I have newly installed Sophos XG; I had a UDM Pro before.
Anyway, I have created VLAN 20, and if I create an FW rule for LAN to LAN with source Any, I can access VLAN 20 from "Native LAN" (#Port1).
What I want to do is that the devices that are not on any VLAN, but directly connected to "#Port1", should be able to access all devices on all VLANs, but devices on VLANs should not be able to access "Native LAN" (#Port1).
If I make an FW rule with the following,
Source zones: LAN
Source networks and devices: #Port1
Destination zones: LAN
Destination networks: Any
it does not work; it breaks the connection.
On the UDM Pro it worked fine, I just had to activate a rule for "Allow all Established and Related Traffic", but I can't find that in Sophos XG.
Hi Pur Ity,
Thanks for reaching out, and welcome to the Sophos Community!
Instead of adding "#Port1" in the source network, could you please create a network object for the LAN network?
#Port1 contains only a single IP address associated with the interface; you'd need to create a network object.
Community Support Engineer | Sophos Technical Support
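To make the engineer's point concrete, here is a small rule-evaluation model added for illustration (it is not Sophos code and not from the thread): "#Port1" resolves to the single interface address, so a rule keyed on it never matches the hosts behind the interface, while a network object covering the MGMT subnet does. Addresses are constructed, and stateful reply handling is assumed, as in any modern firewall.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed addressing (assumption, not from the thread): MGMT is the native
# LAN on Port1, VLAN 20 is the tagged sub-interface Port1.20.
MGMT_NET = ipaddress.ip_network("192.168.1.0/24")
VLAN20_NET = ipaddress.ip_network("192.168.20.0/24")
PORT1_IP = ipaddress.ip_network("192.168.1.1/32")      # what "#Port1" resolves to
PORT1_20_IP = ipaddress.ip_network("192.168.20.1/32")  # what "#Port1.20" resolves to
ANY = [ipaddress.ip_network("0.0.0.0/0")]              # "Any" destination

@dataclass
class Rule:
    name: str
    src: list                # source networks/hosts (ip_network objects)
    dst: list                # destination networks/hosts
    action: str = "accept"

def matches(obj_list, addr):
    """True if addr falls inside any network object in the list."""
    return any(addr in net for net in obj_list)

@dataclass
class Firewall:
    rules: list
    conntrack: set = field(default_factory=set)

    def evaluate(self, src, dst):
        """Return 'accept' or 'drop' for a flow src -> dst. Replies to an
        already accepted flow are allowed from the connection table
        (stateful behaviour, assumed); anything unmatched is dropped."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if (dst, src) in self.conntrack:   # reply direction of a known flow
            return "accept"
        for rule in self.rules:
            if matches(rule.src, src) and matches(rule.dst, dst):
                if rule.action == "accept":
                    self.conntrack.add((src, dst))
                return rule.action
        return "drop"                      # implicit default deny

def broken_ruleset():
    # The poster's original rule: source is the interface address only.
    return Firewall([Rule("LAN->LAN using #Port1", [PORT1_IP], ANY)])

def fixed_ruleset():
    # The engineer's advice: source is a network object for the MGMT subnet.
    return Firewall([Rule("MGMT->Any", [MGMT_NET], ANY)])
```

A MGMT host reaching VLAN 20 is dropped by the first ruleset and accepted by the second; the VLAN 20 reply rides on the connection table, but a new flow started from VLAN 20 toward MGMT is still dropped because no rule covers it.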
Do I also have to add an "IP host" for the VLAN? I have created an "IP host group", but that group includes "#Port1.20", which is VLAN 20; does "#Port1.20" also only include the gateway IP? So I need to create an "IP Host" with type "Network" and add the IP and subnet for that VLAN?
So I created an "IP host" group for my "management" network and added the firewall rule like this,
and it seems to work. Now I can connect from MGMT to VLAN20, but devices on VLAN20 can't reach devices on MGMT.
Is there anything else I need to do?
Hi Pur Ity,
To allow access from VLAN to the MGMT network, you'd have to create a firewall rule.
OK, for the moment no VLAN should be able to access MGMT. But I think I got it now, thanks =)