Isolated internet trouble through Sophos UTM Home router

Hey team, I have been working on this for a while and have come up with nothing, so I ask for your help. Here goes: 

  • New home network config with a Dell 7010 running Sophos UTM 9 Home. 3 NICs - (1) on-board Intel 82579LM 1G and (2) Broadcom NetXtreme BCM5709 1G. 
  • WAN (Intel) connected to cable modem and getting public IP
  • LAN 1 (Broadcom 1) connected to Cisco 3750 on home VLAN (personal network)
    • Various devices connect to the switch (APs, NAS) and the router is there to provide internet access. Pretty standard.
  • LAN 2 (Broadcom 2) connected to Cisco 3750 on work VLAN (workstation, IP phone for work)
    • Workstation and phone connect to corporate offices through IPSEC tunnels. Internet goes out local. Most everything works fine. 
  • Firewall rules are wide open. Internal networks are allowed to communicate out.
  • Masquerading rules are in place, both networks can get to the Internet. 
  • All filtering is off. IPS, App, Country blocking, advanced threats, etc.

The big problem I have is this: certain services won't connect. The two that I know about are: GoToMeeting video and Halflife 2 Deathmatch. I can connect to GoToMeetings, but when I try to share my webcam I get an error that says I have a slow connection and the other end only sees black. This has been consistent for the 2 weeks I have been set up here, and it happens from both my personal and work machines. Same problem on both subnets. The video works fine when I am plugged in directly to the modem, however.

Also, HL2DM, which obviously I'm only testing from my personal machine, won't connect to servers. It gets as far as parsing game info and never any further. These are using the Valve anti-cheat system, but I never had trouble connecting to that before this setup. Also, just like GTM, the game works fine when I plug my PC directly into the modem. 

And that's where I am. Logs do not show packets being blocked, in fact they show them being allowed. My ISP has confirmed that no other configuration is required to use a router like this through their network (I am getting a public IP on the WAN interface). I will post any configs you would like to see, so I will go start working on those. Any help would be appreciated, I'm at the end of my knowledge of Sophos. Everything I have tried has made no change. Thanks!

Chris 



  • Switch config

    Building configuration...
    
    Current configuration : 4121 bytes
    !
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname Cisco3750
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 HASH
    !
    !
    !
    no aaa new-model
    clock timezone UTC -5
    clock summer-time UTC recurring
    switch 2 provision ws-c3750g-24t
    system mtu routing 1500
    !
    !
    !
    !
    crypto pki trustpoint TP-self-signed-numbers
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-numbers
     revocation-check none
     rsakeypair TP-self-signed-numbers
    !
    !
    crypto pki certificate chain TP-self-signed-numbers
     certificate self-signed 01
      Bunch of numbers here
      quit
    !
    !
    !
    spanning-tree mode pvst
    spanning-tree extend system-id
    !
    vlan internal allocation policy ascending
    !
    !
    !
    !
    interface Port-channel10
     switchport access vlan 2
    !
    interface GigabitEthernet2/0/1
     switchport access vlan 2
    !
    interface GigabitEthernet2/0/2
     switchport access vlan 2
    !
    interface GigabitEthernet2/0/3
     switchport access vlan 2
    !
    interface GigabitEthernet2/0/4
     switchport access vlan 2
    !
    interface GigabitEthernet2/0/5
     switchport access vlan 2
    !
    interface GigabitEthernet2/0/6
     switchport access vlan 2
    !
    interface GigabitEthernet2/0/7
     switchport access vlan 2
    !
    interface GigabitEthernet2/0/8
     switchport access vlan 2
    !
    interface GigabitEthernet2/0/9
     switchport access vlan 2
    !
    interface GigabitEthernet2/0/10
     switchport access vlan 2
    !
    interface GigabitEthernet2/0/11
     switchport access vlan 2
    !
    interface GigabitEthernet2/0/12
     switchport access vlan 2
    !
    interface GigabitEthernet2/0/13
     description NAS 1
     switchport access vlan 2
     channel-group 10 mode active
    !
    interface GigabitEthernet2/0/14
     description NAS 2
     switchport access vlan 2
     channel-group 10 mode active
    !
    interface GigabitEthernet2/0/15
     switchport access vlan 2
    !
    interface GigabitEthernet2/0/16
     switchport access vlan 2
    !
    interface GigabitEthernet2/0/17
     switchport access vlan 2
    !
    interface GigabitEthernet2/0/18
     switchport access vlan 2
    !
    interface GigabitEthernet2/0/19
     switchport access vlan 20
    !
    interface GigabitEthernet2/0/20
     switchport access vlan 20
    !
    interface GigabitEthernet2/0/21
     switchport access vlan 20
    !
    interface GigabitEthernet2/0/22
     switchport access vlan 20
    !
    interface GigabitEthernet2/0/23
     switchport access vlan 20
    !
    interface GigabitEthernet2/0/24
     switchport access vlan 20
    !
    interface Vlan1
     no ip address
    !
    interface Vlan2
     ip address 192.168.XX.XX 255.255.255.0
    !
    interface Vlan20
     ip address 10.29.XX.XX 255.255.255.0
    !
    ip default-gateway 192.168.XX.XX
    ip classless
    ip http server
    ip http secure-server
    !
    !
    !
    !
    !
    line con 0
    line vty 0 4
     password 7 HASH
     login
    line vty 5 15
     password 7 HASH
     login
    !
    end
    

  • I ruled out the switch. Used a dumb switch for the WORK network and it does exactly the same thing. I'm thinking of factory resetting the UTM. 

  • New twist: using VPN software on my PC allows the traffic to pass through the UTM. My thought this morning then went to web filtering and HTTPS inspection. I played around with those settings, turning web filtering on, disabling HTTPS inspection, turning off again, but the only thing I was able to affect was my ability to connect to the VPN. (HTTPS inspection definitely breaks it)

    I'm still testing but anything you might think of would be helpful. Thanks!

  • Hi Chris and welcome to the UTM Community!

    What happens if you do #1 in Rulz?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I check logs for hours on end trying to see the traffic get stopped, but it's not. It's allowed. There are no routes in place at this point, I have re-installed UTM 3 times since last night, testing both the 32 and 64 bit installs. I was reminded today that in the past there were certain flags in the BIOS that needed to be changed, like turning off TPM and the virtualization capabilities of the processor. I have done that and reinstalled and still no luck. The traffic is allowed through the router but something is interfering with it that UTM isn't logging. 

    The traffic works if I use VPN software on the PC. Because it is already encrypted, the router simply forwards the packets. That it doesn't show up in the logs is a big part of the problem. I think I'm close to an answer, because I remember having this trouble when I first started using UTM home years ago. I thought changing the BIOS settings was going to solve it, but as yet I haven't changed the correct setting. 

    The only config in the UTM is the outbound Any Any Allow rule. 

  • It's the code. Tonight I installed 9.506 (this version from above) on older hardware (that had worked fine at my old house) and had the same problem. Then I found an older ISO and installed it, put in the same basic config (outbound allow rule and masquerade NAT) and boom, working. Granted I haven't tested everything yet, but the one thing that was blocked on my personal machine (that I knew of) is now working as expected. I will try this code version on the new hardware and see if it works as well, that will confirm my suspicion. 

    Then my questions are, whom to tell about this and how far to update? Thanks for listening. =)