Sophos Central Endpoint and SEC: Computers fail/hang on boot after the Microsoft Windows April 9, 2019 update. Please follow knowledge base article 133945

Learn about the Benefits of Multi-Factor Authentication (MFA). Turn your MFA on now!

Outage on MySophos and Partner Portal. You may contact Sophos Support through Phone.

Unable to access TP Link wireless router admin across zones.

I’m unable to access my wireless router administration page from a different zone.  What settings are required to allow access?

This is what I have setup so far on my Sophos XG Firewall.

Interface 1

Interface 3

The two zones are LAN (default) and Wireless (one that I created).

Wireless Zone

I’ve created a firewall rule to allow communication between the zones.

Firewall Rule

When I ping the gateway from a workstation connected to a switch from port 0, I receive a response.

When I attempt to ping my wireless router, it fails.

When I attempt to access the wireless router admin page from a workstation from the Lan zone, I receive the following error.

When I attempt to access the wireless router admin page from a device on the Wireless zone, it works.

 

Any assistance is greatly appreciated.

  • Firewall Rule 6 indicates, that there is simply no traffic in this direction.

    Is the XG the DHCP Server for this wireless network? 

    Can XG itself ping the Wireless router? 

  • In reply to LuCar Toni:

    Hi,

     

    The XG is the DHCP server...  When I ping the wireless router from the same port it responds.

    If I ping the router from the port that's connected to my computer it fails.

     

  • In reply to ChristopherHaugh:

    Sounds to  me like your AP is not setup to accept connections from other networks.

    Ian

  • In reply to rfcat_vk:

    Is that an easy fix?

  • In reply to ChristopherHaugh:

    I expect so, but I don't know what your AP is. Have a look at the AP admin page, there might be a setting to allow remote access or something similar.

    Ian

  • If your AP doesn't like IP addresses from a different network trying to access its management portal a quick and dirty way of fixing it is to use Masquerading to change the source address of the client to one on the same subnet as the AP. I done this a few times to get round this sort of thing and also the odd occasion the device is missing (or has the wrong) gateway set on it.

  • First of all, is it a router or a modem-router that you bridged to use it as a router?

    If it's a modem router and you connected the sfos to one of the lan interfaces on the router, you can't do it.

    If it's a router and you connected the sfos to the wan interface of the router, first check if access from wan interface in the TP-Link is allowed.

    As the previous one replied you could do it dirty with a dnat rule with masq

    Or a unicast rule?

  • In reply to Panagiotis Vakerlis:

    I ended up upgrading my TP Link to an access point, however I was still unable to access the ap from a different subnet.  As a temporary solution, I put everything on the LAN zone and plugged my wifi into my switch.  When I have more time,  i'll try to revisit it.  :(

    It shouldn't be this difficult to allow a device to talk to another device on a different zone/subnet.  Would love an "easy" button for this. 

     

    Sophos XG 1, me 0

  • In reply to ChristopherHaugh:

    last time I checked there is a setting on the tp link that doesn't allow access to the device if outside of its subnet... you can turn it off but it is a setting on the tp link.

    I haven't got access to one right now but i can see if I can get access to it again to find the setting.

    id suggest looking at the admin access page to start with on the tp link.

  • In reply to ChristopherHaugh:

    Hi Christopher,

    this is not an XG issue but a TPlink device issue.

    I have 4 networks at home, IoT, VoIP, switches and users.

    I have firewall rules that allow me to access the switches and VoIP equipment which are on different network /24 each from the user network.

    You need to review all the menus in the TP-link device to find out which one is blocking your access or post the details of the model so the forum members can provide an alternate eye.

    Ian

  • In reply to ChristopherHaugh:

    I've just taken a look and there is a setting "Allow remote access" under Network/LAN on the TP Link Device, just needs to be ticked.

     

    Nick