks to all who responded on this issue.

    -----------------------
    SG210/UTM 9.407-3

  • Matthew,

    Nice to know you have fixed it. On the Community you will find other articles on how to deploy UTM and XG (bridge mode) inside VMware.

    [:D]