DHCP inside a VLAN, doesn't acquire IP

Hello,

We just bought a Sophos XG Firewall and I ran into some problems. I'm pretty new to the Sophos universe and even to VLANs.

For testing purposes I set up two laptops on a managed Dell switch (62xx series, port 26 and port 28). I connected the XG on port 39.

The switch port configuration is as follows:

...
configure
vlan database
vlan 2247
exit
...
interface vlan 2247
name "Test"
exit
...
interface ethernet 1/g26
spanning-tree portfast
switchport access vlan 2247
lldp transmit-tlv sys-name sys-desc
exit
...
interface ethernet 1/g28
spanning-tree portfast
switchport access vlan 2247
lldp transmit-tlv sys-name sys-desc
exit
...
interface ethernet 1/g39
spanning-tree portfast
switchport mode general
switchport general allowed vlan add 2247 tagged
lldp transmit-tlv port-desc sys-name sys-desc sys-cap
exit
...

On the XG I added a new VLAN interface on port 1 with a new subnet 10.20.32.1/19.

Then I created a DHCP scope for interface Port1.2247 and created a firewall rule allowing everything.

If the laptops have a static IP, they can reach the internet, the XG and each other.

But they do not acquire an IP address through DHCP.

Am I missing something? Thank you

Chris

fixed some misspelled words
[edited by: Christian Willems at 1:22 PM (GMT -7) on 4 May 2021]
  • Hi, 

    I am running version SFOS 18.0.4 MR-4.

    Chris

  • Hi,

    Please post a copy of the DHCP setup.

    ian

     
    V18.0.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    3 AP55s and 2 APX120s having a holiday until software update is released.
    If a post solves your question use the 'This helped me' link.
  • Hi,

    In which zone is the interface?
    Are there any entries in the regular logfile if you create an explicit deny rule?
    Is there a rule implemented going from the above zone to zone (e.g. LAN,10.20.32.1/19 to LAN,10.20.32.1/19)?
    Do you get any information on the connection ID with conntrack on the ID seen in the capture?

    Does this also occur if you bypass-stateful-firewall-config for your network 10.20.32.1/19?
    #3 in https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/79041/troubleshooting-guide-for-xg

    Is FastPath switched on or off (AFAIK off until V18 MR-3 and then on)? If it is on, is it working when you switch it off?

    Regards,
    BeEf

  • Hi,

    I could do some testing so far.

    The VLAN interface is in the LAN zone.

    I can't see any entries in the default log if I set up an explicit deny rule.

    I created a rule from LAN, 10.20.32.1/19 to LAN, 10.20.32.1/19.

    Bypassing and turning off FastPath didn't help either.

    Assigning a static IP on the laptop works like it should. I can reach another laptop in the same VLAN and, with the firewall allowing it, I can reach the internet.

    Regards,

    Chris

  • OK.

    Is your DHCP working for other (V)LANs? Maybe something is wrong with the DHCP server.

    You could try a DHCP server somewhere else (e.g. a Windows or Linux server) and configure a relay.

    Maybe the packets are dropped somehow. There is also a cli command for dropped packets.

    I think sophos should be able to say something about the entry Violation Local_ACL.

    Regards,
    Bernd

  • "I think sophos should be able to say something about the entry Violation Local_ACL."

    Once I thought that, too

    As said, they haven't found the cause in 5 months now.

    Note: this does not work even if there is an any-to-any with any service FW rule. Just some internal weirdness.

    drop-packet-capture "port 67"
    
    Some examples - two VLANs here of which one (lag0.57) has DHCP Relay configured directly at XG, one VLAN (lag0.6) has no DHCP on XG, reds24:1340 is a VLAN behind (XG-)RED60
    
    2021-05-06 14:53:17 0103021 IP 0.0.0.0.68 > 255.255.255.255.67 : proto UDP: packet len: 308 checksum : 64620
    0x0000:  4500 0148 0b02 0000 4011 6ea4 0000 0000  E..H....@.n.....
    0x0010:  ffff ffff 0044 0043 0134 fc6c 0101 0600  .....D.C.4.l....
    0x0020:  763f 0000 b12a 0000 0000 0000 0000 0000  v?...*..........
    0x0030:  0000 0000 0000 0000 78ac c08f e304 0000  ........x.......
    0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    Date=2021-05-06 Time=14:53:17 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=lag0.57 out_dev= inzone_id=1 outzone_id=4 source_mac=78:ac:c0:8f:e3:04 dest_mac=ff:ff:ff:ff:ff:ff bridge_name= l3_protocol=IPv4 source_ip=0.0.0.0 dest_ip=255.255.255.255 l4_protocol=UDP source_port=68 dest_port=67 fw_rule_id=N/A policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 gateway_offset=0 connid=852432512 masterid=0 status=256 state=0, flag0=549757911040 flags1=0 pbdid_dir0=0 pbrid_dir1=0
    
    
    2021-05-06 14:53:28 0103021 IP 0.0.0.0.68 > 255.255.255.255.67 : proto UDP: packet len: 308 checksum : 13707
    0x0000:  4500 0148 0000 0000 4011 79a6 0000 0000  E..H....@.y.....
    0x0010:  ffff ffff 0044 0043 0134 358b 0101 0600  .....D.C.45.....
    0x0020:  e9fc 2e21 8d8f 0000 0000 0000 0000 0000  ...!............
    0x0030:  0000 0000 0000 0000 7c5a 1c05 0644 0000  ........|Z...D..
    0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    Date=2021-05-06 Time=14:53:28 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=reds24.1340 out_dev= inzone_id=13 outzone_id=4 source_mac=7c:5a:1c:05:06:44 dest_mac=ff:ff:ff:ff:ff:ff bridge_name= l3_protocol=IPv4 source_ip=0.0.0.0 dest_ip=255.255.255.255 l4_protocol=UDP source_port=68 dest_port=67 fw_rule_id=N/A policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 gateway_offset=0 connid=1307914304 masterid=0 status=256 state=0, flag0=687196864512 flags1=0 pbdid_dir0=0 pbrid_dir1=0
    
    
    2021-05-06 14:53:57 0103021 IP 0.0.0.0.68 > 255.255.255.255.67 : proto UDP: packet len: 308 checksum : 7606
    0x0000:  4500 0148 4be5 0000 8011 edc0 0000 0000  E..HK...........
    0x0010:  ffff ffff 0044 0043 0134 1db6 0101 0600  .....D.C.4......
    0x0020:  e615 677f 0000 8000 0000 0000 0000 0000  ..g.............
    0x0030:  0000 0000 0000 0000 0050 5685 4c5c 0000  .........PV.L\..
    0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    Date=2021-05-06 Time=14:53:57 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=lag0.6 out_dev= inzone_id=12 outzone_id=4 source_mac=00:50:56:85:4c:5c dest_mac=ff:ff:ff:ff:ff:ff bridge_name= l3_protocol=IPv4 source_ip=0.0.0.0 dest_ip=255.255.255.255 l4_protocol=UDP source_port=68 dest_port=67 fw_rule_id=N/A policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 gateway_offset=0 connid=1362323648 masterid=0 status=256 state=0, flag0=549757911040 flags1=0 pbdid_dir0=0 pbrid_dir1=0

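To verify what the captures above actually contain, here is an added Python example (not from this thread or from Sophos) that decodes the first truncated dump back into IP, UDP and BOOTP fields and checks it against the Local_ACLs entry logged for it; the same check applies to the CSV export further down, which shows the same UDP 68 to 67 broadcast with the Violation/Local_ACL reason. The dump and the log line are constructed copies of the posted ones (the log line cut down to the fields used).

```python
import re
import struct

# Constructed sample: the first truncated drop-packet-capture dump and a cut-down Local_ACLs log line.
SAMPLE_DUMP = """\
0x0000:  4500 0148 0b02 0000 4011 6ea4 0000 0000  E..H....@.n.....
0x0010:  ffff ffff 0044 0043 0134 fc6c 0101 0600  .....D.C.4.l....
0x0020:  763f 0000 b12a 0000 0000 0000 0000 0000  v?...*..........
0x0030:  0000 0000 0000 0000 78ac c08f e304 0000  ........x.......
0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................"""
SAMPLE_LOG = ("log_component=Local_ACLs log_subtype=Denied in_dev=lag0.57 "
              "source_mac=78:ac:c0:8f:e3:04 source_ip=0.0.0.0 "
              "dest_ip=255.255.255.255 l4_protocol=UDP source_port=68 dest_port=67")

HEX_LINE = re.compile(r"^0x[0-9a-f]{4}:\s+((?:[0-9a-f]{4}\s?)+)")

def dump_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from 'offset: hex ... ascii' lines (ASCII column ignored)."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line.strip())
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)

def decode_dhcp_client_packet(raw: bytes) -> dict:
    """Parse IPv4 + UDP + the fixed BOOTP header (RFC 2131). The 80 shown bytes end
    before the DHCP options, so the message type (DISCOVER/REQUEST) is not readable here."""
    ihl = (raw[0] & 0x0F) * 4
    src_ip, dst_ip = (".".join(map(str, raw[i:i + 4])) for i in (12, 16))
    sport, dport, udp_len = struct.unpack("!HHH", raw[ihl:ihl + 6])
    b = raw[ihl + 8:]                       # BOOTP follows the 8-byte UDP header
    op, htype, hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", b[:12])
    return {"proto": raw[9], "src_ip": src_ip, "dst_ip": dst_ip, "sport": sport,
            "dport": dport, "udp_len": udp_len, "op": op, "htype": htype, "xid": xid,
            "broadcast_flag": bool(flags & 0x8000),
            "chaddr": ":".join(f"{x:02x}" for x in b[28:28 + hlen])}

def parse_log(line: str) -> dict:
    return dict(kv.split("=", 1) for kv in line.split() if "=" in kv)

def is_dhcp_client_drop(dump: str, log_line: str) -> bool:
    """True when the dropped packet is a DHCP client broadcast (BOOTREQUEST, UDP 68 -> 67) denied by Local_ACLs for the same client MAC."""
    pkt = decode_dhcp_client_packet(dump_to_bytes(dump))
    log = parse_log(log_line)
    return (pkt["proto"] == 17 and pkt["op"] == 1 and pkt["htype"] == 1
            and (pkt["sport"], pkt["dport"]) == (68, 67)
            and (pkt["src_ip"], pkt["dst_ip"]) == ("0.0.0.0", "255.255.255.255")
            and log.get("log_component") == "Local_ACLs"
            and log.get("log_subtype") == "Denied" and log.get("source_mac") == pkt["chaddr"])
```

A matching chaddr and source_mac with fw_rule_id=N/A confirms the drop happens at the appliance's local service ACL before any firewall rule is consulted, which is why an any-to-any rule cannot help.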
  • I just found out you can also find the packet blocks in the live log, Firewall

    Log Comp: "Appliance Access"

    In this case: lag0.6 really has no DHCP Server or Relay on XG.

    The other Interfaces seen on the screenshot have either their own DHCP server in XG or use a relay configured on XG to another DHCP server.

  • Looks like DHCP is missing here:

    https://support.sophos.com/support/s/article/KB-000038344?language=en_US#:~:text=Local%20Service%20ACL%20is%20located,zones%20and%20then%20click%20Apply.

    Maybe the DHCP server crashed? Try to do a restart.


    Or try to disable IPS (in System Services). Sophos XG = trial and error :-(.

    Just wondering why Sophos support is not able to correct this in 5 months or at least put it into the known bugs list.

  • Do you have a bridge configured on your XG or on a RED?

    Thanks for your tips. I disabled IPS on the DHCP FW rules. Even stopped the IPS service. It does not help. I agree: this is to be found in Administration > Device Access but there is no DHCP.

    DHCP Service restarted. Even the firewall.

    Today we created a new RED60 with VLANs behind the RED and devices cannot obtain DHCP addresses from the DHCP server relay configured on XG. Same issue again: Violation Local_ACL.

    So Sophos APX are not getting their IP addresses. Phones and client PCs behind RED are not getting IP either.

    Very frustrating if you prepare something on the weekend and in the end just waste your time.

    Time;In interface;Out interface;Ethernet type;Source IP;Destination IP;Packet type;Ports [src,dst];NAT ID;Rule ID;Status;Reason;Connection ID
    08.05.2021 17:26;reds21.1054;;IPv4;0.0.0.0;255.255.255.255;UDP;68,67;0;0;Violation;Local_ACL;1116691648
    08.05.2021 17:26;reds21.1054;;IPv4;0.0.0.0;255.255.255.255;UDP;68,67;0;0;Incoming;;0

    Activated this test top-of-the-list FW rule - no change

    btw: just updated to MR5 - update was OK in cluster.