
XG Home Same LAN ACL

Hello, I'm new to network architecture but have a basic understanding of the XG Interface. I know the issue I'm having is related to my lack of knowledge- not XGH. 

I have XGH deployed in my home network with only two ports: WAN-IN and LAN. My setup is very basic with my ISP router plugged into WAN, the XG in Gateway mode, and my only LAN port connected to a DLINK DSG-108 (unmanaged switch). Then, the rest of my devices connected to the DSG. 

With my current setup, all of my endpoints are on the same LAN. Hence, because of this, they aren't acknowledging any LAN to LAN rules. Example, the below rule does nothing since Sophos seems to act as a simple switch. How can I force all of the devices in my network to pass though the XG as a Gateway without setting up a VLAN? I just want XG to acknowledge the ACL rules. 

  • Your destination network should be any. I would also recommend that you use your local network in the source network, e.g.

    after you have this working we can assist with refining your access rules.


    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Thank you kindly for such a fast reply! I tried the suggested ruleset, with the entire local network ( in Source Network to see if I could block everything for testing, and unfortunately I can still access the host.

    This is the output of Policy Tester, which seems to theoretically report correctly. This is the desired behavior, but not actually what takes place. 

  • Maybe I misunderstood your question? The XG will only block traffic that is routed through it; otherwise your switch will do the switching.

    If you want to block access to devices on your LAN you will need separate networks, e.g. add another network card to your XG.



  • If I add another network card, i.e. so I have 3 ports (1 WAN, 2 LAN), won't I encounter the same problem for the devices connected to the new port? Or are you saying that each device on the network requires its own port on XG? I know there's a way to apply ACL rules to the network connected to one LAN port, I'm just not sure how. I believe I need the local network devices to use XG as a gateway, rather than XG acting as a simple switch. 

    Perhaps I need to replace my unmanaged switch connected to my LAN port with an L3 switch? Likely if I create one VLAN for all my devices, that would suffice to make them use XG as a Gateway for all traffic, and therefore apply rules? 

  • Hi, 

    You misunderstand: the XG with 2 ports cannot control internal LAN access unless you replace your switch with a smart switch or you downgrade to a dumb hub.

    Using the XG as a gateway only defines where it will send traffic if the traffic is not part of the local network.


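The point made in the two replies above (the XG only evaluates its rules for flows that are routed through it, and a host only sends traffic to its gateway when the destination is outside its own subnet) is easy to check with a small model of the host's forwarding decision. The following is an added example, not code from the thread or from Sophos: it uses Python's standard `ipaddress` module, a constructed two-host topology, and a hypothetical deny rule. `match_rules` plays the role of a policy tester that answers only "what would the rule table decide", while `wire_verdict` adds the on-link check that decides whether the packet ever reaches the firewall.

```python
import ipaddress
from typing import Dict, List

Rule = Dict[str, str]


def deny_to(dst_cidr: str) -> List[Rule]:
    """Hypothetical LAN-to-LAN deny rule: any source, one destination host, drop."""
    return [{"name": "block-to-camera", "src": "0.0.0.0/0",
             "dst": dst_cidr, "action": "drop"}]


def path_for(src_cidr: str, dst_ip: str) -> str:
    """How the source host forwards a packet to dst_ip.

    A host masks the destination with its own subnet mask. If the destination is
    inside its subnet it ARPs for the MAC and the switch delivers the frame
    directly, so the XG never sees it ("on-link"). Only off-subnet destinations
    are handed to the default gateway ("via-gateway").
    """
    src = ipaddress.ip_interface(src_cidr)
    dst = ipaddress.ip_address(dst_ip)
    return "on-link" if dst in src.network else "via-gateway"


def match_rules(src_ip: str, dst_ip: str, rules: List[Rule]) -> str:
    """Pure rule-table lookup, first match wins.

    This is what a policy tester reports: the verdict the firewall would reach
    if it saw the packet. It says nothing about whether the packet reaches it.
    """
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in ipaddress.ip_network(r["src"]) and d in ipaddress.ip_network(r["dst"]):
            return r["action"]
    return "no-match"


def wire_verdict(src_cidr: str, dst_ip: str, rules: List[Rule]) -> str:
    """What happens on the wire: rules apply only to flows that reach the gateway."""
    if path_for(src_cidr, dst_ip) == "on-link":
        return "switched (rule not evaluated)"
    src_ip = str(ipaddress.ip_interface(src_cidr).ip)
    return match_rules(src_ip, dst_ip, rules)


def demo() -> Dict[str, str]:
    """Constructed topologies: one flat /24 behind the single LAN port, versus the
    same two hosts re-addressed into two subnets on two XG LAN ports."""
    pc_flat, camera_flat = "192.168.1.10/24", "192.168.1.50"
    pc_split, camera_split = "192.168.1.10/24", "192.168.2.50"
    internet = "93.184.216.34"  # example.com, constructed off-LAN destination
    return {
        # Flat LAN: the tester says drop, the wire says the rule never ran.
        "flat/tester": match_rules("192.168.1.10", camera_flat, deny_to(camera_flat + "/32")),
        "flat/wire": wire_verdict(pc_flat, camera_flat, deny_to(camera_flat + "/32")),
        # Flat LAN: internet-bound traffic does reach the XG and hits the table.
        "flat/internet": wire_verdict(pc_flat, internet, deny_to(camera_flat + "/32")),
        # Two subnets: the camera is now off-link, so the flow is routed and dropped.
        "split/wire": wire_verdict(pc_split, camera_split, deny_to(camera_split + "/32")),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:15s} -> {v}")
```

The "flat/tester" versus "flat/wire" pair is exactly the mismatch reported earlier in the thread: a tester that only consults the rule table will show the block, while a host on the same /24 never sends the packet past the switch. The "split/wire" line shows why adding a second LAN interface (or a VLAN) is what makes the rule bite: the destination leaves the host's subnet, so the flow is routed through the XG.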

  • Understood, thank you. So if I replace my unmanaged switch with a Managed Switch, what would need to be configured to have traffic on the same local network pass through XG? What I'm confused about is that if I replace my unmanaged switch with a Managed one, won't it still just switch the traffic the same way for the local network? Perhaps I need a Hub instead of a switch? 

  • To have the XG manage access to your local devices you would need to separate them into general devices and controlled devices, so basically you would need two LANs. Then you should investigate using clientless users so you can have better control in your rules.

    I was joking with the hub, that will cause you grief with traffic flows.



  • Thank you again for your help! One more question (sorry): Let's say I do add a 3rd LAN port (So I have 1 WAN, and 2 LAN), XG is only able to manage traffic between LAN1 and LAN2, and not traffic between devices in the same LAN1? I understand simple switching on the same network (LAN1) works through MAC Address, and therefore won't pass through XG at all, unless it's for traffic to get to a different interface. But as far as I knew, there are enterprise networks that I've seen which are capable of ACLs for devices on the same network, which is what I'm looking for. Example:

    Sophos XG (LAN1) > Managed Switch ( network)
    Outbound Block Rule: to

    In that example, all of the devices exist within the same LAN. Am I misunderstanding this? Or is it possible to accomplish this somehow? I just find it contrary to what I believed, that it's impossible to create ACLs for devices on the same network with a firewall. I feel like I'm missing something. 

  • Yes, you can block devices in the same network from having internet access, but you can’t stop them accessing other devices on the lan.

    To ensure control you will need to assign static IP addresses; warning: on XG they need to be outside of your DHCP range.

    To control the device access you might look at clientless users and user groups.

