
Issue with my VLANs

Hi to All Sophos Gurus,

Good day.

I have been fixing my VLAN routing in my Sophos XG 210 Firewall. I created different gateways for each VLAN. Below are the details.

VLAN10 :

IP = 192.168.10.0/24

DG = 192.168.10.254

ISP1

VLAN20 :

IP = 192.168.20.0/24

DG = 192.168.20.254

ISP2

VLAN30 (Wireless) :

IP = 192.168.30.0/24

DG = 192.168.30.254

ISP3

I have all my servers on VLAN10. I wanted to share my fileservers in VLAN10 with all the other VLANs. I already created a firewall rule in my Sophos. The problem is I cannot access my fileservers. Did I do something wrong? Someone might be able to help me. Below is a screenshot of my network diagram and firewall policies LAN to LAN.

Network Diagram

Firewall VLAN to VLAN Policy.

If anyone can give me an idea it would be great!

Thanks

Rodney

  • Hi

    Could you please add a static route for the VLANs added in the Sophos Firewall XG?

    To add a static route

    Routing >> IPv4 unicast route >> Add >> Destination IP (VLAN Network) >> Gateway >> IP of the switch >> Interface through which the traffic will come to XG from that VLAN

    Please also remove the Source and Destination network and apply ANY and try to access the fileserver.

    You may also try to ping the fileserver from any VLAN machine and take a packet capture to see whether the traffic is coming to the firewall or not. It might be served by the switch as layer 2 communication if the switch has details of the connected host. For packet capture, see https://community.sophos.com/kb/en-us/123189

    Hope this helps!

    Regards,

    Keyur
    Community Support Engineer | Sophos Support

  • Hi Keyur,

    Thanks for sharing your technical expertise regarding this matter. I'll check this by next week once I am in the office and get back to you.

    Cheers!

    Rodney

  • Hi Iferrara,

    I tried to do drop-packet-capture but nothing shows.

    Thanks

    rodneyaltam

  • Rodney,

    Make sure to enclose the filter in quotes, ' or ".

    For example

    drop-packet-capture "host 192.168.0.8"

  • Hi Iferrara,

    I tried tcpdump. Below are the results.

    console> tcpdump "src host 192.168.50.144"
    tcpdump: Starting Packet Dump
    23:42:48.159498 Port3, OUT: IP 192.168.50.144.51858 > 192.168.20.16.445: Flags [S], seq 1292933633, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:42:49.250743 Port7, IN: IP 192.168.50.144.51859 > 192.168.20.16.139: Flags [S], seq 2168678664, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:42:49.250747 Port3, OUT: IP 192.168.50.144.51859 > 192.168.20.16.139: Flags [S], seq 2168678664, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:42:51.169958 Port7, IN: IP 192.168.50.144.51858 > 192.168.20.16.445: Flags [S], seq 1292933633, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:42:51.169963 Port3, OUT: IP 192.168.50.144.51858 > 192.168.20.16.445: Flags [S], seq 1292933633, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:42:52.248573 Port7, IN: IP 192.168.50.144.51859 > 192.168.20.16.139: Flags [S], seq 2168678664, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:42:52.248578 Port3, OUT: IP 192.168.50.144.51859 > 192.168.20.16.139: Flags [S], seq 2168678664, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:42:56.938009 Port7, IN: ARP, Request who-has 192.168.50.254 (00:1a:8c:5c:d7:18) tell 192.168.50.144, length 46
    23:42:57.173524 Port7, IN: IP 192.168.50.144.51858 > 192.168.20.16.445: Flags [S], seq 1292933633, win 8192, options [mss 1460,nop,nop,sackOK], length 0
    23:42:57.173529 Port3, OUT: IP 192.168.50.144.51858 > 192.168.20.16.445: Flags [S], seq 1292933633, win 8192, options [mss 1460,nop,nop,sackOK], length 0
    23:42:58.260471 Port7, IN: IP 192.168.50.144.51859 > 192.168.20.16.139: Flags [S], seq 2168678664, win 8192, options [mss 1460,nop,nop,sackOK], length 0
    23:42:58.260477 Port3, OUT: IP 192.168.50.144.51859 > 192.168.20.16.139: Flags [S], seq 2168678664, win 8192, options [mss 1460,nop,nop,sackOK], length 0
    23:43:00.136722 Port7, IN: IP 192.168.50.144.51860 > 192.168.20.17.445: Flags [S], seq 3152958056, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:00.136732 Port3, OUT: IP 192.168.50.144.51860 > 192.168.20.17.445: Flags [S], seq 3152958056, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:01.235708 Port7, IN: IP 192.168.50.144.51861 > 192.168.20.17.139: Flags [S], seq 1335666891, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:01.235712 Port3, OUT: IP 192.168.50.144.51861 > 192.168.20.17.139: Flags [S], seq 1335666891, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:03.148888 Port7, IN: IP 192.168.50.144.51860 > 192.168.20.17.445: Flags [S], seq 3152958056, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:03.148894 Port3, OUT: IP 192.168.50.144.51860 > 192.168.20.17.445: Flags [S], seq 3152958056, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:04.231340 Port7, IN: IP 192.168.50.144.51861 > 192.168.20.17.139: Flags [S], seq 1335666891, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:04.231346 Port3, OUT: IP 192.168.50.144.51861 > 192.168.20.17.139: Flags [S], seq 1335666891, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:08.927749 Port7, IN: ARP, Request who-has 192.168.50.254 (00:1a:8c:5c:d7:18) tell 192.168.50.144, length 46
    23:43:09.159130 Port7, IN: IP 192.168.50.144.51860 > 192.168.20.17.445: Flags [S], seq 3152958056, win 8192, options [mss 1460,nop,nop,sackOK], length 0
    23:43:09.159137 Port3, OUT: IP 192.168.50.144.51860 > 192.168.20.17.445: Flags [S], seq 3152958056, win 8192, options [mss 1460,nop,nop,sackOK], length 0
    23:43:10.240202 Port7, IN: IP 192.168.50.144.51861 > 192.168.20.17.139: Flags [S], seq 1335666891, win 8192, options [mss 1460,nop,nop,sackOK], length 0
    23:43:10.240210 Port3, OUT: IP 192.168.50.144.51861 > 192.168.20.17.139: Flags [S], seq 1335666891, win 8192, options [mss 1460,nop,nop,sackOK], length 0
    23:43:10.270739 Port7, IN: IP 192.168.50.144.137 > 192.168.20.16.137: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
    23:43:10.270745 Port3, OUT: IP 192.168.50.144.137 > 192.168.20.16.137: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
    23:43:11.779079 Port7, IN: IP 192.168.50.144.137 > 192.168.20.16.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    23:43:11.779086 Port3, OUT: IP 192.168.50.144.137 > 192.168.20.16.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    23:43:13.295169 Port7, IN: IP 192.168.50.144.137 > 192.168.20.16.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    23:43:13.295174 Port3, OUT: IP 192.168.50.144.137 > 192.168.20.16.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    23:43:14.196355 Port7, IN: IP 192.168.50.144.54071 > 8.8.4.4.53: 39616+ A? dns.msftncsi.com. (34)
    23:43:14.220554 Port7, IN: IP 192.168.50.144.54071 > 8.8.8.8.53: 39616+ A? dns.msftncsi.com. (34)
    23:43:14.829257 Port7, IN: IP 192.168.50.144.51863 > 192.168.20.16.80: Flags [S], seq 3245713553, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:14.829275 Port3, OUT: IP 192.168.50.144.51863 > 192.168.20.16.80: Flags [S], seq 3245713553, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:14.829276 Port7, IN: IP 192.168.50.144.51865 > 192.168.20.16.80: Flags [S], seq 3057674689, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:14.829277 Port3, OUT: IP 192.168.50.144.51865 > 192.168.20.16.80: Flags [S], seq 3057674689, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:14.829278 Port7, IN: IP 192.168.50.144.51864 > 192.168.20.16.80: Flags [S], seq 799320266, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:14.829279 Port3, OUT: IP 192.168.50.144.51864 > 192.168.20.16.80: Flags [S], seq 799320266, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:16.063267 Port7, IN: IP 192.168.50.144.51857 > 139.99.69.89.80: Flags [.], ack 1752306069, win 255, length 1
    23:43:17.831477 Port7, IN: IP 192.168.50.144.51863 > 192.168.20.16.80: Flags [S], seq 3245713553, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:17.831481 Port3, OUT: IP 192.168.50.144.51863 > 192.168.20.16.80: Flags [S], seq 3245713553, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:17.831482 Port7, IN: IP 192.168.50.144.51865 > 192.168.20.16.80: Flags [S], seq 3057674689, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:17.831483 Port3, OUT: IP 192.168.50.144.51865 > 192.168.20.16.80: Flags [S], seq 3057674689, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:17.831484 Port7, IN: IP 192.168.50.144.51864 > 192.168.20.16.80: Flags [S], seq 799320266, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:17.831485 Port3, OUT: IP 192.168.50.144.51864 > 192.168.20.16.80: Flags [S], seq 799320266, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:22.241241 Port7, IN: IP 192.168.50.144.137 > 192.168.20.17.137: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
    23:43:22.241246 Port3, OUT: IP 192.168.50.144.137 > 192.168.20.17.137: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
    23:43:23.754653 Port7, IN: IP 192.168.50.144.137 > 192.168.20.17.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    23:43:23.754658 Port3, OUT: IP 192.168.50.144.137 > 192.168.20.17.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    23:43:23.834851 Port7, IN: IP 192.168.50.144.51864 > 192.168.20.16.80: Flags [S], seq 799320266, win 8192, options [mss 1460,nop,nop,sackOK], length 0
    23:43:23.834855 Port3, OUT: IP 192.168.50.144.51864 > 192.168.20.16.80: Flags [S], seq 799320266, win 8192, options [mss 1460,nop,nop,sackOK], length 0
    23:43:23.834856 Port7, IN: IP 192.168.50.144.51865 > 192.168.20.16.80: Flags [S], seq 3057674689, win 8192, options [mss 1460,nop,nop,sackOK], length 0
    23:43:23.834857 Port3, OUT: IP 192.168.50.144.51865 > 192.168.20.16.80: Flags [S], seq 3057674689, win 8192, options [mss 1460,nop,nop,sackOK], length 0
    23:43:23.834858 Port7, IN: IP 192.168.50.144.51863 > 192.168.20.16.80: Flags [S], seq 3245713553, win 8192, options [mss 1460,nop,nop,sackOK], length 0
    23:43:23.834859 Port3, OUT: IP 192.168.50.144.51863 > 192.168.20.16.80: Flags [S], seq 3245713553, win 8192, options [mss 1460,nop,nop,sackOK], length 0
    23:43:25.266225 Port7, IN: IP 192.168.50.144.137 > 192.168.20.17.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    23:43:25.266230 Port3, OUT: IP 192.168.50.144.137 > 192.168.20.17.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    23:43:26.792446 Port7, IN: IP 192.168.50.144.51867 > 192.168.20.17.80: Flags [S], seq 141256322, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:26.792452 Port3, OUT: IP 192.168.50.144.51867 > 192.168.20.17.80: Flags [S], seq 141256322, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    23:43:26.929446 Port7, IN: ARP, Request who-has 192.168.50.254 (00:1a:8c:5c:d7:18) tell 192.168.50.144, length 46
    ^C
    61 packets captured
    64 packets received by filter
    0 packets dropped by kernel
    console>

    Thanks

    rodneyaltam

  • Rodney,

    192.168.50.144.51858 tries to reach 192.168.20.16 on port 445, but it never receives a reply. Is Windows Firewall enabled on the server side?

    Are you able to ping the machine?
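
As an added example (not code from anyone in this thread), a small Python script that reads lines in the format of the XG console capture posted above and lists the TCP flows the firewall forwarded out but for which no packet ever came back from the server, which is the pattern behind the diagnosis above. The sample lines are constructed in that format; the SYN-ACK reply lines for the HTTP flow are invented so the contrast with the unanswered SMB flows is visible.

```python
import re

# Matches the TCP lines of the XG console tcpdump format seen in the capture above:
# "23:42:48.159498 Port3, OUT: IP 192.168.50.144.51858 > 192.168.20.16.445: Flags [S], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<port>Port\d+), (?P<dir>IN|OUT): IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_tcp(lines):
    """Yield one dict per TCP line; ARP, NBT and DNS lines do not match and are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def unanswered_syns(lines):
    """Flows the firewall forwarded (a pure SYN seen OUT) for which no packet ever
    came back from the server. Returns sorted (client, cport, server, sport) tuples."""
    forwarded = {}  # flow -> (egress port, timestamp of the first forwarded SYN)
    replied = set()
    for p in parse_tcp(lines):
        flow = (p["src"], int(p["sport"]), p["dst"], int(p["dport"]))
        if p["dir"] == "OUT" and "S" in p["flags"] and "." not in p["flags"]:
            forwarded.setdefault(flow, (p["port"], p["ts"]))
        # A packet in the reverse direction means the server did answer this flow.
        replied.add((p["dst"], int(p["dport"]), p["src"], int(p["sport"])))
    return sorted(f for f in forwarded if f not in replied)

# Constructed sample in the format of the capture above: two SMB SYNs that are
# forwarded out Port3 and retransmitted with no answer, plus an HTTP flow whose
# SYN-ACK reply lines are invented here so the difference is visible.
SAMPLE = """\
23:42:48.159498 Port3, OUT: IP 192.168.50.144.51858 > 192.168.20.16.445: Flags [S], seq 1292933633, win 8192, length 0
23:42:49.250743 Port7, IN: IP 192.168.50.144.51859 > 192.168.20.16.139: Flags [S], seq 2168678664, win 8192, length 0
23:42:49.250747 Port3, OUT: IP 192.168.50.144.51859 > 192.168.20.16.139: Flags [S], seq 2168678664, win 8192, length 0
23:42:51.169958 Port7, IN: IP 192.168.50.144.51858 > 192.168.20.16.445: Flags [S], seq 1292933633, win 8192, length 0
23:42:51.169963 Port3, OUT: IP 192.168.50.144.51858 > 192.168.20.16.445: Flags [S], seq 1292933633, win 8192, length 0
23:42:56.938009 Port7, IN: ARP, Request who-has 192.168.50.254 (00:1a:8c:5c:d7:18) tell 192.168.50.144, length 46
23:43:14.829257 Port7, IN: IP 192.168.50.144.51863 > 192.168.20.16.80: Flags [S], seq 3245713553, win 8192, length 0
23:43:14.829275 Port3, OUT: IP 192.168.50.144.51863 > 192.168.20.16.80: Flags [S], seq 3245713553, win 8192, length 0
23:43:14.830101 Port3, IN: IP 192.168.20.16.80 > 192.168.50.144.51863: Flags [S.], seq 1, ack 3245713554, win 65535, length 0
23:43:14.830120 Port7, OUT: IP 192.168.20.16.80 > 192.168.50.144.51863: Flags [S.], seq 1, ack 3245713554, win 65535, length 0
""".splitlines()

if __name__ == "__main__":
    for client, cport, server, sport in unanswered_syns(SAMPLE):
        print(f"{client}:{cport} -> {server}:{sport} forwarded, no reply from server")
```

A flow that shows up here left the firewall on the server-side port and was never answered, so the next place to look is the server itself (its host firewall) or the layer 2 path behind that port, not the firewall rule.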

  • Hi Iferrara,

    I cannot ping 192.168.20.16 and .17. Both are fileservers. I also cannot access the folders. Below is my setup:

    VLAN10 = 192.168.10.0/24 - Port 1

                    DG = 192.168.1.254

    VLAN20 = 192.168.20.0/24 - Port 3

                    DG = 192.168.20.254

    VLAN30 = 192.168.30.0/24 - Port 5

                    DG = 192.168.30.254

    VLAN50 = 192.168.50.0/24 - Port 7 (Wireless-LAN)

                    DG = 192.168.50.254

    Below are my static routes.

    Is this correct?

    Thanks

    rodneyaltam

  • Rodney, if you want I can check your XG. Send me a PM.

  • Rodney,

    Are the VLAN interfaces created on the XG or on the switch side?

    If they are created on the XG, you do not need any static routes. If they are created on the switch, you need a static route for each side that points to the XG port connected between the XG and the switch.

  • Hi Iferrara,

    This is noted. I'll PM you.

    Thanks

    rodneyaltam

  • The problem was the firewall enabled on the UniFi Access Point, which was blocking traffic for the Wi-Fi network.

  • Hi Iferrara,

    Thanks for your support. I really appreciate this.

    rodneyaltam
