
Setup XG Home with Eero DHCP

Hello, I've been looking for an answer for a few days and the reading has been educational, but not a solution for my issue, and I hope you can help move me toward a working firewall.

I am setting up XG Home on an old PC (i5-2400 if I recall correctly).  It has a built-in NIC (Intel model) and I installed an Intel Pro/1000 dual port server adapter.  I want the firewall between the Arris cable modem and my Gateway Eero.  I want Eero to control DHCP so I get the full features of Eero.  Eero uses 192.168.7.1 as the default gateway address.  Cable One assigns me an IP address from what seems to be any random server with an opening at the time (https://tools.tracemyip.org/search--isp/cable+one)

I can run the setup wizard via 172.16.16.16:4444 when I am connected by Ethernet to Port 1 (original PC NIC) while the cable modem is connected to Port 2 (NIC on the Intel Pro NIC), but from there I am lost.  I set the firewall in bridge mode hoping the gateway Eero will manage the IP connections as they change over time.  But the wizard sets the bridge address to whatever the cable modem IP is at the time and I can't change that in the wizard.  Then when the wizard is finished, I have no access to the firewall web maintenance app <bridge ip>:4444 . I tried with monitor and keyboard connected to my firewall PC to change the network to the default Eero gateway (192.168.7.1) but I still can't access 192.168.7.1:4444 after that. I even went so far as to try console > system appliance_access enable , then access the XG via https://192.168.7.1:4444 . But I still couldn't access the firewall maintenance app.

So I think it's clear I'm not managing the IPs right or using the right one to access the firewall.  Can you help me sort this out?

Much obliged.



  • Using the console, set up the 3rd port as your maintenance access port, then try again.

    Were you able to set your XG password which can only be done from the GUI?

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks for the tip, Ian.  But I'm not quite sure how to set up the maintenance access port.   I don't know where to start.  Sorry, I'm still a bit of a rock on firewalls (but I am looking for an answer on the boards).

    I was able to set password in the 172.16.16.16:4444 setup wizard.  But after it reboots, I lose all access.

    I set the time as close to right as I could get.  I notice this PC clock is fast.  It gains about a minute a day.

    There is plenty of traffic I found.  Using Advanced Shell: tcpdump -ni Port1, about 25 packets per second reading something like:

    Out: ARP. Request who has 24.116.170.219 tell 24.116.170.1

    Out: ARP. Request who has 184.155.157.246 tell 184.155.17.1

    Out: ARP. Request who has 173.207.37.119 tell 173.207.37.1

  • Hi,

    it is not a maintenance access port, just another LAN port which is not in the bridge. Setting up a LAN port that is not in a bridge is also recommended to provide access to your XG.

    You already have access to the console, so you must be able to login to the XG. 

    My mistake, you cannot set up a new LAN port via the console; you probably can, I just do not know the CLI commands to achieve this.

    Ian


  • Ok.  I had the right general idea but sloppy wording.  I also do not know the command to set up a LAN port that is not in a bridge.  I found <discover mode> in the CLI command reference and this discover mode article.  Do you think these are on the way to being the solution?  I can't do it exactly like what is discussed in the discover mode article because I don't have a managed switch.  And discovery isn't what we are after, but maybe the discover mode article helps a little anyway?

    It says in part...

    1. Connect and Access the SF
       1. Connect one end of the straight-through cable into Port A of the SF and the other end into the Ethernet Adapter port of the Network Switch.
       2. Change the IP address of the LAN computer (Configuring Computer) from which you want to access the SF to 172.16.16.2 and the subnet mask to 255.255.255.0.
       3. In the Configuring Computer, open a web browser and browse to https://172.16.16.16:4444.
       4. Log in to the Admin Console using the default username "admin" and password "admin".

     

    I think these IP addresses are wrong for me in bridge mode, but does it trigger any interesting thoughts for you or am I on a wild goose chase?

     

  • Hi,

    to me that all looks too hard.

    Suggestion: re-install the XG software but in route mode, then build a bridge. That will give you admin access and control.

    Ian


  • I got into the XG web interface with the orange box here.  I assigned a static IP of 192.168.7.250 for Port3.  CLI confirmed it.  But 192.168.7.250:4444 did not give the XG web interface with direct cable from laptop to Port3.

    Tomorrow I will do the DHCP setup as you suggest.  

  • Well, going with a DHCP setup made it easy to get online.  And surprisingly the Eero wifi worked without any changes.  Wired devices in the eero app show eero's IP range, 192.168.7.xxx.  XG appliance shows only my laptop and the eero as devices.  This is not ideal of course as there are 50 devices on eero.  If I bridge XG to eero, I hope XG would be able to better log and control eero traffic.  

    I tried to build a bridge and wound up having to reset the appliance.  Port 2 now has DHCP Gateway with IP 184.155.143.1.  Eero has 192.168.7.1 as gateway.  I don't know how to bridge these together.  

    I also set Port 3 to static 172.16.16.10, but I can't do anything with the Sophos web app when connected to it.

    Is there a networking basics overview you would recommend a newbie read, or is just hunting for specific answers better?

    Thanks. 

     

  • Hi,

    you would log into the web page with https://172.16.16.16.10:4444, which should give you access to the GUI and tabs. This of course will depend on you having defined it as a LAN type, otherwise you will have to log in to the ADMIN page on your other access and give port 3 access.

     

    If you want the XG to control anything, the device has to be on the LAN side of the XG, not the WAN side.

    You create a bridge on the networks tab of the GUI, and part of the configuration is to select which interfaces to add to the bridge.

    Ian


  • I was able to login to 172.16.16.10:4444 on a fresh Chrome tab.  Guess there was a cache error earlier.  Thanks for the push to try again.

    When I attempted a bridge earlier, I tried Port1 (LAN) to Port 2 (WAN).  I have to give interface IP4 and Gateway IP.  I tried earlier to reserve IP 192.168.7.250 static for IP4 interface and 198.168.7.1 as Gateway IP.  This gateway IP is always used by eero.  When I did this earlier, I got locked out of the appliance and had to reset.   I thought briefly maybe it should be the Arris cable modem Gateway IP, but this is DHCP and changes (currently 184.155.143.xxx WAN IP and 184.155.143.1 WAN Gateway I think), but IP4 for the interface has to be on the same network as the gateway and I don't think I can use a public domain like 184.155.143.xxx, can I?

    BTW, the eero is on the LAN side of the XG.  It has a DHCP address of 172.16.16.xx in XG currently.
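
An added example (not part of any post in this thread, and not Sophos code): a Python pre-flight check for the interface address and gateway pair that the bridge dialog asks for, run over the addresses exactly as quoted in the post above. The /24 prefix length for the 192.168.7.x network is an assumption, since the thread does not state that mask; `check_plan` and `scope` are hypothetical helper names.

```python
import ipaddress

def check_plan(iface_cidr, gateway):
    """Return a list of problems with an interface address / gateway pair."""
    iface = ipaddress.ip_interface(iface_cidr)
    gw = ipaddress.ip_address(gateway)
    net = iface.network
    problems = []
    # A gateway must be reachable on-link, i.e. inside the interface's subnet.
    if gw not in net:
        problems.append(f"gateway {gw} is not inside {net}")
    # The interface must not claim the address the gateway already owns.
    if gw == iface.ip:
        problems.append("interface and gateway use the same address")
    # Network and broadcast addresses cannot be assigned to a host.
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")
    return problems

def scope(addr):
    """Classify an address as 'private' (RFC 1918 and similar) or 'public'."""
    return "private" if ipaddress.ip_address(addr).is_private else "public"

# Address pairs as they appear in the thread; the /24 masks are assumed.
PLANS = [
    ("192.168.7.250/24", "198.168.7.1"),   # pair as typed in the post above
    ("192.168.7.250/24", "192.168.7.1"),   # Eero gateway from the first post
    ("172.16.16.10/24", "172.16.16.16"),   # Port 3 and the XG default address
]

if __name__ == "__main__":
    for cidr, gw in PLANS:
        issues = check_plan(cidr, gw) or ["ok"]
        print(f"{cidr} via {gw} ({scope(gw)}): {'; '.join(issues)}")
    # The ISP-assigned WAN gateway quoted in the thread is a public address.
    print("184.155.143.1 is", scope("184.155.143.1"))
```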

  • Let us step back a bit. What are you trying to achieve?

    1/. secure internet connection?

    2/. DHCP addressing managed by Eero?

    3/. Eero to provide WIFI access?

     

    If the above are your aims, you do not need the XG in bridge mode, but routing mode.

    Assuming the Arris is in bridge mode, your XG will pick up the IP address allocated by your ISP, maybe with trying to put the Arris into bridge mode.

    Then you need to build some firewall rules, general until you get the hang of them, then tighten them as you go.

    Ian


  • Yep, those are all three things I was after so it is a success by those criteria.  I just don't know enough to know if what was accomplished was the "right" way or if the bridge that would maybe give per device rule making capability is really easy to accomplish from where I am at today or if I am just making a simpleton's mistake.  It sounds like I am not making such a mistake so I will move on from here to learn firewall rule making and the like.  Thanks for your help.