I am using Sophos XG115 as the firewall and I do have a layer 3 switch (Unifi 8 port POE 60W switch) which leverages VLANs created & tagged at XG115.
Users in different VLANs want to connect to devices (e.g. Network Printer and Network Attached Storage device [TerraMaster]) located in another VLAN.
I have created a firewall rule which enables the communication between VLANs. I have also created DHCP records for each VLAN at XG115.
I am able to PING the gateway addresses of each VLAN. Unfortunately, the trace route keeps on failing at the gateway address of the LAN network port at XG115 when trying to reach devices in different VLANs.
Can someone help me in steps on what we should be adding or enabling to allow users in different VLANs to access the NAS and Printer?
Please note that users are on stand-alone Windows 10 devices. There is no active directory or LDAP integrations (I mean there is no Windows server).
Below is a diagram of the network. An early response is highly appreciated.
Hello, try source zone: LAN, source network: select all VLANs inside, and the same for destination zone: LAN and destination network: all VLANs. Move the rule set to the top position at the Intranet rulesets…
UJay, in this scenario, you need to add a static route in the firewall. For an IPv4 unicast route, go to Configure > Routing > Static Routing and click Add under IPv4 Unicast Route. https://docs.sophos.com/nsg/sophos-firewall/v17.1.4/Help/en-us/webhelp/onlinehelp/index.html#page/onlinehelp%2FUnicastRouteEdit.html%23
Video link: https://www.youtube.com/watch?v=h-nu7tMfL_E
Hope this helps!
Thanks & Regards,
If a post solves your question, use the 'Verify Answer' link.
I tried your suggestion and am still unable to cross from one VLAN to another.
I am able to ping between the gateways of each VLAN but not able to trace route or ping a specific IP address of a device.
You might be right, but that is a guess based on the blue line beside port 1. He was asked for his interface configuration.
- you are able to access the internet from all VLANs (or at least the two that should communicate one with the other)
- do you see this traffic within logviewer/firewall? ... enable logging for all rules for testing.
- try to access the NAS within the other VLAN (not with HTTP ... this may be handled differently) ... do you see allowed or blocked packets within logviewer?
- try to ping NAS & Printer ... something within logviewer?
- please show us the VLANs behind Port1
Sophos Solution Partner since 2003 If a post solves your question click the 'Verify Answer' link.
Yes, I do have VLANs and they are defined under Port 1 as xg-andy mentioned.
A caption of the VLANs has been attached.
Yes, I am able to access the Internet from all VLANs, there is no issue. I was using these VLANs and users were accessing the Internet from May 2021.
When I do a ping or tracert to the NAS via 2 different VLANs, they don't get logged in the logviewer.
Accessing of the NAS is not web based (not HTTP). I use the \\NASipaddress\ to access it.
PING to the NAS IP address fails.
Hope the above helps to clear some doubts at your end
Can you ping the NAS from its network?
ian
Yes, I can PING the NAS from the VLAN where it is located. Then I can PING and TRACERT the gateway IP of the VLAN where the NAS is located from any other VLAN. But the PING or TRACERT to the NAS from other VLANs fails.
So what happens when you try to access other devices on the NAS VLAN?
The other device on this VLAN is the printer. It is using TCP/IP port configuration, hence printing can be done without any issues.
Okay, what is the NAS using? Sounds like it has a firewall enabled blocking incoming traffic on specific ports?
After deleting and recreating the VLAN and rule, I am now able to access the NAS by using the UNC path. I am not sure what the issue was which prevented access from the previous arrangements.
The firewall rule is the same as the screenshot displaying 40toLAN, where Source is LAN, ANY and then Destination is LAN with ANY. As soon as I change ANY to specific VLANs, I am unable to communicate with the NAS.
I don't want some VLANs to access the NAS, hence I need to find a way to prevent such VLANs from accessing the NAS. How do I achieve that?
You need to set up firewall rules: LAN "VLAN Network" LAN any allow log. I suspect you are changing the ANY to the VLAN interface IP address rather than the VLAN IP network range.
Can you please give me an example to get a better understanding of your guidance?
VLAN interface: 10.10.10.1/32
VLAN network: 10.10.10.1/24
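The difference between the two objects in the reply above can be seen in a small first-match rule model. This is an added example, not part of the thread and not Sophos code; the rule name, the default-drop behaviour and all addresses other than 10.10.10.1 are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    src: str     # source network object (CIDR)
    dst: str     # destination network object (CIDR)
    action: str  # "allow" or "drop"

def net(cidr):
    # strict=False accepts a prefix written with host bits set
    # (10.10.10.1/24) and normalizes it to 10.10.10.0/24.
    return ipaddress.ip_network(cidr, strict=False)

def evaluate(rules, src_ip, dst_ip, default="drop"):
    """First matching rule wins; unmatched traffic gets `default`
    (default-drop is an assumption of this model)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in net(r.src) and d in net(r.dst):
            return r.action, r.name
    return default, "default"

# Constructed addressing: VLAN 10 = 10.10.10.0/24 (gateway .1),
# NAS VLAN = 10.10.20.0/24 (gateway .1, NAS at .50), VLAN 30 = 10.10.30.0/24.
CLIENT_10, CLIENT_30, NAS = "10.10.10.23", "10.10.30.23", "10.10.20.50"

# The mistake suspected in the thread: VLAN interface addresses (/32) in the rule.
HOST_OBJECTS = [Rule("vlan10-to-nas", "10.10.10.1/32", "10.10.20.1/32", "allow")]
# Corrected: VLAN network ranges (/24) in the rule.
NET_OBJECTS = [Rule("vlan10-to-nas", "10.10.10.1/24", "10.10.20.0/24", "allow")]

def report():
    rows = []
    for label, rules in (("interface /32", HOST_OBJECTS), ("network /24", NET_OBJECTS)):
        for src in (CLIENT_10, CLIENT_30):
            rows.append((label, src, NAS) + evaluate(rules, src, NAS))
    return rows

if __name__ == "__main__":
    for row in report():
        print("%-14s %-12s -> %-12s %-5s (%s)" % row)
```

With the /32 objects no client in VLAN 10 ever matches the rule; with the /24 objects VLAN 10 reaches the NAS while VLAN 30, which has no rule, stays blocked.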
Quick update to you.
I was able to use this method and restrict access by unwanted devices. Thanks for your guidance.
At the moment I am using any for services but I want to restrict that to the ports required for the NAS (such as 445). I have tried with 445 and 137 as SMB ports, but no success.
The firewall at the NAS is disabled.