New User Urgent Help With Zone To Zone Required Please

Hi,

I just installed this morning, coming from pfSense, and have connected to the internet, but I need my LAN & WiFi ports to see each other.

I have configured the zone-to-zone firewall rule as any to any, but it is not working.

Wife & Kids are going mad as we are in lockdown :-(

Massive thanks to any help in advance!

  • If you remove "Match known users" and "Show captive portal to unknown users" under Identity, does it work then?

    //Rickard

  • Hi,

    First of all, uncheck "Match Known Users". Unless you have an authentication server such as AD or have created clientless users on XG, there's no need to have it checked.

    If you have Match Known Users enabled, the rule will only apply to authenticated users found by XG.

    Second, don't create LAN => LAN rules with "Any" as source or destination. I know that's how you create them on pfSense (since you create rules based on the interface as source), but not on XG.

    Use the correct zones and networks when creating the rules.

    Here's an example:

    Thanks,

  • In reply to Prism:

    Thanks so much for your replies!

    I just got it working. I had set my port 3 (Wireless) to the WiFi zone (that made sense to me at first) and was trying to zone them together, but it would not work, so I changed the network zone on port 3 to LAN and then created a LAN to LAN rule instead of LAN to WiFi, and now it's up & running! :-)

    Your destination screenshots (WiFi LAN & Wired LAN): did you create those as IP ranges?

    Just port forwarding left to get working (cannot understand why it is not), but I will create a new post for that :-)

  • In reply to Martyn Campbell:

    Just noticed though, even though my two LANs are now talking to each other, why would I be getting all this blocked traffic?

  • In reply to Martyn Campbell:

    Did you have a proxy configured in the old firewall, and is that set up on the clients?

    //Rickard

  • In reply to RickardNordahl:

    Thank you, good point, I may have done. Sorry for jumping; it's just amazing how much there is to set up after using pfSense for a couple of years. Happy to say Sophos is far friendlier to use; a couple of quirks, but I am getting my head around it slowly :-)

  • In reply to Martyn Campbell:

    Glad to be of service. Good luck on your Sophos endeavors :)

    //Rickard

  • In reply to RickardNordahl:

    Hi,

    I thought I had resolved this, but unfortunately I haven't; it was only a partial success.

    I have 3 LAN interfaces.

    DHCP is running for all 3 devices' subnet ranges.

    You can also see that the devices are in the lease table, but I am unable to ping them.

    Yet, even though in the screenshot above I cannot ping anything, one example is 192.168.2.50, a Windows backup server that is connected, up & running and on the internet as well. I have also connected to it from 192.168.0.3 via local remote desktop, and as you can see from this screenshot I am unable to ping the device that is remote controlling it either, but I can ping the Sophos gateway.

    I have also created IP-range source & destination zones, so that's well covered.

    Any input greatly appreciated!

  • In reply to Martyn Campbell:

    First, I would enable logging on the rule to see what is happening to the traffic.

    Then I would remove the source and destination networks and replace them with Any, since it looks like you have one subnet on the zones in question.

    And the question of the day, is ICMP echo reply enabled on the server you are trying to ping in Windows Firewall?

    //Rickard

  • In reply to RickardNordahl:

    Thank you so much for taking the time to reply!

    "First, I would enable logging on the rule to see what is happening to the traffic."

    I have enabled logging, but I cannot even see any entries for the IP I am pinging in the log viewer. When logging is enabled, does it write to here?

    "Then I would remove the source and destination networks and replace them with Any, since it looks like you have one subnet on the zones in question."

    I had that originally and was advised against it by Prism:

    "Don't create LAN => LAN rules with "Any" as source or destination. I know that's how you create them on pfSense (since you create rules based on the interface as source), but not on XG."

    "And the question of the day, is ICMP echo reply enabled on the server you are trying to ping in Windows Firewall?"

    I can only presume it is, as if I shut down my Sophos VM and go back to my old pfSense VM, everything can see everything.

  • In reply to Martyn Campbell:

    In Log Viewer under Firewall you should see the entry with the source IP and destination if it hits your rule.

    "Don't create LAN => LAN rules with "Any" as source or destination. I know that's how you create them on pfSense (since you create rules based on the interface as source), but not on XG."

    Well, now here is the thing. If the zone contains one subnet only, it doesn't really matter, but anyway I am simply trying to rule out misconfiguration of the networks in the firewall objects.

    So I would do a rule: Source zone: LAN or the name of the zone (where your computer is located), source network Any; Dest zone: name of the zone where the server is, source network Any; Protocol Any. And place it on top of the rule base. Enable logging.

    What you could also try is, under Diagnostics in the firewall, to ping the server in question to see if that works. If not, look at the ARP table in the firewall and see if you can find the MAC address of the server. And check that the default GW for the server is set to the XG.

  • In reply to RickardNordahl:

    "So I would do a rule: Source zone: LAN or the name of the zone (where your computer is located), source network Any; Dest zone: name of the zone where the server is, source network Any; Protocol Any. And place it on top of the rule base. Enable logging."

    Ok, if I do what you say (pictured below), I lose internet connection, so I have disabled this rule for now.

    "What you could also try is, under Diagnostics in the firewall, to ping the server in question to see if that works. If not, look at the ARP table in the firewall and see if you can find the MAC address of the server. And check that the default GW for the server is set to the XG."

    Ok, this just proves my issue.

    I cannot find this ARP table you mention? This is all I can find that relates to ARP.

    Here are all my rules, just in case you can see something else wrong.

    Thanks again for your time!

  • In reply to Martyn Campbell:

    The rule you created has the WAN zone as destination; remove that and it will work again.

    Under Diagnostics, remove the interface and leave it on automatic so the firewall itself can see if it can find the correct network using the routing table. And try to ping again.

    When it comes to the ARP table (you are in the correct place), in the drop-down list you have an option that I do not remember now, but it will show you the dynamic ARP entries instead of static (you have not configured any ARPs manually, so that's why you do not see anything).

    //Rickard

  • In reply to RickardNordahl:

    "The rule you created has the WAN zone as destination; remove that and it will work again."

    Muppet! Ok, done, and ok now. >>>Insert Facepalm Here<<<

    "Under Diagnostics, remove the interface and leave it on automatic so the firewall itself can see if it can find the correct network using the routing table. And try to ping again."

    Yes, that works.

    But still not from the LAN port.

    "When it comes to the ARP table (you are in the correct place), in the drop-down list you have an option that I do not remember now, but it will show you the dynamic ARP entries instead of static (you have not configured any ARPs manually, so that's why you do not see anything)."

    Ok, so it is showing as incomplete? I understand why it would not show on Port2 (not sure why Port2 is even listed here, being the WAN port).

  • In reply to Martyn Campbell:

    Good.

    So the server is NOT located in the LAN zone at all; it is located in the VPN zone and connected to Port4.

    The ARP cache shows Complete/dynamic on Port4, which means that the server is located there. And in this case it is the VPN zone.

    Can you post a screenshot of your zones that you have?

    And try to create a rule: source zone LAN (if this is where your computer is located), source network Any; Dest zone: VPN, dest network Any; Protocol all, and enable logging on it. Place the rule on top of the rule base.

    The incomplete messages in the ARP table are because you tried to ping the server using the interface drop-down list in the firewall; that's why it shows on all the ports.

    //Rickard
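The zone-matching behaviour the thread keeps running into (a rule only fires when both the source and destination zones of the traffic match, "Match known users" skips hosts XG has not identified, and a server reached through Port4 sits in the VPN zone rather than LAN, so a LAN to LAN rule never covers it), modelled as an added Python example. This is not Sophos code; the port-to-zone map and the subnets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed interface map (assumed addressing, not from the thread):
# port -> (zone, subnet). Port3 is the wireless port moved into the LAN zone;
# Port4 is the interface the ARP cache showed the backup server on (VPN zone).
INTERFACES = {
    "Port1": ("LAN", "192.168.0.0/24"),
    "Port3": ("LAN", "192.168.1.0/24"),
    "Port4": ("VPN", "192.168.2.0/24"),
}

@dataclass
class Rule:
    name: str
    src_zone: str               # zone name or "Any"
    dst_zone: str
    action: str = "accept"
    match_known_users: bool = False

def zone_of(ip):
    """Return (port, zone) for an address; anything off-net is treated as WAN."""
    addr = ipaddress.ip_address(ip)
    for port, (zone, subnet) in INTERFACES.items():
        if addr in ipaddress.ip_network(subnet):
            return port, zone
    return None, "WAN"

def evaluate(rules, src_ip, dst_ip, authenticated=False):
    """First-match, top-down evaluation with an implicit drop at the end."""
    _, src_zone = zone_of(src_ip)
    _, dst_zone = zone_of(dst_ip)
    for rule in rules:
        if rule.src_zone not in ("Any", src_zone):
            continue
        if rule.dst_zone not in ("Any", dst_zone):
            continue
        # "Match known users" restricts the rule to hosts XG has identified.
        if rule.match_known_users and not authenticated:
            continue
        return rule.name, rule.action
    return "implicit", "drop"

if __name__ == "__main__":
    lan_to_lan = Rule("LAN-to-LAN", "LAN", "LAN")
    # Wireless client on Port3 is now in the LAN zone, so LAN->LAN matches it.
    print(evaluate([lan_to_lan], "192.168.0.3", "192.168.1.20"))
    # The backup server on Port4 is in the VPN zone: LAN->LAN never matches it.
    print(evaluate([lan_to_lan], "192.168.0.3", "192.168.2.50"))
    print(evaluate([Rule("LAN-to-VPN", "LAN", "VPN"), lan_to_lan],
                   "192.168.0.3", "192.168.2.50"))
```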