
Sophos UTM cannot get a WAN address through the cable modem

I recently installed 9.703-3 as a VM on an ESXi 6.5u2 setup.  I am having issues with the WAN interface being able to get an address from the cable modem (Spectrum).

When I connect the cable modem to the WAN port, the interface shows as Down/Error.  In the past I've had an issue where the cable modem required a power cycle whenever I connected it to a new device (I'm assuming it has something to do with the MAC address).  However, no amount of power cycling of the cable modem and rebooting of the Sophos UTM VM has resolved the issue.

Any and all help will be greatly appreciated. 

This is what the log shows.

/usr/sbin/cron[16427]: (root) CMD ( /usr/local/bin/reporter/system-reporter.pl)
/usr/sbin/cron[16431]: (httpproxy) CMD (/var/chroot-http/usr/bin/virus_sample_uploader -p /var/chroot-http)
/usr/sbin/cron[16432]: (root) CMD (/var/mdw/scripts/pmx-blocklist-update)
dns-resolver[5523]: DNS server failed to contact!
dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 8
dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 13
dhclient: No DHCPOFFERS received.
dhclient: No working leases in persistent database - sleeping.
dns-resolver[5523]: DNS server failed to contact!
dns-resolver[5523]: DNS server failed to contact!
dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 6
dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 11
dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 4
dhclient: No DHCPOFFERS received.
dhclient: No working leases in persistent database - sleeping.
dns-resolver[5523]: DNS server failed to contact!
EDIT 1

I changed the MAC address to that of the router that works, but this didn't resolve the issue.

EDIT 2

I tried to see if the WAN interface would be able to get an address from my local DHCP server, but no go here either.  Given this along with the MAC spoofing, I am more inclined to believe that there's a configuration issue (the configuration was done through the first-run wizard), and that the problem isn't with my ISP.

EDIT 3

Well, I tried to see if I could get the interface working somehow, so I manually assigned it an address in the same network as the LAN interface.  Clearly, this wasn't a good idea, because now I cannot access Webadmin.  Worse, the assigned address is persistent.  I have gone in through the command line to change it and to take down the interface, but each time I reboot, the IP assignment is back.  Can someone help resolve this issue first, so that I can access the Webadmin interface?

EDIT 4

I came across this post: https://community.sophos.com/products/unified-threat-management/f/hardware-installation-up2date-licensing/27971/changing-internal-ip

I've been trying to follow the directions listed:

Unfortunately, I'm a bit confused after step 9.  I've tried a couple of things, but when I "write" it reverts back to what it was.

EDIT 5

The previous instructions weren't exactly right, but these seem to work.

I even managed to inactivate the WAN interface.  But now I am still having the problem of not being able to access Webadmin.  Anyone have any suggestions?  I must say, this seems pretty easy to break: doing something as simple as misconfiguring (deliberately in this case) an interface pretty much ends the functionality of the device.

EDIT 6

Okay, I managed to get into Webadmin once I enabled it (changed the interface status to 1).  So, the Webadmin issue is fixed, and it was a good lesson too.  However, the main issue still remains.  How do I fix the WAN/cable modem/DHCP issue?

  • If you're doing any sort of MAC spoofing, you'll need to adjust the ESXi port group or vSwitch security.

    It could be that your modem/ISP is rejecting the MAC from the requesting vNIC if not spoofing.  Depending on your system, you could also try passing the WAN interface directly to UTM.  If so, the above is no longer necessary as UTM has direct access to the interface.

  • Thank you for your reply.  I'm going to try what you've suggested.  Here's the thing though: the interface (it's a dual-port Intel NIC) wasn't able to get an address from the home DHCP server either, even before I spoofed the MAC.

  • Hmm...

    You'll need to do more digging then.  Are you able to see the DHCP requests on your home server?
    Post up pics of your port group, vSwitch and physical NIC configurations.  I suspect something isn't right there.

  • Hmm, I changed the settings you stated, but they've reset to the third "inherit" option.  Do I need to reboot the host for the changes to stick (my knowledge of ESXi is rather limited)?

    Okay, I changed the promiscuous mode here.
    EDIT 1
    I wasn't able to see anything on the home server's DHCP logs of any request.

  • You forgot one major part!!!
    YOU HAVE NO UPLINK!!  Uplink is the part that links the vSwitch to a particular physical NIC.  A vSwitch does not need an uplink.  I'm running a server on its own virtual network; it's linked to the firewall via vSwitch. No uplink is needed because it doesn't need access to any 'real' NICs.  Access to this server is only possible through UTM.  Configure your uplink and undo the security changes above (as they're not likely to be needed).
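The missing-uplink diagnosis above can be checked from ESXi shell output instead of screenshots. The script below is an added example, not code from the thread, from Sophos or from VMware: it parses the output of `esxcli network vswitch standard list` (a constructed, abridged sample is embedded) together with the dhclient lines from the original post, and reports when the WAN port group sits on a vSwitch that has no physical uplink, which is exactly the condition that leaves every DHCPDISCOVER unanswered. The port group name `WAN`, the two-vSwitch layout and the vmnic names are assumptions.

```python
"""Added example: correlate ESXi vSwitch uplinks with a guest's dhclient log.

A port group on a vSwitch with no uplink is a closed virtual segment: the
UTM's DHCPDISCOVER broadcasts never reach the cable modem, so dhclient logs
'No DHCPOFFERS received' no matter how often the modem is power-cycled.
"""
import re
from collections import defaultdict

# Constructed, abridged sample in the layout of
# `esxcli network vswitch standard list`.  vSwitch1 (port group WAN) has
# no uplink, mirroring the misconfiguration found in the thread.
ESXCLI_VSWITCH_LIST = """\
vSwitch0
   Name: vSwitch0
   Class: cswitch
   Num Ports: 2560
   Used Ports: 4
   MTU: 1500
   Uplinks: vmnic0
   Portgroups: Management Network, LAN

vSwitch1
   Name: vSwitch1
   Class: cswitch
   Num Ports: 2560
   Used Ports: 2
   MTU: 1500
   Uplinks:
   Portgroups: WAN
"""

# dhclient lines as posted in the thread (cron/dns-resolver lines omitted).
DHCLIENT_LOG = [
    "dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 8",
    "dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 13",
    "dhclient: No DHCPOFFERS received.",
    "dhclient: No working leases in persistent database - sleeping.",
    "dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 6",
    "dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 11",
    "dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 4",
    "dhclient: No DHCPOFFERS received.",
    "dhclient: No working leases in persistent database - sleeping.",
]

DISCOVER_RE = re.compile(r"dhclient: DHCPDISCOVER on (\S+) to ")
ANSWER_RE = re.compile(r"dhclient: DHCP(?:OFFER|ACK) from ")
NO_OFFER = "dhclient: No DHCPOFFERS received"


def parse_vswitches(text):
    """Return {vswitch: {"uplinks": [...], "portgroups": [...]}}.

    Switch names are the unindented lines; fields are indented 'Key: value'.
    """
    switches, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            current = None
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            switches[current] = {"uplinks": [], "portgroups": []}
            continue
        if current is None:
            continue
        key, _, value = raw.strip().partition(":")
        items = [v.strip() for v in value.split(",") if v.strip()]
        if key == "Uplinks":
            switches[current]["uplinks"] = items
        elif key == "Portgroups":
            switches[current]["portgroups"] = items
    return switches


def portgroups_without_uplink(switches):
    """Map each port group to its vSwitch when that vSwitch has no vmnic.

    Guests there can only reach other guests on the same vSwitch (the
    internal-only design the reply describes); a WAN port group must not.
    """
    return {pg: name for name, sw in switches.items()
            if not sw["uplinks"] for pg in sw["portgroups"]}


def unanswered_dhcp_interfaces(lines):
    """Count DHCPDISCOVERs per interface that ended in 'No DHCPOFFERS'."""
    pending, starved = defaultdict(int), defaultdict(int)
    for line in lines:
        m = DISCOVER_RE.search(line)
        if m:
            pending[m.group(1)] += 1
        elif ANSWER_RE.search(line):
            pending.clear()            # an offer arrived; the segment works
        elif NO_OFFER in line:
            for iface, n in pending.items():
                starved[iface] += n
            pending.clear()
    return dict(starved)


def diagnose(vswitch_text, dhclient_lines, wan_portgroup):
    """Decide where to look first: hypervisor wiring, or upstream/guest."""
    orphans = portgroups_without_uplink(parse_vswitches(vswitch_text))
    lost = sum(unanswered_dhcp_interfaces(dhclient_lines).values())
    if wan_portgroup in orphans:
        cause = "no_uplink"            # add a vmnic to that vSwitch first
    elif lost:
        cause = "upstream_or_guest"    # wiring is fine; look at modem/ISP/MAC
    else:
        cause = "none"
    return {"cause": cause, "vswitch": orphans.get(wan_portgroup),
            "unanswered_discovers": lost}


if __name__ == "__main__":
    print(diagnose(ESXCLI_VSWITCH_LIST, DHCLIENT_LOG, "WAN"))
```

On a real host, feed `diagnose()` the captured `esxcli` output and the UTM's dhclient log; a `no_uplink` verdict means the vmnic-to-vSwitch binding is the first thing to fix, and the port group security settings (promiscuous mode, MAC address changes, forged transmits) only matter once frames can actually leave the host.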
  • If this is what it was, I'm going to actually punch myself in the face for overlooking something so basic.

    Let me get this sorted, and let me see what happens.  Standby

  • Well my friend, you nailed it.  That was the problem.  Once I added the uplink the UTM roared to life.  Thank you a thousand times for resolving this issue for me!

  • Glad it worked out for you.  It took me some time to wrap my head around all the ESXi network functions when I was starting out. For WAN I chose passthrough mode because of gigabit.  Wasn't sure how well a vNIC would handle that (actually 2 vNICs because LAN & WAN).  However, in testing with other firewalls which use a vNIC for both, it hasn't been a problem.