Migrating Firewall And Splitting Networks
This will be an almost technical post that probably nobody will find useful — oh, pishposh.1 Maybe by getting practice I’ll get better with this kind of content.
The Premise
Our company had an obsolete Sophos XG firewall that had to be replaced with a new XGS model.
In addition, the network had to be split from a single one (192.168.0.0/24) into two: 192.168.99.0/24 and 172.16.99.0/24.
Then all the machines’ IPs had to be changed accordingly.
My duty was to plan the migration and configure both firewalls.
The new firewall had to be attached to the same network switch, to which I didn’t have access. A colleague of mine did the dirty work of the initial installation and configuration; the rest was done via VPN to the old firewall.
At first I thought to keep it simple and just let the two firewalls share the same switch, then change the IP and default gateway on each machine. Since they would be on different networks, I thought there wouldn’t be problems. Some research, though, convinced me to change my approach.
The Quick Solution
An IPSec tunnel between the firewalls.
I honestly would never have thought about that, but it worked smoothly.
The key is to use a new temporary network just for the IPsec VPN interfaces (ports), which Sophos calls XFRM interfaces.
For example, 123.123.123.0.
It can be a /30 subnet, maybe even a /31, since it only has two hosts, and it has the key function of allowing traffic between the old network and the two new ones. One caveat: 123.123.123.0 is routable public address space; for a throwaway link network like this, an unused RFC 1918 /30 is the safer choice, so that a typo in a rule or route can never send traffic toward someone else’s prefix.
So, after configuring the IPsec tunnel and creating the appropriate firewall rules2, it was easy to implement the original idea: change the IP and default gateway on each machine to point to the new firewall.
The Obvious, Obnoxious, Unexpected Error
After changing the network for a couple of VMs, we noticed a strange issue: SSH from the old network to the new one didn’t work properly. The TCP connection to the port was established, but the SSH session was just stuck.
After three, maybe four, hours of tries and attempts, I figured out3 that the problem was the Maximum Segment Size on the XFRM interfaces. I decreased it only from 1360 to 1350 and… voilà. All issues were suddenly gone. In hindsight the symptom is the classic one for a path-MTU black hole: the small packets of the TCP handshake and the SSH banner exchange fit through the tunnel, but the first full-size segment of the key exchange, once wrapped in ESP, exceeds the tunnel MTU and is silently dropped, so the session hangs instead of failing. Clamping the MSS a few bytes lower keeps every segment under that limit.
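The following is an added example, not code from the original post or from Sophos, that turns the "three or four hours of tries" into a repeatable check: it binary-searches the largest packet a path carries with the Don't-Fragment bit set (using iputils `ping -M do`, an assumption about the probing host being Linux) and derives the TCP MSS that fits. The `simulated_probe` helper is a constructed stand-in for a black-holing tunnel so the search can be run offline; the header sizes are the standard IPv4/TCP/ICMP ones without options.

```python
"""Path-MTU probe and MSS calculator for an IPsec (XFRM) hop.

Added example, not part of the original post. `ping_probe` is what you run
from a host on one side of the tunnel against a host on the other;
`find_path_mtu` and `mss_for_mtu` are pure so they can be exercised with a
simulated path.
"""
import subprocess
from typing import Callable

IP_HEADER = 20    # IPv4 header without options
TCP_HEADER = 20   # TCP header without options
ICMP_HEADER = 8   # ICMP echo header; `ping -s` sets only the payload size


def ping_probe(host: str, payload: int, timeout_s: int = 1) -> bool:
    """True if an ICMP echo with `payload` bytes and DF set is answered.

    Assumes iputils ping (Linux): -M do sets Don't-Fragment, -s sets the
    payload length. A reply means a packet of IP_HEADER + ICMP_HEADER +
    payload bytes crossed the path without fragmentation.
    """
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do",
           "-s", str(payload), host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


def find_path_mtu(probe: Callable[[int], bool],
                  lo: int = 576, hi: int = 1500) -> int:
    """Largest IP packet size in [lo, hi] that `probe` delivers unfragmented.

    `probe` takes an ICMP payload length; sizes here are full IP packet
    sizes, so the payload handed to the probe is size - IP - ICMP headers.
    Binary search works because deliverability is monotonic in packet size.
    """
    if not probe(lo - IP_HEADER - ICMP_HEADER):
        raise RuntimeError(f"even {lo}-byte packets are dropped; check reachability")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid - IP_HEADER - ICMP_HEADER):
            lo = mid          # mid fits, the answer is at least mid
        else:
            hi = mid - 1      # mid is black-holed, the answer is below it
    return lo


def mss_for_mtu(mtu: int) -> int:
    """TCP MSS that keeps a full segment inside one IP packet of size `mtu`."""
    return mtu - IP_HEADER - TCP_HEADER


def simulated_probe(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for ping_probe: a path that silently drops any
    DF packet larger than `path_mtu` (the black hole that hangs SSH)."""
    def probe(payload: int) -> bool:
        return IP_HEADER + ICMP_HEADER + payload <= path_mtu
    return probe


if __name__ == "__main__":
    # Offline demo: a tunnel whose effective MTU is 1390 needs MSS 1350,
    # which is the value the post ended up with.
    mtu = find_path_mtu(simulated_probe(1390))
    print(f"path MTU {mtu}, clamp MSS to {mss_for_mtu(mtu)}")
    # Real use: find_path_mtu(lambda p: ping_probe("192.168.99.10", p))
```

Run the real probe from a host on the old network against a host on the new one; the MSS it prints is the largest value that avoids the hang, and a slightly lower clamp on the XFRM interfaces leaves headroom for ESP padding.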
From there, the remaining steps were easy and natural: finish changing the static IPs and the gateway on all the machines according to the new networks, and then switch DHCP.
It goes without saying, but it’s important not to have two DHCP servers on the same switch: first I turned off the old firewall’s, then created the new DHCP range on the new one. A quick sanity check between the two steps is to send a DHCP discover from a client on the switch (for example with `nmap --script broadcast-dhcp-discover`) and confirm that exactly one server answers. I chose a range in one of the two new networks, but a good practice could be creating a new ad hoc network (and the appropriate firewall rule) to quickly recognize DHCP-provided addresses.
Conclusion
At last, when all the VMs and machines pointed to the new firewall, the IPsec tunnel could be turned off with no impact.
The old 192.168.0.0/24 and the temporary network 123.123.123.0/30 could be deleted from the new firewall — and the old machine was finally powered off after several years of duty. 🫡
Downtime: none! 🍾
🎮 Just no.
🎧 A fine metal band *chef’s kiss*
📖 I started a sci-fi classic — or better, its sequel