Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
Table of Content
Overview:
To avoid conflicting routing issues that can result in malfunctioning RED connection problems between Sophos Firewall or UTM, we recommend always avoiding having the RED uplink network overlap with any split network part of the configuration.
For example, the RED uplink router has a network range of 192.168.1.0/24, and one of the internal split networks has the same network.
It is very common for some ISPs to provide the routes/modem preset DHCP configuration to their devices on the range 192.168.1.0/24, which means that the RED WAN link will pull one IP from this range.
Scenario:
In a scenario where the conflict exists, it is possible to see some fallback calls on the syslog.log pulled out from the RED log, which are used whenever there might be a configuration/setup problem with the RED.
2019:08:01-11:40:10 hq-1 red_server[6922]: A3501F4A4555555: command '\{"data":
{"message":"Received device configuration from UTM using network fallback mode successfully"},"type":"DISCONNECT"}'
NOTE: In some circumstances having the RED uplink network overlapping with one of the split networks,
will not affect the tunnel connectivity, but those events having this configuration will not be guaranteed since this is not a supported setup.
What are the options or recommended approaches?
- Change the internal network of that split network being advertised
- Change the modem's private IP range to not be in the split network range (easiest and recommended)
- Change to full tunnel
- Put the ISP modem into bridge mode and have the public IP on the WAN interface of the RED. This won’t work if it's a PPPoE connection (most difficult, and not many modems and ISPs support this)
Revamped RR
[edited by: Erick Jan at 3:36 AM (GMT -7) on 10 Oct 2024]