New User Urgent Help With Zone To Zone Required Please

Hi,

I have just installed this morning coming from pfSense and have connected to the internet but require my LAN & WiFi Ports to see each other.

I have configured the zone to zone firewall rule to any from any but it is not working?

Wife & Kids are going mad as we are in lockdown :-(

Massive thanks to any help in advance!

  • In reply to RickardNordahl:

    So the server is NOT located in the LAN zone at all, it is located in the VPN zone and connected to Port4. 

    Just to confirm, when you say server do you mean my Windows Backup Server I mentioned? Because that is all 192.168.2.50 is, it is just a rackmount with Windows Server on it, doing nothing. I am just using it to help try and resolve these issues.

    The ARP cache shows Complete/dynamic on Port4, which means that the server is located there. And in this case it is the VPN zone.

    Can you post a screenshot of your zones that you have?

    Just to clarify, 

    LAN=Most of the network, desktop PC, TV's etc

    UniFi=All my wireless devices

    VPN= This will eventually become a VPN port but just trying to get it working first, I have just put a redundant PC on this interface for testing.

    And try to create a rule: source zone LAN (if this is where your computer is located), source network ANY, dest zone VPN, dest network ANY, protocol all, and enable logging on it. Place the rule on top of the rule base.

    I still cannot ping from LAN (Port1)

    The strange thing here is that you see the ARP on all the interfaces, that's off. Is the pfSense still online and running?

    If so turn it off if that is possible.

    pfSense has been off for about 3 days, I have only ever had pfSense OR Sophos running, never together.

  • In reply to Martyn Campbell:

    Ok I now understand.

    So the VPN zone in the firewall is made for what it says, VPN, like site-to-site IPsec, SSL VPN and so on. It is not meant to be used as you are using it. So let's try this.

    Create a new zone, name it what you like, move the port to that zone, and then create a rule that matches the same as before, but the dest zone should be the one you created instead.

    And then try again. Or you can move the server to the UniFi zone, change the IP of the server and then see if you can access it.

    You should not use the VPN zone for anything more than VPN that terminates in the firewall itself.

  • In reply to RickardNordahl:

    Ok, so before I came over to PfSense this was one of my prerequisites, I asked the question here:

    https://community.sophos.com/products/xg-firewall/f/initial-setup/119441/question-about-coming-from-pfsense-to-sophos

    So I would like to have 

    Port1 - LAN

    Port2 - WAN

    Port3 - Wifi

    Port4 - VPN to run some dockers, devices, VMs etc. BUT must have access to other subnets, i.e. I want to run dockers/devices behind a VPN (currently Port4) but be able to access the apps/devices running on them from my Desktop PC on the LAN port (Port1). So is this not possible?

    So the VPN zone in the firewall is made for what it says, VPN, like site-to-site IPsec, SSL VPN and so on. It is not meant to be used as you are using it. So let's try this.

    Create a new zone, name it what you like, move the port to that zone, and then create a rule that matches the same as before, but the dest zone should be the one you created instead.

    And then try again. Or you can move the server to the UniFi zone, change the IP of the server and then see if you can access it.

    Is it necessary to do all this when I also have exactly the same issue on my UniFi port (Port3)?

  • In reply to Martyn Campbell:

    But do you really have problems on the UniFi port? Since the access points are connected to the controller and working.

    The diagnostics tool can not really find the IP since you have a port specified. If you leave it at default, will you be able to ping the destination IP then?

    If that works, you have a policy tester in the diagnostics section as well. There you can fill in source IP and destination IP (never mind protocols in there) and you will see what rule you hit and whether it is allowed or denied.

    //Rickard
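    The policy tester described above answers one question: for a given source and destination address, which rule in the rule base is hit first, and is that rule an allow or a deny. The model below is an added example and is not Sophos code; it uses an assumed interface-to-zone table modelled on the layout in this thread (Port1 = LAN 192.168.0.0/24, Port3 = UniFi 192.168.1.0/24, Port4 = VPN 192.168.2.0/24) and evaluates a first-match zone-to-zone rule base the way a firewall does. It shows why a LAN-to-VPN "any/any" rule placed at the top matches, why a destination in a zone that no rule covers falls through to the implicit deny, and why a rule restricted to one protocol does not help a ping.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed interface/zone table (assumption, modelled on the thread's layout).
INTERFACES = {
    "Port1": ("LAN",   ipaddress.ip_network("192.168.0.0/24")),
    "Port3": ("UniFi", ipaddress.ip_network("192.168.1.0/24")),
    "Port4": ("VPN",   ipaddress.ip_network("192.168.2.0/24")),
}


@dataclass
class Rule:
    name: str
    src_zone: str   # zone name or "ANY"
    src_net: str    # CIDR or "ANY"
    dst_zone: str   # zone name or "ANY"
    dst_net: str    # CIDR or "ANY"
    protocol: str   # "ALL", "TCP", "UDP" or "ICMP"
    action: str     # "ALLOW" or "DROP"
    log: bool = False


def zone_of(ip: str) -> Optional[str]:
    """Derive the zone from the interface whose subnet contains the address."""
    addr = ipaddress.ip_address(ip)
    for _port, (zone, net) in INTERFACES.items():
        if addr in net:
            return zone
    return None  # address is on no known interface: no zone


def _zone_match(spec: str, zone: str) -> bool:
    return spec == "ANY" or spec == zone


def _net_match(spec: str, ip: str) -> bool:
    return spec == "ANY" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def policy_test(rules: List[Rule], src_ip: str, dst_ip: str,
                protocol: str = "ICMP") -> Tuple[str, str]:
    """First-match evaluation: returns (name of the rule hit, action).

    Mirrors what a policy tester reports: the first rule whose zones,
    networks and protocol all match wins; nothing matching means the
    implicit deny at the bottom of the rule base.
    """
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return ("no-zone", "DROP")
    for rule in rules:
        if not (_zone_match(rule.src_zone, src_zone)
                and _zone_match(rule.dst_zone, dst_zone)
                and _net_match(rule.src_net, src_ip)
                and _net_match(rule.dst_net, dst_ip)
                and rule.protocol in ("ALL", protocol)):
            continue
        return (rule.name, rule.action)
    return ("implicit-deny", "DROP")


# Constructed rule base: the any/any LAN->VPN rule suggested earlier, on top,
# followed by a narrower LAN->UniFi rule that only permits TCP.
EXAMPLE_RULES = [
    Rule("LAN->VPN any/any", "LAN", "ANY", "VPN", "ANY", "ALL", "ALLOW", log=True),
    Rule("LAN->UniFi tcp only", "LAN", "ANY", "UniFi", "ANY", "TCP", "ALLOW"),
]


if __name__ == "__main__":
    for src, dst, proto in [("192.168.0.3", "192.168.2.50", "ICMP"),
                            ("192.168.0.3", "192.168.1.42", "ICMP"),
                            ("192.168.0.3", "192.168.1.42", "TCP"),
                            ("192.168.2.50", "192.168.0.33", "TCP")]:
        print(f"{src} -> {dst} {proto}: {policy_test(EXAMPLE_RULES, src, dst, proto)}")
```

    The second and fourth cases are the ones worth noticing: a ping from LAN to the UniFi subnet misses the TCP-only rule and drops on the implicit deny even though "the firewall says it is allowed" for web traffic, and VPN-to-LAN traffic is dropped because no rule covers that zone pair at all (the LAN-to-VPN rule does not make the reverse direction stateless-allowed; only reply packets of an allowed LAN-to-VPN session get back).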

  • In reply to RickardNordahl:

    But do you really have problems on the UniFi port? Since the access points are connected to the controller and working.

    Just to confirm, I do not have a USG (is that what you mean by controller?). They are just access points connected via a PoE switch.

    The diagnostics tool can not really find the IP since you have a port specified. If you leave it at default, will you be able to ping the destination IP then?

    Yes, I can ping if I do not specify a port.

    If that works, you have a policy tester in the diagnostics section as well. There you can fill in source IP and destination IP (never mind protocols in there) and you will see what rule you hit and whether it is allowed or denied.

    Ok, so I can see that I can connect to devices etc. Maybe there is no problem as such? But definitely some kind of restriction?

    What has been throwing me is several things:

    1. I am unable to ping from LAN to any other port (within Sophos Diags).

    2. I have been unable to connect to my Nextcloud locally since installing Sophos (I have to set up a hotspot on my phone and connect remotely to my local server!).

    3. I have a wireless range extender for my video doorbell on the UniFi port (192.168.1.42). I have been unable to connect to it since installing Sophos, but yet I can ping it from my Windows Desktop (192.168.0.3).

    4. I cannot connect to the doorbell itself (192.168.1.27) since installing Sophos.

    5. I can connect to my managed switch (192.168.0.1) and one of my unRAID servers (192.168.0.44) from the test machine on the VPN network (192.168.2.50), but yet I cannot connect to anything else like my other unRAID server (192.168.0.33) or any of my other devices. So I hope you can understand why I still feel there is an issue: why can I connect to some devices and not others? Why do ping results come up mostly empty on Angry IP Scanner? I have always used Angry IP Scanner and it has always shown me what is connected on any one of my subnets, now it shows nothing other than 192.168.1.10.

    Basically, if I stop the Sophos VM and load the pfSense VM I can do all of the things mentioned above, so something somewhere is stopping (in my mind) basic network traffic and I can find no way around it?

  • In reply to Martyn Campbell:

    Ok, this sounds weird.

    Are you using the same default GW on all the interfaces that the pfSense did have?

    And you should really try out the policy tester to see what is blocking the traffic. Open the logging window, and on the upper right side click "Policy tester" and run a test from there to see if you hit the right firewall rule.

    Usually this is "just working".

    //Rickard

  • In reply to RickardNordahl:

    Hi!

    Thanks for your reply!

    I have spent some time on this today and  spent ages with me and resolved/tidied up my installation, got my Nextcloud working locally, generally a massive help!

    He cut down my rules list and today I removed Port4, so I now have:

    Port1 LAN - 192.168.0.*

    Port2 WAN

    Port3 LAN - 192.168.1.*

    Whilst this is now mostly working, I have some IPs on Port3 that I cannot access from Port1. If I can see how to fix one, I should be fine to fix the rest, so here is one example.

    My unRAID server has 3 connections (not that I think this is important):

    eth0 LAN - 192.168.0.33

    eth1 LAN - 192.168.1.33

    eth2 LAN (10Gbe) - 192.168.11.33

    There is a docker running on eth1 with an address of 192.168.1.38. I can access the web UI from a device connected on Port3 but not from Port1, even though the firewall says it is allowed from Port1.