Sophos XG Dual NIC setup and VMs IPs

jtmsrl

Oct 25, 2021
Hi, I'm new to Proxmox. I have a Supermicro X8SIL-F motherboard with dual NICs which I want to use in order to set up Sophos XG as my main router.

Right now, my PVE network configuration looks like this, listening at 192.168.10.5.


enp5s0 is connected to my ISP modem

My Sophos XG network devices are set as:
LAN: vmbr0
WAN: vmbr1


I can successfully connect to 172.16.16.16 when connecting the LAN port to a Windows machine; the machine gets an IP assigned (172.16.16.17) and I can connect to the internet.

The problem is that from this Windows machine I can no longer connect back to 192.168.10.5, which seems obvious. The not so obvious part (for me) is how I should configure my network in order to be able to connect back to Proxmox from this new network.

All my VMs seem to grab an IP from the 172.16.16.x range when the Sophos XG VM is up and running, but they get an IP from the 192.168.10.x range when it is not. I guess the main goal is to have everything get IPs in the 172.16.16.x range, or should this be a network configuration within Sophos XG itself?
 
I wouldn't give your PVE host an IP on vmbr1 if that bridge is used for WAN. That basically means your PVE management (SSH, WebUI and so on) is outside of your firewall and everyone on the internet can connect to it to try to hack your server.

In such a setup as you describe, in general you want all your hosts to be in your 172.16.16.0/24 subnet, including your Proxmox host itself. And all should use the Sophos LAN as gateway and DNS server. But such a setup without redundancy can cause problems.
Let's for example say you want to upgrade your PVE from one major version to another one. For that you should stop all your VMs, but at the same time you need an internet connection while upgrading. But if the Sophos VM is down, no host in your LAN is able to connect to the internet.
Another problem could be that a PVE upgrade isn't working for your hardware and because of bugs your VMs can't start anymore. If your VMs can't start you can't downgrade to the working version or install a hotfix anymore.
And a hypervisor is very complex, depends on a lot of software packages and runs on complex hardware. So it's way more likely that something will fail, and it can take many days to repair hardware or reinstall everything. In that case nothing (except for your mobile phone) has a working internet connection, which can be very annoying.

I don't know if Sophos supports HA, but with OPNsense/pfsense you can run two firewall VMs on different hardware and if one VM/server fails the other one will jump in and replace it within a second. This is all done on the fly because they both are always running and synced, so you can reboot or back up one of the hosts at any time and won't lose the connection even when playing online, downloading some big files or whatever.
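As an added illustration of the layout recommended above (this is an example written for this page, not the poster's own configuration), here is what a PVE `/etc/network/interfaces` could look like with the host addressed only on the LAN bridge and no address on the WAN bridge. The WAN NIC name enp5s0 comes from the thread; the LAN NIC name enp4s0 and the host address 172.16.16.5 are assumptions, and 172.16.16.16 is the Sophos LAN IP mentioned by the original poster.

```text
# /etc/network/interfaces on the PVE host (example layout, not the poster's file)
auto lo
iface lo inet loopback

# Physical NIC on the LAN side. The name enp4s0 is an assumption; the
# thread only names enp5s0 (the NIC cabled to the ISP modem).
iface enp4s0 inet manual

# NIC cabled to the ISP modem (named in the thread).
iface enp5s0 inet manual

# LAN bridge: the host gets its only address here, inside the firewall's
# 172.16.16.0/24 subnet, with the Sophos LAN IP (172.16.16.16) as gateway.
# 172.16.16.5 is an assumed host address. bridge-vlan-aware lets VLAN-tagged
# VMs and the Sophos VM share this one bridge.
auto vmbr0
iface vmbr0 inet static
    address 172.16.16.5/24
    gateway 172.16.16.16
    bridge-ports enp4s0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094

# WAN bridge: deliberately no address, so the host's management services
# (SSH, WebUI) are not reachable from the modem side. Only the Sophos VM's
# WAN interface attaches here.
auto vmbr1
iface vmbr1 inet manual
    bridge-ports enp5s0
    bridge-stp off
    bridge-fd 0
```

With this layout the host's DNS resolver (`/etc/resolv.conf`) should also point at 172.16.16.16 so that name resolution, like the default route, goes through the firewall VM; the trade-off described in the reply above still applies, since the host loses internet access whenever the Sophos VM is down.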
 
Thanks for the tips and the heads-up. I managed to connect all of my home network and get an IP from the Sophos XG DHCP server.

I do have a "proper" router sitting on the shelf if anything happens to my proxmox machine.

One last thing I'm missing is that I managed to configure VLANs and connect to my Proxmox machine from a machine on a certain VLAN, but I'm not able to connect to other VMs in the 172.16.16.0/24 subnet (but I can connect to Proxmox and Sophos XG). Can this be a network configuration inside Proxmox or a rule inside Sophos XG?

I managed to get access to Proxmox using this rule, but it didn't work for the other VMs.

 
As soon as you start using more professional features like VLANs, routing between multiple subnets/VLANs and so on, you won't be able to use your backup router anymore (if that isn't a proper HW firewall running something like Sophos or at least OpenWRT too), because normal consumer routers just won't allow you to use such stuff.

What does your /etc/network/interfaces look like right now?
 
