Issue with my VLANs

Hi to All Sophos Gurus,

 

Good day.

I have been fixing my VLAN routing on my Sophos XG 210 Firewall. I created a different gateway for each VLAN. Below are the details.

VLAN10 :

IP = 192.168.10.0/24

DG = 192.168.10.254

ISP1

 

VLAN20 :

IP = 192.168.20.0/24

DG = 192.168.20.254

ISP2

 

VLAN30 (Wireless) :

IP = 192.168.30.0/24

DG = 192.168.30.254

ISP3

 

I have all my servers on VLAN10. I want to share my fileservers in VLAN10 with all the other VLANs. I already created a firewall rule in my Sophos. The problem is that I cannot access my fileservers. Did I do something wrong? Perhaps someone can help me. Below is a screenshot of my network diagram and my LAN to LAN firewall policies.

Network Diagram

Firewall VLAN to VLAN Policy.

If anyone can give me an idea it would be great! 

 

Thanks

 

Rodney

  • Hi  

    Could you please add a static route for the VLANs added in the Sophos Firewall XG?

    To add a static route

    Routing >> IPv4 unicast route >> Add >> Destination IP (VLAN network) >> Gateway (IP of the switch) >> Interface through which the traffic from that VLAN will reach the XG

    Please also remove the Source and Destination networks, set them to ANY, and try to access the fileserver again.

    You may also try to ping the fileserver from a machine in any VLAN and take a packet capture to see whether the traffic is reaching the firewall at all. It might be served by the switch as layer 2 communication if the switch has details of the connected host. For packet capture, see https://community.sophos.com/kb/en-us/123189

    Hope this helps!

  • Rodney,

    where did you create the VLAN?

    Is the routing enabled on the Switch?

    How did you create the VLAN on the switch?

    Please share the configuration.

    Regards

  • In reply to lferrara:

    Hi lferrara,

     

    I created the VLANs on the Sophos since the switch does not support L3. It is only an L2 switch, so what I am planning is to have the Sophos handle the L3 routing. I created the VLANs on the switch using the GUI. I am using HP switches.

    My VLANs are working fine. The problem I am facing is that none of the VLANs can access the fileserver on VLAN10.

     

    Thanks

  • In reply to Keyur:

    Hi Keyur,

     

    Thanks for sharing your technical expertise regarding this matter. I'll check this by next week once I am in office and get back to you.

     

    Cheers!

     

    Rodney

  • In reply to Rodney Altamera:

    Hi  

    Sure, please reach out to us for further assistance.

  • In reply to Keyur:

    HI Keyur,

    I have an issue with my VLAN; the settings are not working. Below is a screenshot of the captured packets.

    I am confused as to why it is blocking my access to VLAN20 from VLAN50.

     

    Thanks

     

    rodneyaltam

  • In reply to Rodney Altamera:

    VLAN 50 is not in the firewall rules (based on the screenshots).

    Do you see anything on the XG console with:

    drop-packet-capture "host x.x.x.x" (where x.x.x.x is the source or destination IP)?

  • In reply to lferrara:

    Hi lferrara,

    Good day. Below is the updated policy.

     

    Thanks 

     

    rodneyaltam

  • In reply to lferrara:

    Hi lferrara,

    I tried drop-packet-capture, but nothing shows up.

    Thanks

     

    rodneyaltam

  • In reply to Rodney Altamera:

    Rodney,

    make sure to wrap the filter in quotes ("").

    For example

    drop-packet-capture "host 192.168.0.8"

  • In reply to Rodney Altamera:

    Hi lferrara,

    I tried tcpdump. Below are the results.

    console> tcpdump "src host 192.168.50.144"
    tcpdump: Starting Packet Dump
    23:42:48.159498 Port3, OUT: IP 192.168.50.144.51858 > 192.168.20.16.445: Flags [S], seq 1292933633, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:42:49.250743 Port7, IN: IP 192.168.50.144.51859 > 192.168.20.16.139: Flags [S], seq 2168678664, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:42:49.250747 Port3, OUT: IP 192.168.50.144.51859 > 192.168.20.16.139: Flags [S], seq 2168678664, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:42:51.169958 Port7, IN: IP 192.168.50.144.51858 > 192.168.20.16.445: Flags [S], seq 1292933633, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:42:51.169963 Port3, OUT: IP 192.168.50.144.51858 > 192.168.20.16.445: Flags [S], seq 1292933633, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:42:52.248573 Port7, IN: IP 192.168.50.144.51859 > 192.168.20.16.139: Flags [S], seq 2168678664, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:42:52.248578 Port3, OUT: IP 192.168.50.144.51859 > 192.168.20.16.139: Flags [S], seq 2168678664, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:42:56.938009 Port7, IN: ARP, Request who-has 192.168.50.254 (00:1a:8c:5c:d7:18) tell 192.168.50.144, length 46
    23:42:57.173524 Port7, IN: IP 192.168.50.144.51858 > 192.168.20.16.445: Flags [S], seq 1292933633, win 8192, options [mss 1460,nop,nop,sackOK], length 0
    23:42:57.173529 Port3, OUT: IP 192.168.50.144.51858 > 192.168.20.16.445: Flags [S], seq 1292933633, win 8192, options [mss 1460,nop,nop,sackOK], length 0
    23:42:58.260471 Port7, IN: IP 192.168.50.144.51859 > 192.168.20.16.139: Flags [S], seq 2168678664, win 8192, options [mss 1460,nop,nop,sackOK], length 0
    23:42:58.260477 Port3, OUT: IP 192.168.50.144.51859 > 192.168.20.16.139: Flags [S], seq 2168678664, win 8192, options [mss 1460,nop,nop,sackOK], length 0
    23:43:00.136722 Port7, IN: IP 192.168.50.144.51860 > 192.168.20.17.445: Flags [S], seq 3152958056, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:00.136732 Port3, OUT: IP 192.168.50.144.51860 > 192.168.20.17.445: Flags [S], seq 3152958056, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:01.235708 Port7, IN: IP 192.168.50.144.51861 > 192.168.20.17.139: Flags [S], seq 1335666891, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:01.235712 Port3, OUT: IP 192.168.50.144.51861 > 192.168.20.17.139: Flags [S], seq 1335666891, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:03.148888 Port7, IN: IP 192.168.50.144.51860 > 192.168.20.17.445: Flags [S], seq 3152958056, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:03.148894 Port3, OUT: IP 192.168.50.144.51860 > 192.168.20.17.445: Flags [S], seq 3152958056, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:04.231340 Port7, IN: IP 192.168.50.144.51861 > 192.168.20.17.139: Flags [S], seq 1335666891, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:04.231346 Port3, OUT: IP 192.168.50.144.51861 > 192.168.20.17.139: Flags [S], seq 1335666891, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:08.927749 Port7, IN: ARP, Request who-has 192.168.50.254 (00:1a:8c:5c:d7:18) tell 192.168.50.144, length 46
    23:43:09.159130 Port7, IN: IP 192.168.50.144.51860 > 192.168.20.17.445: Flags [S], seq 3152958056, win 8192, options [mss 1460,nop,nop,sackOK], length 0
    23:43:09.159137 Port3, OUT: IP 192.168.50.144.51860 > 192.168.20.17.445: Flags [S], seq 3152958056, win 8192, options [mss 1460,nop,nop,sackOK], length 0
    23:43:10.240202 Port7, IN: IP 192.168.50.144.51861 > 192.168.20.17.139: Flags [S], seq 1335666891, win 8192, options [mss 1460,nop,nop,sackOK], length 0
    23:43:10.240210 Port3, OUT: IP 192.168.50.144.51861 > 192.168.20.17.139: Flags [S], seq 1335666891, win 8192, options [mss 1460,nop,nop,sackOK], length 0
    23:43:10.270739 Port7, IN: IP 192.168.50.144.137 > 192.168.20.16.137: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
    23:43:10.270745 Port3, OUT: IP 192.168.50.144.137 > 192.168.20.16.137: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
    23:43:11.779079 Port7, IN: IP 192.168.50.144.137 > 192.168.20.16.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    23:43:11.779086 Port3, OUT: IP 192.168.50.144.137 > 192.168.20.16.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    23:43:13.295169 Port7, IN: IP 192.168.50.144.137 > 192.168.20.16.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    23:43:13.295174 Port3, OUT: IP 192.168.50.144.137 > 192.168.20.16.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    23:43:14.196355 Port7, IN: IP 192.168.50.144.54071 > 8.8.4.4.53: 39616+ A? dns.msftncsi.com. (34)
    23:43:14.220554 Port7, IN: IP 192.168.50.144.54071 > 8.8.8.8.53: 39616+ A? dns.msftncsi.com. (34)
    23:43:14.829257 Port7, IN: IP 192.168.50.144.51863 > 192.168.20.16.80: Flags [S], seq 3245713553, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:14.829275 Port3, OUT: IP 192.168.50.144.51863 > 192.168.20.16.80: Flags [S], seq 3245713553, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:14.829276 Port7, IN: IP 192.168.50.144.51865 > 192.168.20.16.80: Flags [S], seq 3057674689, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:14.829277 Port3, OUT: IP 192.168.50.144.51865 > 192.168.20.16.80: Flags [S], seq 3057674689, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:14.829278 Port7, IN: IP 192.168.50.144.51864 > 192.168.20.16.80: Flags [S], seq 799320266, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:14.829279 Port3, OUT: IP 192.168.50.144.51864 > 192.168.20.16.80: Flags [S], seq 799320266, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:16.063267 Port7, IN: IP 192.168.50.144.51857 > 139.99.69.89.80: Flags [.], ack 1752306069, win 255, length 1
    23:43:17.831477 Port7, IN: IP 192.168.50.144.51863 > 192.168.20.16.80: Flags [S], seq 3245713553, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:17.831481 Port3, OUT: IP 192.168.50.144.51863 > 192.168.20.16.80: Flags [S], seq 3245713553, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:17.831482 Port7, IN: IP 192.168.50.144.51865 > 192.168.20.16.80: Flags [S], seq 3057674689, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:17.831483 Port3, OUT: IP 192.168.50.144.51865 > 192.168.20.16.80: Flags [S], seq 3057674689, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:17.831484 Port7, IN: IP 192.168.50.144.51864 > 192.168.20.16.80: Flags [S], seq 799320266, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:17.831485 Port3, OUT: IP 192.168.50.144.51864 > 192.168.20.16.80: Flags [S], seq 799320266, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:22.241241 Port7, IN: IP 192.168.50.144.137 > 192.168.20.17.137: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
    23:43:22.241246 Port3, OUT: IP 192.168.50.144.137 > 192.168.20.17.137: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
    23:43:23.754653 Port7, IN: IP 192.168.50.144.137 > 192.168.20.17.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    23:43:23.754658 Port3, OUT: IP 192.168.50.144.137 > 192.168.20.17.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    23:43:23.834851 Port7, IN: IP 192.168.50.144.51864 > 192.168.20.16.80: Flags [S], seq 799320266, win 8192, options [mss 1460,nop,nop,sackOK], length 0
    23:43:23.834855 Port3, OUT: IP 192.168.50.144.51864 > 192.168.20.16.80: Flags [S], seq 799320266, win 8192, options [mss 1460,nop,nop,sackOK], length 0
    23:43:23.834856 Port7, IN: IP 192.168.50.144.51865 > 192.168.20.16.80: Flags [S], seq 3057674689, win 8192, options [mss 1460,nop,nop,sackOK], length 0
    23:43:23.834857 Port3, OUT: IP 192.168.50.144.51865 > 192.168.20.16.80: Flags [S], seq 3057674689, win 8192, options [mss 1460,nop,nop,sackOK], length 0
    23:43:23.834858 Port7, IN: IP 192.168.50.144.51863 > 192.168.20.16.80: Flags [S], seq 3245713553, win 8192, options [mss 1460,nop,nop,sackOK], length 0
    23:43:23.834859 Port3, OUT: IP 192.168.50.144.51863 > 192.168.20.16.80: Flags [S], seq 3245713553, win 8192, options [mss 1460,nop,nop,sackOK], length 0
    23:43:25.266225 Port7, IN: IP 192.168.50.144.137 > 192.168.20.17.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    23:43:25.266230 Port3, OUT: IP 192.168.50.144.137 > 192.168.20.17.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    23:43:26.792446 Port7, IN: IP 192.168.50.144.51867 > 192.168.20.17.80: Flags [S], seq 141256322, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:26.792452 Port3, OUT: IP 192.168.50.144.51867 > 192.168.20.17.80: Flags [S], seq 141256322, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:26.929446 Port7, IN: ARP, Request who-has 192.168.50.254 (00:1a:8c:5c:d7:18) tell 192.168.50.144, length 46
    ^C
    61 packets captured
    64 packets received by filter
    0 packets dropped by kernel
    console>

     

    Thanks

    rodneyaltam

  • In reply to Rodney Altamera:

    Rodney,

    192.168.50.144:51858 tries to reach 192.168.20.16 on port 445, but it never receives a reply. Is the Windows Firewall enabled on the server side?

    Are you able to ping the machine?
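The diagnosis above rests on reading the capture by hand: every SYN from the client arrives on Port7, is forwarded out Port3, and is then retransmitted, with no SYN-ACK in between. Two distinct failure modes look alike in a console capture and are worth telling apart: a SYN that comes IN but never goes OUT (the firewall itself dropped it, so the rule base or routing is at fault and drop-packet-capture is the next stop), and a SYN that goes OUT but gets no SYN-ACK back (the firewall forwarded it and the server side, its host firewall, or its default gateway needs looking at). One caveat applies to the capture in this thread: the filter used was "src host 192.168.50.144", which only matches packets sent by the client, so a reply from 192.168.20.16 could never appear in that output even if one existed; a bidirectional filter such as "host 192.168.50.144" is needed before "no reply" can be concluded from the capture alone. The following script is an added example, not code from the thread or from Sophos: it parses lines in the XG console tcpdump format, classifies each client connection attempt, and flags a one-directional filter. The sample capture inside it is constructed in that format for the example and includes a healthy flow for contrast.

```python
"""Classify TCP handshake attempts in a Sophos XG console tcpdump capture.

Added example (not from the thread or Sophos). Sample lines are constructed
in the same format as the console output posted above.
"""
import re
from collections import defaultdict

# Constructed sample: two flows to 192.168.20.16 that get no reply after being
# forwarded, one flow the firewall never forwards, and one healthy handshake.
SAMPLE_CAPTURE = """\
23:42:48.159490 Port7, IN: IP 192.168.50.144.51858 > 192.168.20.16.445: Flags [S], seq 1292933633, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:42:48.159498 Port3, OUT: IP 192.168.50.144.51858 > 192.168.20.16.445: Flags [S], seq 1292933633, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:42:51.169958 Port7, IN: IP 192.168.50.144.51858 > 192.168.20.16.445: Flags [S], seq 1292933633, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:42:51.169963 Port3, OUT: IP 192.168.50.144.51858 > 192.168.20.16.445: Flags [S], seq 1292933633, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:42:56.938009 Port7, IN: ARP, Request who-has 192.168.50.254 (00:1a:8c:5c:d7:18) tell 192.168.50.144, length 46
23:43:10.000000 Port7, IN: IP 192.168.50.144.51870 > 192.168.20.16.3389: Flags [S], seq 11, win 8192, options [mss 1460], length 0
23:43:13.000000 Port7, IN: IP 192.168.50.144.51870 > 192.168.20.16.3389: Flags [S], seq 11, win 8192, options [mss 1460], length 0
23:43:20.000000 Port7, IN: IP 192.168.50.144.51900 > 192.168.20.16.22: Flags [S], seq 21, win 8192, options [mss 1460], length 0
23:43:20.000010 Port3, OUT: IP 192.168.50.144.51900 > 192.168.20.16.22: Flags [S], seq 21, win 8192, options [mss 1460], length 0
23:43:20.000500 Port3, IN: IP 192.168.20.16.22 > 192.168.50.144.51900: Flags [S.], seq 31, ack 22, win 29200, options [mss 1460], length 0
23:43:20.000510 Port7, OUT: IP 192.168.20.16.22 > 192.168.50.144.51900: Flags [S.], seq 31, ack 22, win 29200, options [mss 1460], length 0
"""

# One TCP line of the console format: time, interface, direction, 4-tuple, flags.
TCP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<port>Port\d+), (?P<dir>IN|OUT): "
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_tcp(capture):
    """Return one dict per TCP line; ARP, UDP and DNS lines are skipped."""
    records = []
    for line in capture.splitlines():
        m = TCP_LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            rec["flags"] = rec["flags"].replace(" ", "")  # tolerate "[S ]"
            records.append(rec)
    return records


def classify_flows(records):
    """Group SYN/SYN-ACK packets by client 4-tuple and give each a verdict.

    'dropped'  : SYN seen IN but never OUT, the firewall ate it (rule/route).
    'no_reply' : SYN forwarded OUT, no SYN-ACK back, look beyond the firewall
                 (host firewall, server's default gateway) or at the filter.
    'answered' : a SYN-ACK for the flow was seen, the server replied.
    """
    flows = defaultdict(lambda: {"syn_in": 0, "syn_out": 0, "synack": 0,
                                 "in_if": set(), "out_if": set()})
    for r in records:
        if r["flags"] == "S":
            f = flows[(r["src"], r["sport"], r["dst"], r["dport"])]
            if r["dir"] == "IN":
                f["syn_in"] += 1
                f["in_if"].add(r["port"])
            else:
                f["syn_out"] += 1
                f["out_if"].add(r["port"])
        elif r["flags"] == "S.":
            # SYN-ACK runs server -> client; key it by the client's tuple.
            flows[(r["dst"], r["dport"], r["src"], r["sport"])]["synack"] += 1
    verdicts = {}
    for key, f in flows.items():
        verdict = ("answered" if f["synack"] else
                   "no_reply" if f["syn_out"] else "dropped")
        verdicts[key] = {"verdict": verdict, "syn_in": f["syn_in"],
                         "syn_out": f["syn_out"], "in_if": sorted(f["in_if"]),
                         "out_if": sorted(f["out_if"])}
    return verdicts


def filter_sees_both_directions(filter_expr):
    """A 'src host'/'dst host' filter captures one direction only, so a
    missing reply under such a filter proves nothing; 'host X' sees both."""
    return re.search(r"\b(src|dst)\b", filter_expr) is None


if __name__ == "__main__":
    used_filter = "src host 192.168.50.144"
    if not filter_sees_both_directions(used_filter):
        print(f"warning: filter '{used_filter}' is one-directional; replies cannot appear")
    for (c, cp, s, sp), info in classify_flows(parse_tcp(SAMPLE_CAPTURE)).items():
        print(f"{c}:{cp} -> {s}:{sp}  {info['verdict']:9} "
              f"syn_in={info['syn_in']} syn_out={info['syn_out']} "
              f"in={info['in_if']} out={info['out_if']}")
```

Run against the real console output, the 445 and 139 flows in this thread all come out as "no_reply" with syn_in equal to syn_out, which is the point lferrara makes: the XG forwarded every SYN. The script also prints the filter warning for "src host", which is the reason to repeat the capture with "host 192.168.50.144" (or the drop-packet-capture form suggested earlier) before blaming the server.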

  • In reply to lferrara:

    Hi lferrara,

    I cannot ping 192.168.20.16 or .17. Both are fileservers. I also cannot access the folders. Below is my setup.

    VLAN10 = 192.168.10.0/24 - Port 1
        DG = 192.168.1.254

    VLAN20 = 192.168.20.0/24 - Port 3
        DG = 192.168.20.254

    VLAN30 = 192.168.30.0/24 - Port 5
        DG = 192.168.30.254

    VLAN50 = 192.168.50.0/24 - Port 7 (Wireless-LAN)
        DG = 192.168.50.254

    Below are my static routes.

    Is this correct?

     

    Thanks

    rodneyaltam

  • In reply to Rodney Altamera:

    Rodney, if you want I can check your XG. Send me a pm