Configuring Firewall with LAN with private IPs and DMZ with public IPs

Question

Hello 
 I want to configure my Firewall to have a private LAN with private IP Addresses and a DMZ Zone with our public range (255.255.255.224). 
 In the public zone it must be possible to reach the devices directly by public IP address and to connect via VPN to have access to data in a secure way. 
 How it could be done? 
 I created a simple picture for illustration. 
 
 Thank you for replying. 
 Regards 
 Chris

Firewalls.com Inc · Answer

The Sophos XG Firewall has the ability to become a multi-port bridge therefore can be used as a layer 2 switch or router to interconnect multiple segments. 
 
1.) You will need to create a multi-port bridge, bridging your WAN interface to your DMZ interface. 
See Video: www.youtube.com/watch 
 
NOTE: Just be sure you select the appropriate Zone and Interface according to your setup/configuration. 
 
2.) You would use a Network Policy to restrict/limit access from LAN to DMZ. 
 
NOTE: If you are looking to use a VPN tunnel, the VPN would have to be terminated to the server itself so the server would have to be a VPN Server, else the data would come from the client on the LAN to the XG Firewall encrypted then the XG Firewall will decrypt this and send it to the DMZ insecure. 
 
Stay tuned in to our YouTube channel for more HOW TO VIDEOS to come!

lferrara · Answer

Chris, 
 What Alans said is correct. You are trying to use the same IP subnet among 2 different nic. You have to bridge wan and dmz together in order to get it working but to be honest bridging WAN and dmz is not really safe. 
 What I advice you is to talk to your isp and split your public IPs in 2 subnet (one for WAN and one for dmz). You will lose some public IP but this is the best way IF You want to use public ip in dmz. 
 Vpn, instead should terminate on WAN.

Firewalls.com Inc · Answer

Chris, 
 I can confirm functionality of this does work with creating the interface bridge and selecting both the WAN and DMZ zones with routing enabled on the bridged interface pair. lferrara has a good suggestion for splitting up your IP blocks, however if you need all of your public IP's why not just assign your servers private IP's, put them on a different subnet in the DMZ and just create the NAT's to the DMZ using the Business Application Firewall Rule's? 
 -Alan