
Possible to use the same network/subnet for VPN clients as the internal interface?

I am using Sophos UTM 9. I often connect to the network via the "SSL VPN" from my macOS computer with OpenVPN/"Viscosity" front-end. The default network for SSL VPN is 10.242.222.0/24 (or something similar) and the internal network is 172.30.0.0/16. There are many devices on the network that are dual-homed and have both local network (172.30.0.0/16) IP addresses and Internet IP addresses, with the Internet/WAN IP address as their default, and the gateway is not the Sophos UTM device. I must add rules to these devices' route tables so that they know to access 10.242.222.0/24 via the local Sophos gateway at 172.30.0.1.

In the past I have used Netgear Prosafe devices with PPTP and have been able to use the same internal network for the VPN clients, removing the need to route 10.242.222.0/24 via the Sophos device.

Does Sophos support this? And if so, how is it done? Some kind of double-NAT situation?

What I'd like to do is set aside a /29 within the network for VPN clients only, such as 172.30.0.32/29, so that there is no chance of collision.

Any input is appreciated.

Thank you!

  • I use masquerade for this.

    Masquerade VPN traffic with the internal interface, for example.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Are you referring to the 'virtual static-IP' technique, described in the documentation, wherein VPN clients assigned dynamic IPs within the VPN IP pool (e.g. 10.242.2.0/24) can be assigned 'static' IPs, virtually, by way of SNAT/DNAT tricks? I forgot about this. I wasn't sure if it could be used with the same subnet as the internal network, but now that I think of it, it should be able to. If this isn't what you're referring to, can you provide a link describing how to configure what you did?

    Thanks

  • No, what I mean is simple masquerading.
    All VPN users are hidden behind the local interface IP.

    The disadvantage: you cannot reach the VPN clients from the local network.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.
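To make the two options in this thread concrete, here is an added example (not code from the thread, from Sophos, or from the UTM itself) that models both the routing problem in the original question and the masquerade trade-off Dirk describes. The prefixes 172.30.0.0/16, 10.242.222.0/24, 172.30.0.32/29 and the gateway 172.30.0.1 are taken from the question; the host names, port numbers and the tiny connection-tracking table are constructed for illustration and are a simplification of what real NAT on the firewall does.

```python
import ipaddress

# Prefixes quoted in the thread; 172.30.0.1 is the UTM's internal IP from the question.
LAN = ipaddress.ip_network("172.30.0.0/16")
VPN_POOL = ipaddress.ip_network("10.242.222.0/24")
VPN_CARVEOUT = ipaddress.ip_network("172.30.0.32/29")  # the /29 the question proposes
UTM_INTERNAL_IP = "172.30.0.1"


def needs_host_route(dst_ip: str, default_gw_is_utm: bool) -> bool:
    """Does a dual-homed LAN host need an explicit route to reach dst_ip?

    A host whose default gateway is its WAN router sends VPN-pool traffic out the
    wrong interface unless it has a route for 10.242.222.0/24 via 172.30.0.1.
    A destination inside 172.30.0.0/16 is on-link and needs no extra route, which is
    why carving the VPN range out of the LAN prefix removes the per-host routes.
    """
    dst = ipaddress.ip_address(dst_ip)
    if dst in LAN:
        return False
    return dst in VPN_POOL and not default_gw_is_utm


class Masquerade:
    """Toy model of masquerading VPN clients behind the UTM's internal interface IP.

    Outbound flows (VPN client -> LAN host) get their source rewritten and a
    conntrack entry; inbound packets are forwarded only if they match an entry,
    i.e. only replies get back to the client. Ports are constructed sample values.
    """

    def __init__(self, masq_ip: str, first_port: int = 40000):
        self.masq_ip = masq_ip
        self.next_port = first_port
        # (masq_port, lan_ip, lan_port) -> (client_ip, client_port)
        self.conntrack = {}

    def outbound(self, client_ip, client_port, lan_ip, lan_port):
        """VPN client -> LAN: rewrite the source to the masq IP and record the flow."""
        if ipaddress.ip_address(client_ip) not in VPN_POOL:
            raise ValueError("only VPN-pool sources are masqueraded in this model")
        port = self.next_port
        self.next_port += 1
        self.conntrack[(port, lan_ip, lan_port)] = (client_ip, client_port)
        return (self.masq_ip, port, lan_ip, lan_port)

    def inbound(self, lan_ip, lan_port, dst_ip, dst_port):
        """LAN -> masq IP: de-NAT a reply, or return None (dropped) for anything else.

        LAN hosts only ever see the masq IP, so a packet to any other address, or to
        a masq port with no conntrack entry, never reaches a VPN client.
        """
        if dst_ip != self.masq_ip:
            return None
        orig = self.conntrack.get((dst_port, lan_ip, lan_port))
        if orig is None:
            return None
        client_ip, client_port = orig
        return (lan_ip, lan_port, client_ip, client_port)


def lan_can_initiate_to_vpn_client(nat: Masquerade, lan_ip: str, client_ip: str) -> bool:
    """A LAN host tries to open a fresh connection (say, port 22) to a VPN client.

    Under masquerade the client's real address is hidden and there is no conntrack
    entry for an unsolicited packet, so this is exactly Dirk's stated disadvantage.
    """
    return nat.inbound(lan_ip, 50000, client_ip, 22) is not None


if __name__ == "__main__":
    print("dual-homed host needs route to VPN pool:",
          needs_host_route("10.242.222.10", default_gw_is_utm=False))
    print("carve-out sits inside LAN prefix:", VPN_CARVEOUT.subnet_of(LAN))
    nat = Masquerade(UTM_INTERNAL_IP)
    print("client -> LAN as seen by LAN host:",
          nat.outbound("10.242.222.10", 51515, "172.30.5.20", 445))
    print("reply de-NATed:", nat.inbound("172.30.5.20", 445, UTM_INTERNAL_IP, 40000))
    print("LAN can start a connection to the client:",
          lan_can_initiate_to_vpn_client(nat, "172.30.5.20", "10.242.222.10"))
```

The first function shows why the question arises at all: only destinations outside 172.30.0.0/16 need the extra route on hosts whose default gateway is not the UTM. The masquerade model shows what Dirk's answer buys (LAN hosts never need a route to the pool, because they only ever see 172.30.0.1) and what it costs (no LAN-initiated connections to VPN clients).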
