
DHCP inside a VLAN doesn't acquire IP

Hello,

We just bought a Sophos XG Firewall and I ran into some problems. I'm pretty new to the Sophos universe and even to VLANs.

For testing purposes I set up two laptops on a managed Dell switch (62xx series, port 26 and port 28). I connected the XG on port 39.

The switch port configuration is as follows:

...
configure
vlan database
vlan 2247
exit
...
interface vlan 2247
name "Test"
exit
...
interface ethernet 1/g26
spanning-tree portfast
switchport access vlan 2247
lldp transmit-tlv sys-name sys-desc
exit
...
interface ethernet 1/g28
spanning-tree portfast
switchport access vlan 2247
lldp transmit-tlv sys-name sys-desc
exit
...
interface ethernet 1/g39
spanning-tree portfast
switchport mode general
switchport general allowed vlan add 2247 tagged
lldp transmit-tlv port-desc sys-name sys-desc sys-cap
exit
...

On the XG I added a new VLAN interface on Port 1 with a new subnet 10.20.32.1/19.

Then I created a DHCP scope for interface Port1.2247 and created a firewall rule allowing everything.

If the laptops have a static IP, they can reach the internet, the XG and each other.

But they do not acquire an IP address through DHCP.

Am I missing something? Thank you

Chris



  • OK.

    Is your DHCP working for other (V)LANs? Maybe something is wrong with the DHCP server.

    You could try a DHCP server somewhere else (e.g. a Windows or Linux server) and configure a relay.

    Maybe the packets are dropped somehow. There is also a CLI command for dropped packets.

    I think Sophos should be able to say something about the entry Violation Local_ACL.

    Regards,
    Bernd

    "I think Sophos should be able to say something about the entry Violation Local_ACL."

    Once I thought that, too.

    As said, they haven't found the cause in 5 months now.

    Note: this does not work even if there is an any-to-any rule with any service. Just some internal weirdness.

    drop-packet-capture "port 67"
    
    Some examples: two VLANs here, of which one
    (lag0.57) has DHCP relay configured directly on the XG,
    one VLAN (lag0.6) has no DHCP on the XG,
    reds24:1340 is a VLAN behind an (XG) RED60.
    
    2021-05-06 14:53:17 0103021 IP 0.0.0.0.68 > 255.255.255.255.67 : proto UDP: packet len: 308 checksum : 64620
    0x0000:  4500 0148 0b02 0000 4011 6ea4 0000 0000  E..H....@.n.....
    0x0010:  ffff ffff 0044 0043 0134 fc6c 0101 0600  .....D.C.4.l....
    0x0020:  763f 0000 b12a 0000 0000 0000 0000 0000  v?...*..........
    0x0030:  0000 0000 0000 0000 78ac c08f e304 0000  ........x.......
    0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    Date=2021-05-06 Time=14:53:17 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=lag0.57 out_dev= inzone_id=1 outzone_id=4 source_mac=78:ac:c0:8f:e3:04 dest_mac=ff:ff:ff:ff:ff:ff bridge_name= l3_protocol=IPv4 source_ip=0.0.0.0 dest_ip=255.255.255.255 l4_protocol=UDP source_port=68 dest_port=67 fw_rule_id=N/A policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 gateway_offset=0 connid=852432512 masterid=0 status=256 state=0, flag0=549757911040 flags1=0 pbdid_dir0=0 pbrid_dir1=0
    
    
    2021-05-06 14:53:28 0103021 IP 0.0.0.0.68 > 255.255.255.255.67 : proto UDP: packet len: 308 checksum : 13707
    0x0000:  4500 0148 0000 0000 4011 79a6 0000 0000  E..H....@.y.....
    0x0010:  ffff ffff 0044 0043 0134 358b 0101 0600  .....D.C.45.....
    0x0020:  e9fc 2e21 8d8f 0000 0000 0000 0000 0000  ...!............
    0x0030:  0000 0000 0000 0000 7c5a 1c05 0644 0000  ........|Z...D..
    0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    Date=2021-05-06 Time=14:53:28 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=reds24.1340 out_dev= inzone_id=13 outzone_id=4 source_mac=7c:5a:1c:05:06:44 dest_mac=ff:ff:ff:ff:ff:ff bridge_name= l3_protocol=IPv4 source_ip=0.0.0.0 dest_ip=255.255.255.255 l4_protocol=UDP source_port=68 dest_port=67 fw_rule_id=N/A policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 gateway_offset=0 connid=1307914304 masterid=0 status=256 state=0, flag0=687196864512 flags1=0 pbdid_dir0=0 pbrid_dir1=0
    
    
    2021-05-06 14:53:57 0103021 IP 0.0.0.0.68 > 255.255.255.255.67 : proto UDP: packet len: 308 checksum : 7606
    0x0000:  4500 0148 4be5 0000 8011 edc0 0000 0000  E..HK...........
    0x0010:  ffff ffff 0044 0043 0134 1db6 0101 0600  .....D.C.4......
    0x0020:  e615 677f 0000 8000 0000 0000 0000 0000  ..g.............
    0x0030:  0000 0000 0000 0000 0050 5685 4c5c 0000  .........PV.L\..
    0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    Date=2021-05-06 Time=14:53:57 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=lag0.6 out_dev= inzone_id=12 outzone_id=4 source_mac=00:50:56:85:4c:5c dest_mac=ff:ff:ff:ff:ff:ff bridge_name= l3_protocol=IPv4 source_ip=0.0.0.0 dest_ip=255.255.255.255 l4_protocol=UDP source_port=68 dest_port=67 fw_rule_id=N/A policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 gateway_offset=0 connid=1362323648 masterid=0 status=256 state=0, flag0=549757911040 flags1=0 pbdid_dir0=0 pbrid_dir1=0
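An added check (not from this thread or from Sophos) that cross-checks one record of the `drop-packet-capture "port 67"` output shown above: it rebuilds the packet from the hex dump, confirms the UDP ports and BOOTP opcode identify a client DHCP request, and verifies that the client hardware address inside the packet matches the `source_mac` the XG log line reports as denied by Local_ACLs. The sample record is constructed from the first capture in the post, with the log line trimmed to the fields used; Python 3 is assumed.

```python
import re

# Constructed sample in the shape of the drop-packet-capture output above: a tcpdump-style
# hex dump followed by the XG log line (trimmed to the fields this check uses).
SAMPLE = """\
2021-05-06 14:53:17 0103021 IP 0.0.0.0.68 > 255.255.255.255.67 : proto UDP: packet len: 308 checksum : 64620
0x0000:  4500 0148 0b02 0000 4011 6ea4 0000 0000  E..H....@.n.....
0x0010:  ffff ffff 0044 0043 0134 fc6c 0101 0600  .....D.C.4.l....
0x0020:  763f 0000 b12a 0000 0000 0000 0000 0000  v?...*..........
0x0030:  0000 0000 0000 0000 78ac c08f e304 0000  ........x.......
0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
Date=2021-05-06 Time=14:53:17 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied in_dev=lag0.57 out_dev= source_mac=78:ac:c0:8f:e3:04 dest_mac=ff:ff:ff:ff:ff:ff source_ip=0.0.0.0 dest_ip=255.255.255.255 l4_protocol=UDP source_port=68 dest_port=67 fw_rule_id=N/A
"""

HEX_LINE = re.compile(r"^0x[0-9a-f]{4}:\s+((?:[0-9a-f]{4}\s?)+)")


def packet_bytes(lines):
    """Rebuild the raw packet from the hex-dump lines (the ASCII column is ignored)."""
    raw = bytearray()
    for line in lines:
        m = HEX_LINE.match(line.strip())
        if m:
            raw += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(raw)


def log_fields(line):
    """Parse the XG key=value log line into a dict; empty values (out_dev=) are kept."""
    return dict(re.findall(r"(\w+)=(\S*)", line))


def analyse_record(text):
    """Cross-check the dropped packet against the log line that reports the drop."""
    lines = text.strip().splitlines()
    pkt = packet_bytes(lines)
    log = log_fields(next(l for l in lines if l.startswith("Date=")))
    ihl = (pkt[0] & 0x0F) * 4                    # IPv4 header length in bytes
    udp = pkt[ihl:ihl + 8]
    sport, dport = int.from_bytes(udp[:2], "big"), int.from_bytes(udp[2:4], "big")
    dhcp = pkt[ihl + 8:]                         # BOOTP/DHCP header follows the UDP header
    op, hlen = dhcp[0], dhcp[2]
    chaddr = ":".join(f"{b:02x}" for b in dhcp[28:28 + hlen])  # client hardware address
    return {
        "in_dev": log.get("in_dev"),
        "denied_by_local_acl": log.get("log_component") == "Local_ACLs"
        and log.get("log_subtype") == "Denied",
        "client_to_server_ports": (sport, dport) == (68, 67),
        "bootp_request": op == 1,                # 1 = BOOTREQUEST (DISCOVER/REQUEST)
        "broadcast_flag": bool(dhcp[10] & 0x80), # client asked for a broadcast reply
        "chaddr_matches_log": chaddr == log.get("source_mac", "").lower(),
    }
```

Run `analyse_record` over each record of a capture and group the results by `in_dev` to see which interfaces are having client DHCP requests denied by the local ACL.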

  • I just found out you can also find the packet blocks in the live log, Firewall

    Log Comp: "Appliance Access"

    In this case: lag0.6 really has no DHCP Server or Relay on XG.

    The other interfaces seen on the screenshot either have their own DHCP server on the XG or use a relay configured on the XG to another DHCP server.

  • Looks like DHCP is missing here:

    https://support.sophos.com/support/s/article/KB-000038344?language=en_US#:~:text=Local%20Service%20ACL%20is%20located,zones%20and%20then%20click%20Apply.

    Maybe the DHCP server crashed? Try to do a restart.


    Or try to disable IPS (in System Services). Sophos XG = trial and error :-(.

    Just wondering why Sophos support is not able to correct this in 5 months or at least put it into the known bugs list.

  • Do you have a bridge configured on your XG or on a RED?

    Thanks for your tips. I disabled IPS on the DHCP FW rules. Even stopped the IPS service. It does not help. I agree: this is to be found in Administration > Device Access, but there is no DHCP.

    DHCP Service restarted. Even the firewall.

    Today we created a new RED60 with VLANs behind the RED, and devices cannot obtain DHCP addresses from the DHCP server relay configured on the XG. Same issue again: Violation Local_ACL.

    So Sophos APX are not getting their IP addresses. Phones and client PCs behind the RED are not getting an IP either.

    Very frustrating if you prepare something on the weekend and in the end just waste your time.

    Time;In interface;Out interface;Ethernet type;Source IP;Destination IP;Packet type;Ports [src,dst];NAT ID;Rule ID;Status;Reason;Connection ID
    08.05.2021 17:26;reds21.1054;;IPv4;0.0.0.0;255.255.255.255;UDP;68,67;0;0;Violation;Local_ACL;1116691648
    08.05.2021 17:26;reds21.1054;;IPv4;0.0.0.0;255.255.255.255;UDP;68,67;0;0;Incoming;;0

    Activated this test top-of-the-list FW rule: no change.

    BTW: just updated to MR5; the update was OK in the cluster.

  • Your problem seems to be a bit more general. On my RED, DHCP was working for LAN but not for WiFi, although the integrated RED 15w AP got a DHCP lease. But I simply was not able to get it from status inactive to active. No clue why.

    Are you using unified mode or split tunnel? Do you know the magic IP 1.2.3.4 and DHCP option 234, which should point to the gateway? As I understand it, both apply if the XG is not in the default path of the communication.

  • https://firewall.news/sophos-xg-firewall-packet-capture-may-show-violation-for-dhcp-and-dhcp-relay-traffic/

    "Even though it shows a violation in the packet capture, analyzing the DHCP traffic with Wireshark shows that the XG firewall is still forwarding DHCP packets to clients and server. So just ignore that violation message."

    Is there something official about that? (self reply on 17.05.2021: https://support.sophos.com/support/s/article/KB-000039048?language=en_US&c__displayLanguage=en_US)

    But the thread starter and I have situations where the devices are actually not getting IPs.

  • FormerMember, in reply to LHerzog:

    Hi,

    Are you still experiencing this issue? 

    Could you please check if the DHCP server service is running on your firewall? Go to System Services > Services > DHCP server.

    Thanks,

  • Sure it IS running. Restarting doesn't change anything either.