
Question: add an additional public subnet on Sophos SG UTM

Hello,

I have a question about how to add an additional public subnet to the SG UTM.

But first, the initial situation. So far I have a public IP (112.50.20.108/29) on the WAN interface of the UTM. The provider specified the IP 112.50.20.105/29 as the gateway. Additionally I got the IPs 112.50.20.109/29 and 112.50.20.110/29. I have entered these as additional IP addresses on the UTM. This works very well; I can use these IP addresses without any problems.

But now I need additional public IPs. For this purpose the provider gave me another subnet (112.50.20.112/29). How do I integrate this on the WAN interface of the UTM? It is another subnet. No further gateway address was provided for it; the gateway is still to be 112.50.20.105/29.

First public subnet and stored on the WAN interface of the UTM:

Network address:
112.50.20.104/29
Gateway:
112.50.20.105/29
WAN IP on the UTM:
112.50.20.108

Host range:
112.50.20.105
to:
112.50.20.110


New second subnet:
Network address:
112.50.20.112/29

Host range:
112.50.20.113
to:
112.50.20.118

How can I store this on the WAN interface of the UTM?

  • Hi,

    just add the first IP 112.50.20.113 as an additional IP on the WAN interface.

    bye Josef

    BERGMANN engineering & consulting GmbH, Wien/Austria

  • First of all, thank you for the answer. On the tab "Additional address" I entered this IP, but it does not work. I cannot reach the IP; with the previous public addresses it works fine.

    I noticed a peculiarity the other day when I used tracert. Before the IP 112.50.20.113 was stored under additional addresses, the last entry was the WAN IP 112.50.20.108. After that there is only * * *. The provider must forward directly to my WAN IP on its gateway.

    7 20 ms 20 ms 20 ms ....net [112.50.30.3]
    8 20 ms 20 ms 112.50.20.108
    9 * * * Request timeout.

    If I store 112.50.20.113 as an additional address, it looks like this.

    7 20 ms 20 ms 20 ms ....net [112.50.30.3]
    8 * * * Request timeout.

    What is the problem here? How can I use the new public IP addresses?

  • Hello and welcome to the UTM Community!

    Usually, I would create a DMZ with the additional public subnet, have the ISP route to it through 112.50.20.108 and give the internal devices public IPs in the DMZ subnet. Does that approach work in your situation?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Yes, that might be a possibility. For example, I would like to run the SPX portal from the UTM over one of the new public IP addresses.

    What would be the best way to configure this on the UTM? Do I need to create that as a physical interface or a VLAN or something else?

    And what do I specify as the gateway on this interface? The ISP said that there is no gateway from them in this subnet.

  • Hi,

    it should work as I mentioned (use one IP from the additional net). The only important thing is that the provider routes the additional net 112.50.20.112/29 to your WAN IP 112.50.20.108.

    The filtered traceroute is no sign of a mistaken configuration here. traceroute uses UDP packets by default, which mostly get filtered. If you want to test this, first allow ping on the WAN side (Network Protection -> ICMP -> Gateway is ping visible) and then use "traceroute -I 112.50.20.113" (or similar, to use ICMP in traceroute).

    bye Josef

    BERGMANN engineering & consulting GmbH, Wien/Austria
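As an added example that is not part of this thread: a small standard-library Python helper that classifies candidate public IPs against the WAN interface the way Josef describes, marking which ones the provider gateway can reach by ARP (on-link) and which belong to a separately assigned block that the provider must first route to the WAN IP. The function name and the result layout are my own, not a Sophos UTM API; the addresses in the demo are the ones from the thread.

```python
import ipaddress


def plan_additional_addresses(wan_cidr, gateway, extra_nets, extra_ips):
    """Classify candidate public IPs relative to the firewall's WAN link.

    wan_cidr   -- the WAN IP with its prefix, e.g. "112.50.20.108/29"
    gateway    -- the provider gateway on that link
    extra_nets -- additional blocks the provider assigned, e.g. ["112.50.20.112/29"]
    extra_ips  -- individual IPs you intend to bind as additional addresses

    Each IP becomes "on-link" (the gateway resolves it by ARP, so binding it
    is enough), "routed" (the provider must forward the whole block to the
    WAN IP before it can work), or "unusable" (network/broadcast address,
    the gateway, the WAN IP itself, or an address that was never assigned).
    """
    wan = ipaddress.ip_interface(wan_cidr)
    gw = ipaddress.ip_address(gateway)
    if gw not in wan.network:
        raise ValueError(f"gateway {gw} is not inside WAN subnet {wan.network}")
    blocks = [ipaddress.ip_network(n) for n in extra_nets]
    plan = {}
    for raw in extra_ips:
        ip = ipaddress.ip_address(raw)
        if ip in wan.network:
            net, kind = wan.network, "on-link"
        else:
            net = next((b for b in blocks if ip in b), None)
            kind = "routed" if net is not None else "unusable"
        if net is not None:
            # network and broadcast addresses, the gateway and the WAN IP cannot be bound
            is_host = net.network_address < ip < net.broadcast_address
            if not is_host or ip in (gw, wan.ip):
                kind = "unusable"
        entry = {"kind": kind, "block": str(net) if net is not None else None}
        if kind == "routed":
            # what the ISP has to configure upstream for this block
            entry["provider_route"] = f"{net} via {wan.ip}"
        plan[raw] = entry
    return plan


if __name__ == "__main__":
    # constructed demo input taken from the thread's two /29 blocks
    demo = plan_additional_addresses(
        "112.50.20.108/29", "112.50.20.105", ["112.50.20.112/29"],
        ["112.50.20.109", "112.50.20.113", "112.50.20.112", "112.50.20.105"])
    for ip, info in demo.items():
        print(ip, info)
```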

  • So I simply entered the IP 112.50.20.113 from the new subnet under "Interface & Routing → Interface → Additional Addresses". There is also 112.50.20.113 on Interface eth1 (Internet). So I also entered the other IP addresses from the previous subnet (112.50.20.104/29) and they work fine. But the new subnet (112.50.20.112/29), for example the 112.50.20.113 does not work. I looked again and ICMP is visible. (Network Protection -> ICMP -> Gateway is ping visible).

    Then I used traceroute -I 112.50.20.113 and the result is the same as above. You can see above that the ISP forwards it to 112.50.20.108, this was also assured to me by the ISP. Also a direct ping to the new IP 112.50.20.113 is not possible. On the previous and other IP addresses (112.50.20.104/29) under Additional Addresses a ping is possible.

    I have also changed the SPX portal of the UTM (Email Protection → SPX Encryption) to the new IP 112.50.20.113 on a test basis, but it does not work. If I change it back to 112.50.20.108, for example, the portal works again. Similarly, 112.50.20.109 works, so the portal works, but not with 112.50.20.113 or any other IP from the new subnet.

  • So I simply entered the IP 112.50.20.113 from the new subnet under "Interface & Routing → Interface → Additional Addresses". There is also 112.50.20.113 on Interface eth1 (Internet).

    Do you have the IP 112.50.20.113 in Additional Addresses and also on the interface eth1 itself?

    Send me by PM a screenshot of "Interfaces" Internet/eth1 "Edit Interface" and of "Additional Addresses", and one from "Network Protection" NAT -> Masquerading and NAT.

    bye Josef

    BERGMANN engineering & consulting GmbH, Wien/Austria