

New User Urgent Help With Zone To Zone Required Please

Hi,

 

I have just installed this morning coming from pfSense and have connected to the internet but require my LAN & WiFi Ports to see each other.

 

I have configured the zone-to-zone firewall rule as any to any, but it is not working.

 

Wife & Kids are going mad as we are in lockdown :-(

 

Massive thanks to any help in advance!

 



  • Hi,


    First of all, uncheck "Match Known Users"; unless you have an authentication server such as AD, or have created clientless users on XG, there's no need to have it checked.

    If you have Match Known Users enabled, the rule will only apply to authenticated users found by XG.

     

    Second: don't create rules of LAN => LAN with "Any" as sources or destinations. I know that's how you create them on pfSense (since you create rules with the interface as source), but not on XG.

    Use the correct zone and networks when creating the rules.

     

    Here's an example:

    Thanks,


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 EAP @ Home

    Sophos ZTNA (KVM) @ Home

  • Thanks so much for your replies!

     

    I just got it working. As I had (it made sense at first to me) set my port 3 (Wireless) to WiFi and was trying to zone them together, but it would not work, I changed the network zone to LAN on port 3 and then zoned LAN to LAN instead of LAN to WiFi, and now it's up & running! :-)

     

    Your destination screenshots (WiFi LAN & Wired LAN): did you create those as IP ranges?

     

    Thanks so much for your replies   

     

    Just port forwarding to get working (cannot understand why it is not), but I will create a new post for that :-)

  • Just noticed, though: even though my two LANs are now talking to each other, why would I be getting all this blocked traffic?

     

  • Did you have a proxy configured in the old firewall and that is setup on the clients?

     

    //Rickard

  • Thank you, good point, I may have done; sorry for jumping. It's just amazing how much there is to set up after using pfSense for a couple of years. Happy to say Sophos is far friendlier to use; a couple of quirks, but I am getting my head around it slowly :-)

  • Glad to be of service. Good luck on your Sophos endeavours :)

     

    //Rickard

  • Hi,

     

    I thought I had resolved this, but unfortunately I haven't; only a partial success.

     

    I have 3 LAN interfaces.

    DHCP is running for all 3 devices' subnet ranges.

    You can also see that the devices are in the lease table, but I am unable to ping them.

    Yet even though in the screenshot above I cannot ping (anything), one example is 192.168.2.50, a Windows backup server that is connected, up & running and on the internet as well. I have also connected to it from 192.168.0.3 via local Remote Desktop, and as you can see from this screenshot I am unable to ping the device that is remote-controlling it either, but I can ping the Sophos gateway.

    I have also created IP-range source & destination zones, so well covered there.

    Any input greatly appreciated!

     

     

     

  • First, I would enable logging on the rule to see what is happening to the traffic.

     

    Then I would remove the source and destination networks and replace them with Any, since it looks like you have one subnet on the zones in question.

     

    And the question of the day: is ICMP echo reply enabled in Windows Firewall on the server you are trying to ping?

     

    //Rickard

  • Thank you so much for taking the time to reply!

     

    First, I would enable logging on the rule to see what is happening to the traffic.

    I have enabled logging, but cannot even see any entries for the IP I am pinging in the log viewer. When logging is enabled, does it write to here?

    Then I would remove the source and destination networks and replace them with Any, since it looks like you have one subnet on the zones in question.

    I had that originally and was advised against it by Prism:

    Don't create rules of LAN => LAN with "Any" as sources or destinations. I know that's how you create them on pfSense (since you create rules with the interface as source), but not on XG.

     

    And the question of the day: is ICMP echo reply enabled in Windows Firewall on the server you are trying to ping?

    I can only presume it is, as if I shut down my Sophos VM and go back to my old pfSense VM everything can see everything.

     

     

  • In Log Viewer under Firewall you should see the entry with the source IP and destination if it hits your rule.

     

    "Don't create rules of LAN => LAN with "Any" as sources or destinations. I know that's how you create them on pfSense (since you create rules with the interface as source), but not on XG."

    Well, now here is the thing. If the zone contains one subnet only it doesn't really matter, but anyway I am simply trying to rule out misconfiguration of the networks in the firewall objects.

     

    So I would do a rule: Source zone: LAN, or the name of the zone where your computer is located; source network: Any; Dest zone: the name of the zone where the server is; dest network: Any; Protocol: Any. Place it on top of the rule base. Enable logging.

     

    What you could try as well is, under Diagnostics in the firewall, to ping the server in question to see if that works. If not, look at the ARP table in the firewall and see if you can find the MAC address of the server. And check that the default GW for the server is set to the XG.

  • So I would do a rule: Source zone: LAN, or the name of the zone where your computer is located; source network: Any; Dest zone: the name of the zone where the server is; dest network: Any; Protocol: Any. Place it on top of the rule base. Enable logging.

    OK, if I do what you say (pictured below) I lose internet connection, so I have disabled this rule for now.

     

     

    What you could try as well is, under Diagnostics in the firewall, to ping the server in question to see if that works. If not, look at the ARP table in the firewall and see if you can find the MAC address of the server. And check that the default GW for the server is set to the XG.

    OK, this just proves my issue.

    I cannot find this ARP table you mention. This is all I can find that relates to ARP:

     

    Here are all my rules, just in case you can see something else wrong:

     

     

    Thanks again for your time!

  • The rule you created has the WAN zone as destination; remove that and it will work again.

     

    Under Diagnostics, remove the interface and leave it on automatic so the firewall itself can see if it can find the correct network using the routing table. And try to ping again.

     

    When it comes to the ARP table (you are in the correct place): in the drop-down list you have an option that I do not remember now, but it will show you the dynamic ARP entries instead of static (you have not configured any ARP entries manually, so that's why you do not see anything).

     

    //Rickard

  • The rule you created has the WAN zone as destination; remove that and it will work again.

    Muppet! OK, done and OK now >>>Insert Facepalm Here<<<

    Under Diagnostics, remove the interface and leave it on automatic so the firewall itself can see if it can find the correct network using the routing table. And try to ping again.

    Yes, that works.

    But still not from the LAN port.

     

    When it comes to the ARP table (you are in the correct place): in the drop-down list you have an option that I do not remember now, but it will show you the dynamic ARP entries instead of static (you have not configured any ARP entries manually, so that's why you do not see anything).

     

    OK, so it is showing as incomplete? I understand why it would not show on Port2 (not sure why Port2 is even listed here, being the WAN port).

  • Good.

     

    So the server is NOT located in the LAN zone at all; it is located in the VPN zone and connected to Port4.

     

    The ARP cache shows complete/dynamic on Port4; that means that the server is located there. And in this case it is the VPN zone.

     

    Can you post a screenshot of the zones that you have?

     

    And try to create a rule: source zone LAN (if this is where your computer is located), source network Any; dest zone VPN, dest network Any; protocol All, and enable logging on it. Place the rule on top of the rule base.

     

    The incomplete entries in the ARP table are because you tried to ping the server using the interface drop-down list in the firewall; that's why it shows on all the ports.

    //Rickard
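    The two mechanisms discussed above, "Match known users" (Prism's first reply) and a host turning out to be in a different zone than its rule expects (the ARP-on-Port4 finding), both come down to how a first-match, zone-based rule base is evaluated. The following is an added example, not Sophos code and not from any poster: a toy evaluator that derives a host's zone from the interface subnet that contains it, walks the rule base top-down with an implicit drop at the end, and treats "Match known users" as requiring an authenticated flag. The interface-to-zone map and subnets are constructed to mirror the layout described in the thread; the WAN subnet and the internet address are documentation ranges. The last scenario only shows which rule internet-bound traffic hits once a rule with WAN among its destination zones is placed on top; the thread does not say why that broke internet on XG, and the model makes no claim about it.

```python
"""Toy first-match, zone-based firewall rule evaluator (constructed example).

Not Sophos code. Interface layout below is an assumption mirroring the thread:
Port1 LAN 192.168.0.0/24, Port2 WAN, Port3 UniFi 192.168.1.0/24, Port4 VPN 192.168.2.0/24.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed interface map (zone, directly connected subnet).
INTERFACES = {
    "Port1": ("LAN", ip_network("192.168.0.0/24")),
    "Port2": ("WAN", ip_network("203.0.113.0/24")),   # documentation range, stands in for the ISP side
    "Port3": ("UniFi", ip_network("192.168.1.0/24")),
    "Port4": ("VPN", ip_network("192.168.2.0/24")),
}


@dataclass
class Rule:
    name: str
    src_zones: frozenset
    dst_zones: frozenset
    src_nets: tuple = ()          # () means "Any"
    dst_nets: tuple = ()          # () means "Any"
    action: str = "accept"        # "accept" or "drop"
    match_known_users: bool = False   # rule applies only to authenticated users


@dataclass
class Verdict:
    action: str
    rule: Optional[str]           # name of the rule hit, None for the implicit drop
    src_zone: Optional[str]
    dst_zone: Optional[str]


def zone_of(ip) -> Optional[str]:
    """Zone of the interface whose subnet contains ip (what the routing-table
    lookup behind the 'automatic' diagnostics ping would find); None if none does."""
    ip = ip_address(ip)
    for zone, net in INTERFACES.values():
        if ip in net:
            return zone
    return None


def zone_for_destination(ip) -> str:
    """Destinations on no connected subnet follow the default route, i.e. WAN."""
    return zone_of(ip) or "WAN"


def _in_nets(ip, nets) -> bool:
    return not nets or any(ip in n for n in nets)


def evaluate(rules, src, dst, authenticated=False) -> Verdict:
    """Top-down, first match wins; anything unmatched is dropped."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    src_zone, dst_zone = zone_of(src_ip), zone_for_destination(dst_ip)
    for r in rules:
        if src_zone not in r.src_zones or dst_zone not in r.dst_zones:
            continue
        if not _in_nets(src_ip, r.src_nets) or not _in_nets(dst_ip, r.dst_nets):
            continue
        if r.match_known_users and not authenticated:
            continue
        return Verdict(r.action, r.name, src_zone, dst_zone)
    return Verdict("drop", None, src_zone, dst_zone)


def scenarios() -> dict:
    """Run the thread's situations through the evaluator and return the verdicts."""
    lan = frozenset({"LAN"})
    lan_lan_known = [Rule("LAN to LAN", lan, lan, match_known_users=True)]
    lan_lan = [Rule("LAN to LAN", lan, lan)]
    lan_vpn = lan_lan + [Rule("LAN to VPN", lan, frozenset({"VPN"}))]
    internet = [Rule("Internet", frozenset({"LAN", "UniFi"}), frozenset({"WAN"}))]
    broad_on_top = [Rule("Test any", lan, frozenset({"LAN", "VPN", "WAN"}))] + internet
    pc, unraid, backup, web = "192.168.0.3", "192.168.0.33", "192.168.2.50", "198.51.100.10"
    return {
        "known_users_unauthenticated": evaluate(lan_lan_known, pc, unraid),
        "known_users_authenticated": evaluate(lan_lan_known, pc, unraid, authenticated=True),
        "known_users_unchecked": evaluate(lan_lan, pc, unraid),
        "server_on_port4_lan_rule_only": evaluate(lan_lan, pc, backup),
        "server_on_port4_with_vpn_rule": evaluate(lan_vpn, pc, backup),
        "internet_before_broad_rule": evaluate(internet, pc, web),
        "internet_after_broad_rule": evaluate(broad_on_top, pc, web),
    }


if __name__ == "__main__":
    for name, v in scenarios().items():
        print(f"{name:32} {v.src_zone}->{v.dst_zone}: {v.action} via {v.rule}")
```

    Running it shows the two drops the thread hit: the LAN-to-LAN rule with "Match known users" never matches an unauthenticated host, and a LAN-to-LAN rule never matches 192.168.2.50 because that host's zone, derived from its subnet, is VPN. The firewall's own policy tester does the equivalent lookup against the real rule base, which is why Rickard keeps pointing to it.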

  • So the server is NOT located in the LAN zone at all; it is located in the VPN zone and connected to Port4.

    Just to confirm, when you say server do you mean my Windows backup server I mentioned? Because that is all 192.168.2.50 is: it is just a rackmount with Windows Server on it, doing nothing; I am just using it to help try and resolve these issues.

     

    The ARP cache shows complete/dynamic on Port4; that means that the server is located there. And in this case it is the VPN zone.

    Can you post a screenshot of the zones that you have?

    Just to clarify:

    LAN = most of the network: desktop PC, TVs etc.

    UniFi = all my wireless devices

    VPN = this will eventually become a VPN port, but I'm just trying to get it working first; I have just put a redundant PC on this interface for testing.

    And try to create a rule: source zone LAN (if this is where your computer is located), source network Any; dest zone VPN, dest network Any; protocol All, and enable logging on it. Place the rule on top of the rule base.

      

    I still cannot ping from LAN (Port1).

    The strange thing here is that you see the ARP on all the interfaces; that's off. Is the pfSense still online and running?

    If so, turn it off if that is possible.

    pfSense has been off for about 3 days; I have only ever had pfSense OR Sophos running, never together.

  • OK, I now understand.

     

    So the VPN zone in the firewall is made for what it says: VPN, like site-to-site IPsec, SSL VPN and so on. It is not meant to be used as you are using it. So let's try this.

     

    Create a new zone, name it what you like, and move the port to that zone; then create a rule that matches the same as before, but the dest zone should be the one you created instead.

     

    And then try again. Or you can move the server to the UniFi zone, change the IP of the server and then see if you can access it.

     

    You should not use the VPN zone for anything more than VPN that terminates in the firewall itself.

     

  • OK, so before I came over to pfSense this was one of my prerequisites; I asked the question here:

    https://community.sophos.com/products/xg-firewall/f/initial-setup/119441/question-about-coming-from-pfsense-to-sophos

    So I would like to have:

    Port1 - LAN

    Port2 - WAN

    Port3 - WiFi

    Port4 - VPN, to run some Dockers, devices, VMs etc. BUT it must have access to other subnets. I.e. I want to run Dockers/devices behind a VPN (currently Port4) but be able to access the apps/devices running on them from my desktop PC on the LAN port (Port1). So is this not possible?

     

    So the VPN zone in the firewall is made for what it says: VPN, like site-to-site IPsec, SSL VPN and so on. It is not meant to be used as you are using it. So let's try this.

    Create a new zone, name it what you like, and move the port to that zone; then create a rule that matches the same as before, but the dest zone should be the one you created instead.

    And then try again. Or you can move the server to the UniFi zone, change the IP of the server and then see if you can access it.

    Is it necessary to do all this when I also have exactly the same issue on my UniFi port (Port3)?

     

     

     

     

  • But do you really have problems on the UniFi port? Since the access points are connected to the controller and working.

     

    The diagnostics tool cannot really find the IP since you have a port specified. If you leave it at the default, will you be able to ping the destination IP then?

     

    If that works, you have a policy tester in the Diagnostics section as well, and there you can fill in source IP and destination IP (never mind protocols in there) and you will see what rule you hit and whether it is allowed or denied.

     

    //Rickard

  • But do you really have problems on the UniFi port? Since the access points are connected to the controller and working.

    Just to confirm, I do not have a USG (is that what you mean by controller?); they are just access points connected via a PoE switch.

     

    The diagnostics tool cannot really find the IP since you have a port specified. If you leave it at the default, will you be able to ping the destination IP then?

    Yes, I can ping if I do not specify a port.

     

    If that works, you have a policy tester in the Diagnostics section as well, and there you can fill in source IP and destination IP (never mind protocols in there) and you will see what rule you hit and whether it is allowed or denied.

    OK, so I can see that I can connect to devices etc. Maybe there is no problem as such, but definitely some kind of restriction?

    What has been throwing me is several things:

    1. I am unable to ping from LAN to any other port (within Sophos Diagnostics).

    2. I have been unable to connect to my Nextcloud locally since installing Sophos (I have to set up a hotspot on my phone and connect remotely to my local server!).

    3. I have a wireless range extender for my video doorbell on the UniFi port (192.168.1.42). I have been unable to connect to it since installing Sophos, but yet I can ping it from my Windows desktop (192.168.0.3).

    4. I cannot connect to the doorbell itself (192.168.1.27) since installing Sophos.

    5. I can connect to my managed switch (192.168.0.1) and one of my Unraid servers (192.168.0.44) from the test machine on the VPN network (192.168.2.50), but yet I cannot connect to anything else, like my other Unraid server (192.168.0.33) or any of my other devices. So I hope you can understand why I still feel there is an issue: why can I connect to some devices and not others? Why do ping results come up mostly empty in Angry IP Scanner? I have always used Angry IP Scanner and it has always shown me what is connected on any one of my subnets; now it shows nothing other than 192.168.1.10.

    Basically, if I stop the Sophos VM and load the pfSense VM I can do all of the things mentioned above, so something somewhere is stopping (in my mind) basic network traffic and I can find no way around it.

     

     

     

     

     

  • OK, this sounds weird.

     

    Are you using the same default GW on all the interfaces that the pfSense did have?

    And you should really try out the policy tester to see what is blocking the traffic. Open the logging window, and on the upper right side click "Policy tester" and run a test from there to see if you hit the right firewall rule.

     

    Usually this is "just working".

     

    //Rickard

  • Hi!

    Thanks for your reply!

    I have spent some time on this today and  spent ages with me and resolved/tidied up my installation, got my Nextcloud working locally; generally a massive help!

    He cut down my rules list, and today I removed Port4, so I now have:

    Port1 LAN - 192.168.0.*

    Port2 WAN

    Port3 LAN - 192.168.1.*

     

    Whilst this is now mostly working, I have some IPs on Port3 that I cannot access from Port1. If I can see how to fix one, I should be fine to fix the rest, so here is one example.

    My Unraid server has 3 connections (not that I think this is important):

    eth0 LAN - 192.168.0.33

    eth1 LAN - 192.168.1.33

    eth2 LAN (10GbE) - 192.168.11.33

    There is a Docker running on eth1 with an address of 192.168.1.38. I can access the web UI from a device connected on Port3 but not from Port1, even though the firewall says it is allowed from Port1.