We just bought a Sophos XG Firewall and I ran into some problems. I'm pretty new to the Sophos universe and even to VLANs.
For testing purposes I set up two laptops on a managed Dell switch (62xx series, port 26 and port 28). I connected the XG on port 39.
The switch port configuration is as follows:
...
configure
vlan database
vlan 2247
exit
...
interface vlan 2247
name "Test"
exit
...
interface ethernet 1/g26
spanning-tree portfast
switchport access vlan 2247
lldp transmit-tlv sys-name sys-desc
exit
...
interface ethernet 1/g28
spanning-tree portfast
switchport access vlan 2247
lldp transmit-tlv sys-name sys-desc
exit
...
interface ethernet 1/g39
spanning-tree portfast
switchport mode general
switchport general allowed vlan add 2247 tagged
lldp transmit-tlv port-desc sys-name sys-desc sys-cap
exit
...
On the XG I added a new VLAN interface on port 1 with a new subnet 10.20.32.1/19.
Then I created a DHCP scope for interface Port1.2247 and created a firewall rule allowing everything.
If the laptops have a static IP, they can reach the internet, the XG and each other.
But they do not acquire an IP address through DHCP.
Am I missing something? Thank you
You could use Diagnostics > Packet Capture,
filter for port 67 and let it run.
Maybe you have a similar issue (Violation Local_ACL) as we have. Struggling around with Sophos Support for months now and they can't figure it out.
Which version of XG are you running?
I am running version SFOS 18.0.4 MR-4
Please post a copy of the DHCP setup.
Hi, thank you for the quick reply. I got exactly the same message on the vlan interface.
As I don't have a solution for this, if you decide to open a support case for this I can only post my support case ID here for you so you can create a reference to it.
03622604 DHCP Requests to XG and to Relay blocked by Local_ACL Violation
See my old post about that.
I have added a note to your case, asking for progress on this case.
Hi,
In which zone is the interface? Are there any entries in the regular log file if you create an explicit deny rule?
Is there a rule implemented going from the above zone to zone (e.g. LAN, 10.20.32.1/19 to LAN, 10.20.32.1/19)?
Do you get any information on the connection ID with conntrack on the ID seen in the capture?
Does this also occur if you bypass-stateful-firewall-config for your network 10.20.32.1/19? See #3 in https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/79041/troubleshooting-guide-for-xg
Is FastPath switched on or off (AFAIK off until V18 MR-3 and then on)? If it is on, is it working when you switch it off?
Regards,
BeEf
I could do some testing so far.
The VLAN interface is in the LAN zone.
I can't see any entries in the default log if I set up an explicit deny rule.
I created a rule from LAN, 10.20.32.1/19 to LAN, 10.20.32.1/19.
Bypassing and turning off FastPath didn't help either.
Assigning a static IP on the laptop works like it should. I can reach another laptop in the same VLAN and, with the firewall allowing it, I can reach the internet.
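The packet-capture check suggested earlier in the thread (filter on port 67) can be automated: the added example below, which is not from any poster in this thread, decodes a captured frame and reports whether a DHCPDISCOVER actually reached the firewall carrying the 802.1Q tag for VLAN 2247, or arrived untagged because the tag was stripped on the way (which would explain why the Port1.2247 scope never sees the request). The frame bytes, MAC address and function names are constructed for the example.

```python
import struct

# Constructed sample input (not from the thread): an 802.1Q-tagged DHCPDISCOVER as it should arrive at the XG on Port1.2247.
def build_tagged_dhcp_discover(vlan_id, client_mac):
    """Build Ethernet/[802.1Q]/IPv4/UDP/DHCP bytes; vlan_id=None gives an untagged frame."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    dhcp = fixed + b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\xff"  # cookie, option 53 = DISCOVER, END
    udp = struct.pack("!HHHH", 68, 67, 8 + len(dhcp), 0) + dhcp      # client port 68 -> server port 67
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\0\0\0\0", b"\xff\xff\xff\xff") + udp        # 0.0.0.0 -> 255.255.255.255
    tag = struct.pack("!HH", 0x8100, vlan_id & 0x0FFF) if vlan_id is not None else b""
    return b"\xff" * 6 + client_mac + tag + b"\x08\x00" + ip

def parse_frame(frame):
    """Return the VLAN id (None if untagged) and, for DHCP traffic, ports and message type."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan, off = None, 14
    if ethertype == 0x8100:                       # 802.1Q tag present: VLAN id is the low 12 bits of the TCI
        vlan = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        off = 18
    if ethertype != 0x0800 or frame[off + 9] != 17:   # only IPv4 carrying UDP can be DHCP
        return {"vlan": vlan, "dhcp": False}
    ihl = (frame[off] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", frame[off + ihl:off + ihl + 4])
    if dport not in (67, 68):
        return {"vlan": vlan, "dhcp": False}
    opts = frame[off + ihl + 8 + 240:]            # skip UDP header, 236-byte BOOTP header and magic cookie
    msg_type, i = None, 0
    while i < len(opts) and opts[i] != 0xFF:      # walk TLV options until END
        if opts[i] == 0:                          # PAD option has no length byte
            i += 1
            continue
        if opts[i] == 53:                         # DHCP Message Type: 1 = DISCOVER, 2 = OFFER
            msg_type = opts[i + 2]
        i += 2 + opts[i + 1]
    return {"vlan": vlan, "dhcp": True, "sport": sport, "dport": dport, "msg_type": msg_type}

def dhcp_on_expected_vlan(frame, expected_vlan):
    """True when the frame is DHCP and carries the VLAN tag the XG sub-interface expects."""
    info = parse_frame(frame)
    return info["dhcp"] and info["vlan"] == expected_vlan

if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")           # constructed laptop MAC
    print(dhcp_on_expected_vlan(build_tagged_dhcp_discover(2247, mac), 2247))   # True
    print(dhcp_on_expected_vlan(build_tagged_dhcp_discover(None, mac), 2247))   # False: tag was stripped
```

To use it on a real capture, read each frame's raw bytes from the pcap the XG packet capture exports and pass them to parse_frame; a DISCOVER that shows up with vlan None or a different id points at the switch trunk, not at the DHCP scope.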