
DHCP inside a VLAN, doesn't acquire IP

Hello,

We just bought a Sophos XG Firewall and I ran into some problems. I'm pretty new to the Sophos universe and even to VLANs.

For testing purposes I set up two laptops on a managed Dell switch (62xx series, port 26 and port 28). I connected the XG on port 39.

The switch port configuration is as follows:

...
configure
vlan database
vlan 2247
exit
...
interface vlan 2247
name "Test"
exit
...
interface ethernet 1/g26
spanning-tree portfast
switchport access vlan 2247
lldp transmit-tlv sys-name sys-desc
exit
...
interface ethernet 1/g28
spanning-tree portfast
switchport access vlan 2247
lldp transmit-tlv sys-name sys-desc
exit
...
interface ethernet 1/g39
spanning-tree portfast
switchport mode general
switchport general allowed vlan add 2247 tagged
lldp transmit-tlv port-desc sys-name sys-desc sys-cap
exit
...

On the XG I added a new VLAN interface on Port 1 with a new subnet 10.20.32.1/19.

Then I created a DHCP scope for interface Port1.2247 and created a firewall rule allowing everything.

If the laptops have a static IP, they can reach the internet, the XG and each other.

But they do not acquire an IP address through DHCP.

Am I missing something? Thank you.

Chris



  • Hi,

    Which version of XG are you running?

    ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi,

    In which zone is the interface?
    Are there any entries in the regular log file if you create an explicit deny rule?
    Is there a rule implemented going from the above zone to zone (e.g. LAN, 10.20.32.1/19 to LAN, 10.20.32.1/19)?
    Do you get any information on the connection ID with conntrack for the ID seen in the capture?

    Does this also occur if you bypass-stateful-firewall-config for your network 10.20.32.1/19?
    #3 in https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/79041/troubleshooting-guide-for-xg

    Is FastPath switched on or off (AFAIK off until V18 MR-3 and then on)? If it is on, is it working when you switch it off?

    Regards,
    BeEf

  • Hi,

    I could do some testing so far.

    The vlan interface is on the LAN zone.

    I can't see any entries in the default log if I set up an explicit deny rule.

    I created a rule from LAN, 10.20.32.1/19 to LAN, 10.20.32.1/19.

    Bypassing and turning off FastPath didn't help either.

    Assigning a static IP on the laptop works like it should. I can reach another laptop in the same VLAN and, with the firewall allowing it, I can reach the internet.

    Regards,

    Chris

  • OK.

    Is your DHCP working for other (V)LANs? Maybe something is wrong with the DHCP server.

    You could try a DHCP server somewhere else (e.g. a Windows or Linux server) and configure a relay.

    Maybe the packets are dropped somehow. There is also a CLI command for dropped packets.

    I think Sophos should be able to say something about the entry Violation Local_ACL.

    Regards,
    Bernd

  • "I think Sophos should be able to say something about the entry Violation Local_ACL."

    Once I thought that, too.

    As said, they haven't found the cause in 5 months now.

    Note: this does not work even if there is an any-to-any firewall rule with any service. Just some internal weirdness.

    drop-packet-capture "port 67"
    
    Some examples: two VLANs here, of which one (lag0.57) has DHCP relay configured directly on the XG and one (lag0.6) has no DHCP on the XG; reds24:1340 is a VLAN behind an (XG-)RED60.
    
    2021-05-06 14:53:17 0103021 IP 0.0.0.0.68 > 255.255.255.255.67 : proto UDP: packet len: 308 checksum : 64620
    0x0000:  4500 0148 0b02 0000 4011 6ea4 0000 0000  E..H....@.n.....
    0x0010:  ffff ffff 0044 0043 0134 fc6c 0101 0600  .....D.C.4.l....
    0x0020:  763f 0000 b12a 0000 0000 0000 0000 0000  v?...*..........
    0x0030:  0000 0000 0000 0000 78ac c08f e304 0000  ........x.......
    0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    Date=2021-05-06 Time=14:53:17 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=lag0.57 out_dev= inzone_id=1 outzone_id=4 source_mac=78:ac:c0:8f:e3:04 dest_mac=ff:ff:ff:ff:ff:ff bridge_name= l3_protocol=IPv4 source_ip=0.0.0.0 dest_ip=255.255.255.255 l4_protocol=UDP source_port=68 dest_port=67 fw_rule_id=N/A policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 gateway_offset=0 connid=852432512 masterid=0 status=256 state=0, flag0=549757911040 flags1=0 pbdid_dir0=0 pbrid_dir1=0
    
    
    2021-05-06 14:53:28 0103021 IP 0.0.0.0.68 > 255.255.255.255.67 : proto UDP: packet len: 308 checksum : 13707
    0x0000:  4500 0148 0000 0000 4011 79a6 0000 0000  E..H....@.y.....
    0x0010:  ffff ffff 0044 0043 0134 358b 0101 0600  .....D.C.45.....
    0x0020:  e9fc 2e21 8d8f 0000 0000 0000 0000 0000  ...!............
    0x0030:  0000 0000 0000 0000 7c5a 1c05 0644 0000  ........|Z...D..
    0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    Date=2021-05-06 Time=14:53:28 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=reds24.1340 out_dev= inzone_id=13 outzone_id=4 source_mac=7c:5a:1c:05:06:44 dest_mac=ff:ff:ff:ff:ff:ff bridge_name= l3_protocol=IPv4 source_ip=0.0.0.0 dest_ip=255.255.255.255 l4_protocol=UDP source_port=68 dest_port=67 fw_rule_id=N/A policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 gateway_offset=0 connid=1307914304 masterid=0 status=256 state=0, flag0=687196864512 flags1=0 pbdid_dir0=0 pbrid_dir1=0
    
    
    2021-05-06 14:53:57 0103021 IP 0.0.0.0.68 > 255.255.255.255.67 : proto UDP: packet len: 308 checksum : 7606
    0x0000:  4500 0148 4be5 0000 8011 edc0 0000 0000  E..HK...........
    0x0010:  ffff ffff 0044 0043 0134 1db6 0101 0600  .....D.C.4......
    0x0020:  e615 677f 0000 8000 0000 0000 0000 0000  ..g.............
    0x0030:  0000 0000 0000 0000 0050 5685 4c5c 0000  .........PV.L\..
    0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    Date=2021-05-06 Time=14:53:57 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=lag0.6 out_dev= inzone_id=12 outzone_id=4 source_mac=00:50:56:85:4c:5c dest_mac=ff:ff:ff:ff:ff:ff bridge_name= l3_protocol=IPv4 source_ip=0.0.0.0 dest_ip=255.255.255.255 l4_protocol=UDP source_port=68 dest_port=67 fw_rule_id=N/A policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 gateway_offset=0 connid=1362323648 masterid=0 status=256 state=0, flag0=549757911040 flags1=0 pbdid_dir0=0 pbrid_dir1=0
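The capture above already contains everything needed to confirm what is being dropped, and it is worth reading it mechanically rather than by eye. The following script is an added example, not part of the original post and not a Sophos tool: it parses the three posted capture blocks, decodes the IPv4, UDP and BOOTP fixed header from the hex dump, verifies the IP header checksum, and cross-checks the client hardware address (chaddr) inside the DHCP payload against the source_mac the firewall logged, then classifies each block. The input is the page's own capture text with the long Date= log lines trimmed to the fields the script reads; the verdict strings and result field names are my own.

```python
import re
import struct
from typing import Dict, List

# Capture text copied from the drop-packet-capture output in the post above (page data,
# not constructed). The Date=... log lines are trimmed to the fields read here, and the
# hex dumps stop at offset 0x0040 exactly as posted, so the DHCP options are not present.
CAPTURE = r"""
2021-05-06 14:53:17 0103021 IP 0.0.0.0.68 > 255.255.255.255.67 : proto UDP: packet len: 308 checksum : 64620
0x0000:  4500 0148 0b02 0000 4011 6ea4 0000 0000  E..H....@.n.....
0x0010:  ffff ffff 0044 0043 0134 fc6c 0101 0600  .....D.C.4.l....
0x0020:  763f 0000 b12a 0000 0000 0000 0000 0000  v?...*..........
0x0030:  0000 0000 0000 0000 78ac c08f e304 0000  ........x.......
0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
Date=2021-05-06 Time=14:53:17 log_id=0103021 log_component=Local_ACLs log_subtype=Denied in_dev=lag0.57 out_dev= source_mac=78:ac:c0:8f:e3:04 dest_mac=ff:ff:ff:ff:ff:ff source_ip=0.0.0.0 dest_ip=255.255.255.255 l4_protocol=UDP source_port=68 dest_port=67 fw_rule_id=N/A

2021-05-06 14:53:28 0103021 IP 0.0.0.0.68 > 255.255.255.255.67 : proto UDP: packet len: 308 checksum : 13707
0x0000:  4500 0148 0000 0000 4011 79a6 0000 0000  E..H....@.y.....
0x0010:  ffff ffff 0044 0043 0134 358b 0101 0600  .....D.C.45.....
0x0020:  e9fc 2e21 8d8f 0000 0000 0000 0000 0000  ...!............
0x0030:  0000 0000 0000 0000 7c5a 1c05 0644 0000  ........|Z...D..
0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
Date=2021-05-06 Time=14:53:28 log_id=0103021 log_component=Local_ACLs log_subtype=Denied in_dev=reds24.1340 out_dev= source_mac=7c:5a:1c:05:06:44 dest_mac=ff:ff:ff:ff:ff:ff source_ip=0.0.0.0 dest_ip=255.255.255.255 l4_protocol=UDP source_port=68 dest_port=67 fw_rule_id=N/A

2021-05-06 14:53:57 0103021 IP 0.0.0.0.68 > 255.255.255.255.67 : proto UDP: packet len: 308 checksum : 7606
0x0000:  4500 0148 4be5 0000 8011 edc0 0000 0000  E..HK...........
0x0010:  ffff ffff 0044 0043 0134 1db6 0101 0600  .....D.C.4......
0x0020:  e615 677f 0000 8000 0000 0000 0000 0000  ..g.............
0x0030:  0000 0000 0000 0000 0050 5685 4c5c 0000  .........PV.L\..
0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
Date=2021-05-06 Time=14:53:57 log_id=0103021 log_component=Local_ACLs log_subtype=Denied in_dev=lag0.6 out_dev= source_mac=00:50:56:85:4c:5c dest_mac=ff:ff:ff:ff:ff:ff source_ip=0.0.0.0 dest_ip=255.255.255.255 l4_protocol=UDP source_port=68 dest_port=67 fw_rule_id=N/A
"""

HEX_LINE = re.compile(r"^0x[0-9a-f]{4}:\s+((?:[0-9a-f]{4}\s)+)")  # hex words, not the ASCII column
KEY_VALUE = re.compile(r"(\w+)=([^\s,]*)")                          # key=value pairs of the log line


def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement sum over the IPv4 header; 0 means the received header is intact."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header) - 1, 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def decode_dhcp_frame(pkt: bytes) -> Dict[str, object]:
    """Decode IPv4 + UDP + BOOTP fixed header from the raw bytes of one capture block."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport, udp_len, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    bootp = pkt[ihl + 8:]
    if len(bootp) < 34:  # op..chaddr(6) ends at BOOTP offset 34
        raise ValueError("hex dump too short for the BOOTP fixed header")
    op, htype, hlen = bootp[0], bootp[1], bootp[2]
    xid, secs, flags = struct.unpack("!IHH", bootp[4:12])
    return {
        "src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
        "ttl": pkt[8], "is_udp": pkt[9] == 17,
        "ip_checksum_ok": ip_checksum(pkt[:ihl]) == 0,
        "sport": sport, "dport": dport, "udp_len": udp_len,
        "op": op,  # 1 = BOOTREQUEST: DISCOVER/REQUEST sent by a client
        "xid": f"0x{xid:08x}", "secs": secs,
        "broadcast_flag": bool(flags & 0x8000),  # client asks for a broadcast reply
        "chaddr": ":".join(f"{b:02x}" for b in bootp[28:28 + hlen]) if htype == 1 else None,
    }


def triage_block(block: str) -> Dict[str, object]:
    """Parse one capture block (header line, hex dump, Date=... log line) and classify it."""
    hex_words: List[str] = []
    log: Dict[str, str] = {}
    for line in block.strip().splitlines():
        m = HEX_LINE.match(line)
        if m:
            hex_words.append(m.group(1))
        elif line.startswith("Date="):
            log = dict(KEY_VALUE.findall(line))
    frame = decode_dhcp_frame(bytes.fromhex(re.sub(r"\s", "", "".join(hex_words))))
    client_request = (frame["op"] == 1 and frame["is_udp"] and frame["src"] == "0.0.0.0"
                      and frame["sport"] == 68 and frame["dport"] == 67)
    local_acl_drop = log.get("log_component") == "Local_ACLs" and log.get("log_subtype") == "Denied"
    frame.update({
        "in_dev": log.get("in_dev"), "fw_rule_id": log.get("fw_rule_id"),
        # the chaddr carried inside the DHCP payload should equal the L2 source the firewall logged
        "mac_matches_log": frame["chaddr"] == log.get("source_mac"),
    })
    if client_request and local_acl_drop:
        frame["verdict"] = (f"DHCP client request from {frame['chaddr']} on {frame['in_dev']} "
                            f"denied by Local_ACLs (fw_rule_id={frame['fw_rule_id']})")
    elif client_request:
        frame["verdict"] = "DHCP client request, not a local ACL denial"
    else:
        frame["verdict"] = "not a DHCP client request"
    return frame


def triage_capture(text: str) -> List[Dict[str, object]]:
    """Blocks in the capture are separated by blank lines."""
    return [triage_block(b) for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]


if __name__ == "__main__":
    for r in triage_capture(CAPTURE):
        print(f"{r['in_dev']:<12} ttl={r['ttl']:<3} xid={r['xid']} bcast={r['broadcast_flag']!s:<5} "
              f"ipcksum={'ok' if r['ip_checksum_ok'] else 'BAD'} -> {r['verdict']}")
```

Running it shows all three blocks are well-formed client requests (op=1, 0.0.0.0:68 to 255.255.255.255:67, valid IP checksums, chaddr equal to the logged source_mac) that the firewall attributed to Local_ACLs with fw_rule_id=N/A, which is consistent with the observation that an any-to-any firewall rule does not change the outcome: the drop is recorded against the local-service ACL path, not against a user rule. The differing TTLs (64 vs 128) and the broadcast flag set only on the lag0.6 client are the kind of per-client detail that helps separate "one misbehaving client" from "the same drop for every OS".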
