
New User Urgent Help With Zone To Zone Required Please

Hi,

I have just installed this morning, coming from pfSense, and have connected to the internet, but I require my LAN & WiFi ports to see each other.

I have configured the zone to zone firewall rule to any from any but it is not working?

Wife & Kids are going mad as we are in lockdown :-(

Massive thanks for any help in advance!
  • Hi,

    First of all, uncheck "Match Known Users". Unless you have an authentication server such as AD, or have created clientless users on XG, there's no need to have it checked.

    If you have Match Known Users enabled, the rule will only apply to authenticated users found by XG.

    Second: don't create LAN => LAN rules with "Any" as sources or destinations. I know that's how you create them on pfSense (since you create rules based on the interface as source), but not on XG.

    Use the correct zone and networks when creating the rules.

    Here's an example:

    Thanks,

    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 EAP @ Home

    Sophos ZTNA (KVM) @ Home

  • Thanks so much for your replies!

    I just got it working. I had (it made sense to me at first) set my port 3 (Wireless) to the WiFi zone and was trying to zone them together, but it would not work, so I changed the network zone to LAN on port 3 and then zoned LAN to LAN instead of LAN to WiFi, and now it's up & running! :-)

    Your destination screenshots (WiFi LAN & Wired LAN): did you create those as IP ranges?

    Just port forwarding to get working (cannot understand why it is not), but I will create a new post for that :-)

  • Just noticed though, even though my two LANs are now talking to each other, why would I be getting all this blocked traffic?

  • Did you have a proxy configured in the old firewall that is set up on the clients?

    //Rickard

  • Thank you, good point, I may have done. Sorry for jumping; it's just amazing how much there is to set up after using pfSense for a couple of years. Happy to say Sophos is far friendlier to use, a couple of quirks but I am getting my head around it slowly :-)

  • Glad to be of service. Good luck on your Sophos endeavours :)

    //Rickard

  • Hi,

    I thought I had resolved this but unfortunately I haven't, only a partial success.

    I have 3 LAN interfaces.

    DHCP is running for all 3 devices' subnet ranges.

    You can also see that the devices are in the lease table, but I am unable to ping them.

    Yet even though in the screenshot above I cannot ping (anything), one example is 192.168.2.50, a Windows Backup Server that is connected, up & running & on the internet as well. I have also connected to it from 192.168.0.3 via local remote desktop and, as you can see from this screenshot, I am unable to ping the device that is remote controlling it either, but I can ping the Sophos gateway.

    I have also created IP-range source & destination zones, so well covered there.

    Any input greatly appreciated!

  • First, I would enable logging on the rule to see what is happening to the traffic.

    Then I would remove the Source and Dest networks and replace them with Any, since it looks like you have one subnet on the zones in question.

    And the question of the day: is ICMP echo reply enabled in Windows Firewall on the server you are trying to ping?

    //Rickard

  • Thank you so much for taking the time to reply!

    "First, I would enable logging on the rule to see what is happening to the traffic."

    I have enabled logging, but cannot even see any entries to the IP I am pinging in the log viewer? When logging is enabled does it write to here?

    "Then I would remove the Source and Dest networks and replace them with Any, since it looks like you have one subnet on the zones in question."

    I had that originally and was advised against it by Prism:

    "Don't create LAN => LAN rules with "Any" as sources or destinations. I know that's how you create them on pfSense (since you create rules based on the interface as source), but not on XG."

    "And the question of the day: is ICMP echo reply enabled in Windows Firewall on the server you are trying to ping?"

    I can only presume it is, as if I shut down my Sophos VM and go back to my old pfSense VM everything can see everything.

  • In Log Viewer under Firewall you should see the entry from the source IP and destination if it hits your rule.

    "Don't create LAN => LAN rules with "Any" as sources or destinations. I know that's how you create them on pfSense (since you create rules based on the interface as source), but not on XG."

    Well, now here is the thing. If the zone contains one subnet only it doesn't really matter, but anyway I am simply trying to rule out misconfiguration of the networks in the firewall objects.

    So I would do a rule: Source zone: LAN or the name of the zone (where your computer is located), source network: Any; Dest zone: name of the zone where the server is, dest network: Any; Protocol: Any. And place it on top of the rule base. Enable logging.

    What you could try as well is, under Diagnostics in the firewall, try to ping the server in question to see if that works. If not, look at the ARP table in the firewall and see if you can find the MAC address of the server. And check that the default GW for the server is set to the XG.

  • "So I would do a rule: Source zone: LAN or the name of the zone (where your computer is located), source network: Any; Dest zone: name of the zone where the server is, dest network: Any; Protocol: Any. And place it on top of the rule base. Enable logging."

    Ok, if I do what you say (pictured below) I lose internet connection, so I have disabled this rule for now.

    "What you could try as well is, under Diagnostics in the firewall, try to ping the server in question to see if that works. If not, look at the ARP table in the firewall and see if you can find the MAC address of the server. And check that the default GW for the server is set to the XG."

    Ok, this just proves my issue.

    I cannot find this ARP table you mention? This is all I can find that relates to ARP.

    Here are all my rules just in case you can see something else wrong?

    Thanks again for your time!

  • The rule you created has the WAN zone as destination; remove that and it will work again.

    Under Diagnostics remove the interface and leave it on automatic, so the firewall itself can see if it can find the correct network using the routing table. And try to ping again.

    When it comes to the ARP table (you are in the correct place), in the drop-down list you have an option that I do not remember now, but it will show you the dynamic ARP instead of static (you have not configured any ARPs manually, so that's why you do not see anything).

    //Rickard

  • "The rule you created has the WAN zone as destination; remove that and it will work again."

    Muppet! Ok, done and ok now >>>Insert Facepalm Here<<<

    "Under Diagnostics remove the interface and leave it on automatic, so the firewall itself can see if it can find the correct network using the routing table. And try to ping again."

    Yes, that works.

    But still not from the LAN port.

    "When it comes to the ARP table (you are in the correct place), in the drop-down list you have an option that I do not remember now, but it will show you the dynamic ARP instead of static (you have not configured any ARPs manually, so that's why you do not see anything)."

    Ok, so it is showing as incomplete? I understand why it would not show on Port2 (not sure why Port2 is even listed here, being the WAN port).

  • Good.

    So the server is NOT located in the LAN zone at all; it is located in the VPN zone and connected to Port4.

    The ARP cache shows Complete/dynamic on Port4; that means that the server is located there. And in this case it is the VPN zone.

    Can you post a screenshot of the zones that you have?

    And try to create a rule: source zone LAN (if this is where your computer is located), source network Any; dest zone VPN, dest network Any; protocol all, and enable logging on it. Place the rule on top of the rule base.

    The incomplete entries in the ARP table are because you tried to ping the server using the interface drop-down list in the firewall; that's why it shows on all the ports.

    //Rickard

  • "So the server is NOT located in the LAN zone at all; it is located in the VPN zone and connected to Port4."

    Just to confirm, when you say server do you mean my Windows Backup Server I mentioned? Because that is all 192.168.2.50 is; it is just a rackmount with Windows Server on it, doing nothing. I am just using it to help try and resolve these issues.

    "The ARP cache shows Complete/dynamic on Port4; that means that the server is located there. And in this case it is the VPN zone."

    "Can you post a screenshot of the zones that you have?"

    Just to clarify,

    LAN = most of the network: desktop PC, TVs etc.

    UniFi = all my wireless devices

    VPN = this will eventually become a VPN port, but I am just trying to get it working first; I have just put a redundant PC on this interface for testing.

    "And try to create a rule: source zone LAN (if this is where your computer is located), source network Any; dest zone VPN, dest network Any; protocol all, and enable logging on it. Place the rule on top of the rule base."

    I still cannot ping from LAN (Port1).

    "The strange thing here is that you see the ARP on all the interfaces; that's odd. Is the pfSense still online and running?"

    "If so turn it off if that is possible."

    pfSense has been off for about 3 days. I have only ever had pfSense OR Sophos running, never together.
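A simplified model of the rule-matching behaviour the thread arrives at, added here as an illustration and not Sophos XG code: a flow's destination zone follows from the interface the host actually sits on (what the ARP table revealed), so a LAN to LAN rule never covers a host on the Port4/VPN zone, and a rule with "Match Known Users" is skipped for unauthenticated traffic and the flow falls to the default drop. The interface-to-zone map and the subnets are constructed for the example.

```python
"""Constructed model of zone-based, first-match firewall rule evaluation.
Not Sophos code: it only mimics two behaviours discussed in the thread."""
import ipaddress
from dataclasses import dataclass

# Constructed interface map: interface -> (zone, subnet), loosely following
# the thread (Port1 LAN, Port2 WAN, Port3 UniFi, Port4 VPN with the test
# server 192.168.2.50 on it). 203.0.113.0/24 is a documentation range.
INTERFACES = {
    "Port1": ("LAN", "192.168.0.0/24"),
    "Port2": ("WAN", "203.0.113.0/24"),
    "Port3": ("UniFi", "192.168.1.0/24"),
    "Port4": ("VPN", "192.168.2.0/24"),
}


def zone_of(ip: str) -> str:
    """A host's zone is the zone of the interface whose subnet contains it,
    regardless of which zone the administrator *expected* it to be in."""
    addr = ipaddress.ip_address(ip)
    for zone, subnet in INTERFACES.values():
        if addr in ipaddress.ip_network(subnet):
            return zone
    return "WAN"  # not on any local interface: routed out via WAN


@dataclass
class Rule:
    name: str
    src_zones: set
    dst_zones: set
    action: str = "accept"
    match_known_users: bool = False  # rule applies to authenticated users only


def evaluate(rules, src_ip, dst_ip, user=None):
    """First matching rule wins; no match means the implicit default drop.
    Returns (action, rule name) so a caller can log which rule fired."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for r in rules:
        if src_zone not in r.src_zones or dst_zone not in r.dst_zones:
            continue
        if r.match_known_users and user is None:
            continue  # unauthenticated flow does not match this rule
        return r.action, r.name
    return "drop", "default"
```

With only a LAN to LAN rule, pinging 192.168.2.50 from 192.168.0.3 hits the default drop because the server's zone resolves to VPN; adding a LAN to VPN rule accepts it.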