I'm having an issue with a UTM where one customer has issues with a provider connecting to their UTM, and the FW log blocks the connection with "spoofed packet" detected.
So far I've traced the issue and I think it's a subnetting issue. Here's the environment:
The firewall log shows spoofed packets from 126.96.36.199 to [WAN2 IP].
From what I can infer, the issue is that the provider is using an IP that corresponds to the WAN1 subnet (but it's not used or declared in UTM). But shouldn't this be normal? I mean, an ISP can assign an IP subnet to multiple customers with different IPs on the same subnet and they can access each other with no issues. Why is this failing here?
How are the settings of these WAN interfaces in UTM? Two interfaces?
In reply to Alexander Busch:
Yes, they're two different physical interfaces and two different ISPs with totally different IP addresses
You can't use the same network (or subnet of a network) on two different interfaces! Ask the provider for the correct subnet, or if both networks are private (RFC1918), ask one provider for a change.
In reply to JosefBergmann:
But I'm not using the same network! As I've told you, both WANs have absolutely different IP networks.
The provider (external) is accessing WAN2 from an IP that belongs to WAN1's subnet, that's it. And UTM treats it as a spoof incorrectly. I can't even find how to whitelist this, or I'm going to have to disable spoof protection system-wide.
In reply to Mast_01:
But the interfaces are connected on a layer 2 basis, right? IP network is layer 3.
I also said "or subnet of a network". E.g. you can't use 10.1.2.3/24 on WAN1 and 10.1.2.129/25 on WAN2.
Now I'm curious about this IP-networks, can you send me them via PM. I will check the holder.
But it's not a subnet either. I get the feeling there has been a misunderstanding on the addresses I gave as an example.
WAN2 has a different IP, net, different everything from WAN1, as I stated in the first post.
Alexander, I'm not sure what you mean by "But the interfaces are connected on a layer 2 basis, right? IP network is layer 3."
I'll PM you the addresses, but I don't think it's going to be of much use.
To clarify - the traffic from the provider is incoming on WAN2 with an IP that is in WAN1's subnet?
The utm would expect any and all traffic in WAN1's subnet to come in on that interface - you have declared to it that WAN1 is the link into that network not WAN2.
In reply to RichardP:
EXACTLY, traffic from the provider is incoming on WAN2 with an IP that is in WAN1's subnet.
I see, so every address inside a certain subnet cannot come from outside that interface, from what you tell me (I suspected as much but never came across this issue).
So what I should ask the ISP for is a tighter subnet mask, so that the external IP falls outside the subnet of WAN1.
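An added illustration, not code from the thread or from Sophos, of the interface-ownership check RichardP describes and of the narrower-mask remedy proposed just above. The interface subnets are constructed placeholders (the thread does not give the real ones), and the function is a simplified model of the UTM's spoof-protection logic, not its implementation:

```python
import ipaddress
from typing import Dict, Tuple

# Constructed interface table standing in for the UTM's interface definitions.
# TEST-NET ranges are used as placeholders for the two ISPs' real subnets.
INTERFACES: Dict[str, str] = {
    "WAN1": "198.51.100.0/24",  # placeholder for ISP 1's assigned subnet
    "WAN2": "203.0.113.0/24",   # placeholder for ISP 2's assigned subnet
    "LAN":  "192.168.10.0/24",
}

def spoof_check(ifaces: Dict[str, str], ingress: str, src: str) -> Tuple[bool, str]:
    """Model of the behaviour described in the thread: a source address that
    lies inside a directly connected subnet is accepted only when it arrives on
    the interface that owns that subnet. Returns (allowed, reason)."""
    src_ip = ipaddress.ip_address(src)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in ifaces.items()}
    if ingress not in nets:
        raise ValueError(f"unknown interface {ingress}")
    # Which interface, if any, owns the subnet containing the source address?
    owner = next((name for name, net in nets.items() if src_ip in net), None)
    if owner is None:
        return True, f"{src} is not in any connected subnet; routed normally"
    if owner == ingress:
        return True, f"{src} arrived on {ingress}, which owns {nets[owner]}"
    return False, (f"spoofed packet: {src} belongs to {owner} ({nets[owner]}) "
                   f"but arrived on {ingress}")

def narrow_wan1(ifaces: Dict[str, str], new_prefix: int) -> Dict[str, str]:
    """The remedy from the thread: keep WAN1's address range but tighten its
    mask so the provider's address no longer falls inside it."""
    net = ipaddress.ip_network(ifaces["WAN1"])
    narrowed = ipaddress.ip_network(f"{net.network_address}/{new_prefix}")
    return {**ifaces, "WAN1": str(narrowed)}

if __name__ == "__main__":
    # Constructed provider address: inside WAN1's /24 but arriving via WAN2.
    provider = "198.51.100.200"
    print(spoof_check(INTERFACES, "WAN2", provider))   # blocked as spoofed
    # After narrowing WAN1 to a /25, .200 lies outside it and is accepted.
    print(spoof_check(narrow_wan1(INTERFACES, 25), "WAN2", provider))
```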
Don't worry about the ISP's subnet being in the Interface definition in the UTM. Unlike most routers that require the ISP's default gateway to be within the subnet, the UTM does not.
Please alter your initial post so that it's clear that your definitions don't overlap. Instead of 1.2.3.x, obfuscate IPs like 181.XX.YY.150, 10.X.Y.100, 192.168.X.200 and 172.2X.Y.51. That lets us see immediately which IPs are local and which are identical.
What interests me is that the ISP routes the other ISP's subnet directly to you. They need to correct their routing.
Cheers - Bob