Possible to use the same network/subnet for VPN clients as the internal interface?

I am using Sophos UTM 9. I often connect to the network via the "SSL VPN" from my macOS computer with OpenVPN/"Viscosity" front-end. The default network for SSL VPN is 10.242.222.0/24 (or something similar) and the internal network is 172.30.0.0/16. There are many devices on the network that are dual-homed and have both local network (172.30.0.0/16) IP addresses and Internet IP addresses, with the Internet/WAN IP address as their default, and their gateway is not the Sophos UTM device. I must add rules to these devices' route tables so that they know to access 10.242.222.0/24 via the local Sophos gateway at 172.30.0.1.

In the past I have used Netgear Prosafe devices with PPTP and have been able to use the same internal network for the VPN clients, removing the need to route 10.242.222.0/24 via the Sophos device.

Does Sophos support this? And if so, how is it done? Some kind of double-NAT situation?

What I'd like to do is set aside a /29 within the network for VPN clients only, such as 172.30.0.32/29, so that there is no chance of collision.

Any input is appreciated.


Thank you!


  • I use masquerade for this.

    Masquerade VPN traffic with the internal interface, for example.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Are you referring to the 'virtual static-IP' technique, described in the documentation, wherein VPN clients assigned dynamic IPs within the VPN IP pool (e.g. 10.242.2.0/24) can be assigned 'static' IPs, virtually, by way of SNAT/DNAT tricks? I forgot about this. I wasn't sure if it could be used with the same subnet as the internal network, but now that I think of it, it should be able to. If this isn't what you're referring to, can you provide a link describing how to configure what you did?


    Thanks

  • No, what I mean is simple masquerading.
    All VPN users are hidden behind the local interface IP.

    The disadvantage: you cannot reach the VPN clients from the local network.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Brian, Remote Access via the SSL VPN uses four (4) IPs per connected user, so a /29 is likely too small to make your idea practical. Without knowing how many SSL VPN users you have, it's hard to know if Dirk's solution is the only one for you.

    Where you have very few such users, you can use the following trick:

    1. For User brian, create a /32 Additional Address on the Internal interface "Internal [brian] (Address)"
    2. Create a NAT rule like 'SNAT : brian (User Network) -> Any -> Internal (Network) : from Internal [brian] (Address)'

    In that way, accesses by user brian will have a unique IP. A side benefit is that you can create a DNAT to reach the remote device from inside the LAN.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
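As an added illustration, not code from this thread or from Sophos, here is a small Python model of the two approaches discussed above: Dirk's masquerade (all clients hidden behind the internal interface IP, so no LAN-initiated access to a client) and Bob's per-user /32 SNAT plus DNAT (a unique LAN-side address per user that the LAN can also reach). The addresses 10.242.222.6 and 172.30.0.40 for user brian are assumed sample values; the subnets are the ones from the thread.

```python
from ipaddress import ip_address, ip_network

# Subnets from the thread; the per-user mapping below is an assumed sample value.
VPN_POOL = ip_network("10.242.222.0/24")   # SSL VPN client pool
INTERNAL = ip_network("172.30.0.0/16")     # LAN
INTERNAL_IF = ip_address("172.30.0.1")     # UTM internal interface, the masquerade address
# user -> (tunnel IP from the pool, /32 Additional Address on Internal, "Internal [brian] (Address)")
STATIC = {"brian": (ip_address("10.242.222.6"), ip_address("172.30.0.40"))}


class VpnNat:
    """Toy NAT engine: mode is 'masquerade' (Dirk) or 'static' (Bob's per-user SNAT + DNAT).
    Flows are tracked by address pair only; ports are omitted to keep the model short."""

    def __init__(self, mode):
        self.mode = mode
        self.conntrack = {}  # (translated src, LAN dst) -> original tunnel src

    def outbound(self, src, dst):
        """VPN client -> LAN packet; returns the source address the LAN host sees."""
        src, dst = ip_address(src), ip_address(dst)
        if src not in VPN_POOL or dst not in INTERNAL:
            return str(src)                     # NAT rule does not match, packet untouched
        if self.mode == "masquerade":
            new_src = INTERNAL_IF               # every client hidden behind 172.30.0.1
        else:
            new_src = next((lan for vpn, lan in STATIC.values() if vpn == src), None)
            if new_src is None:                 # user without a rule: LAN still needs a route
                return str(src)
        self.conntrack[(new_src, dst)] = src
        return str(new_src)

    def inbound(self, src, dst):
        """LAN host -> NATed address; returns the tunnel IP it is delivered to, or None."""
        src, dst = ip_address(src), ip_address(dst)
        if (dst, src) in self.conntrack:        # reply to a tracked flow: reverse the SNAT
            return str(self.conntrack[(dst, src)])
        if self.mode == "static":               # DNAT: Internal [brian] (Address) -> tunnel IP
            for vpn, lan in STATIC.values():
                if dst == lan:
                    return str(vpn)
        return None  # masquerade has no inbound mapping: the LAN cannot reach VPN clients


def users_fitting(pool):
    """Bob's rule of thumb: four IPs per connected SSL VPN user."""
    return ip_network(pool).num_addresses // 4
```

Running both modes against the same packets shows that only the static mode lets an unsolicited LAN packet reach a client, and that a /29 such as 172.30.0.32/29 leaves room for just two users under the four-IPs-per-user rule.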