
XG115 for WiFi Protection

Hi everyone,

 

I've a question regarding an XG 115 appliance which should actually only work as a WiFi Protection. The XG is behind a managed switch (where the clients and APs are connected) which in turn is behind a router.

The XG has 4 eth ports 1 (LAN) 2 (WAN) 3 (DMZ) 4 (not labeled).

 

First my configuration was the following:

- Port 1 LAN -> connected to Switch / Router

- Port 2 WAN -> connected to Router / Switch

 

It was not possible for the APs to reach the XG.

 

I spent some time to find out that the only way the XG noticed the APs was to change the configuration of the XG ports to:

- Port 1 WAN -> connected to Switch / Router

- Port 2 LAN  -> connected to Router / Switch

 

It looks like it doesn't matter how the ports are connected to switch or router.

 

I also tried the following, which was also not functional:

- Port 2 WAN

- Port 4 LAN

 

I suspect I have made a mistake.

Can anyone explain why the XG is only noticing APs when Port 2 (labeled as WAN) is manually configured to LAN? Thanks!



  • FormerMember

    Hi Edvvde,

    Those are just labels for reference and you can move ports around and configure them according to your requirements. When you say you configured Port2 (labeled as WAN) to LAN and that worked, but when you used the labeled LAN port it did not work, have you verified that you had the correct cables plugged in?

    Thanks,

  • Hi H_Patel,

     

    thanks for your reply.

     

    Yes, while I was writing this post I tried the following again:

     

    - Port 1 (configured in XG as WAN) -> first connected to Router / connection changed to Switch

    - Port 2 (configured in XG as LAN) -> first connected to Switch / connection changed to Switch

     

    For the APs it looks like it doesn't matter which cable is plugged in; the main thing is that Port 2 is configured as LAN (I know that those are just labels for reference, that's why I don't understand). There must be some stupid mistake in thinking, but I, idiot, don't get it ...

     
     
  • What I forgot:

     

    In this configuration everything is functional, the APs are reachable and the network connection is functional, but the XG says in the control center there is a problem with the interface (but there is no problem, everything is fine) ...

     

    When the configuration is Port 1 (LAN) Port 2 (WAN) there is no red light, the interface status is green (but the APs are not reachable) ...

     

    I don't get it -./

     

  • Hi  

    Thanks for Interface configuration details.

    Here the problem is with Interface Port1 and Port2 network configuration.

    Ideally, we are not allowed to configure the same network on 2 different interfaces of the firewall (reason: it will create an ARP conflict problem).

    Please change either the WAN network or the LAN network, whichever is convenient, and that will help you to make your gateway status up or green.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'Verify Answer' link.

  • Hi ,

     

    thanks for reply. What exactly do you mean here?

     

    Vishal_R said:


    Please change either WAN network or LAN network

     

    And why does the status turn green after I changed Port 1 back to LAN and Port 2 back to WAN (same IPs)?

     

    Thanks!

  • Hi  

    Here Port 1 & 2 are both configured with 192.168.100.X/24, which is the same network. This is not the ideal configuration and will create a problem, as mentioned in the last note.

    If you want to check and confirm what problem it is creating when the gateway status is RED and GREEN, you may verify the gateway ARP status via the command below.

    console> sy dia uti arp sh 192.168.100.254

    It should give the result as complete on the correct interface, on which the WAN router is the next hop.

    If the above is true, as the next step you may run an ARP ping to the gateway IP and verify the packet requests on the gateway IP at the same time.

    a) ARP PING command.

    console> sy dia uti arp ping interface PortX 192.168.100.254

    Where PortX must be the WAN interface on which the WAN router or gateway is the next hop.

    b) TCPDUMP on the gateway IP.

    console> tcpdump 'host 192.168.100.254'

    The results of a) & b) will give you more information when you compare them between gateway status GREEN and RED, and will help you to understand how 2 identical networks create an ARP conflict problem.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support
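
The misconfiguration described in the reply above (two firewall interfaces in the same subnet, so the gateway is on-link via both) can be caught offline from an interface list. This is an added example, not part of the original thread and not Sophos code; the host addresses `.1` and `.2` and the replacement network `192.168.50.0/24` are constructed, as the thread only gives `192.168.100.X/24` and the gateway `192.168.100.254`.

```python
import ipaddress
from itertools import combinations

# Constructed sample: only the /24 network and the gateway IP come from the
# thread; the host parts (.1, .2) are assumptions for illustration.
INTERFACES = {
    "Port1": "192.168.100.1/24",
    "Port2": "192.168.100.2/24",
}
GATEWAY = "192.168.100.254"


def overlapping_interfaces(interfaces):
    """Return name pairs whose connected subnets overlap (also /24 inside /16)."""
    nets = {name: ipaddress.ip_interface(addr).network
            for name, addr in interfaces.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def candidate_egress(interfaces, gateway):
    """Return every interface whose connected subnet contains the gateway."""
    gw = ipaddress.ip_address(gateway)
    return sorted(name for name, addr in interfaces.items()
                  if gw in ipaddress.ip_interface(addr).network)


def audit(interfaces, gateway):
    """Collect findings: shared subnets and an ambiguous or missing gateway path."""
    findings = [f"{a} and {b} share a subnet"
                for a, b in overlapping_interfaces(interfaces)]
    egress = candidate_egress(interfaces, gateway)
    if len(egress) != 1:
        findings.append(
            f"gateway {gateway} is on-link via {len(egress)} interfaces: {egress}")
    return findings


if __name__ == "__main__":
    for line in audit(INTERFACES, GATEWAY):
        print("FINDING:", line)
    # Constructed fix: move one port to a different network, as the reply advises.
    fixed = dict(INTERFACES, Port1="192.168.50.1/24")
    print("after change:", audit(fixed, GATEWAY) or "no findings")
```
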
