

Inter VLAN Communication is not working

Hi

I am using Sophos XG115 as the firewall and I do have a layer 3 switch (Unifi 8 port POE 60W switch) which leverages VLANs created & tagged at XG115.

Users in different VLANs want to connect to devices (e.g. Network Printer and Network Attached Storage device [TerraMaster]) located in another VLAN. 

I have created a firewall rule which enables the communication between VLANs. I have also created DHCP records for each VLAN at XG115.

I am able to PING the gateway addresses of each VLAN. Unfortunately, the trace route keeps on failing at the gateway address of the LAN network port at XG115 when trying to reach devices in different VLANs.

Can someone help me with the steps on what we should be adding or enabling to allow users in different VLANs to access the NAS and Printer?

Please note that users are on stand-alone Windows 10 devices. There is no Active Directory or LDAP integration (I mean there is no Windows server).

Below is a diagram of the network. An early response is highly appreciated. 



  • Hi Ian

    Quick update to you.

    I was able to use this method and restrict access by unwanted devices. Thanks for your guidance. 

    At the moment I am using Any for services, but I want to restrict that to the ports required for the NAS (such as 445). I have tried with 445 and 137 as SMB ports, but no success.

    The firewall at the NAS is disabled. 

  • VLAN interface: 10.10.10.1/32; VLAN network: 10.10.10.1/24

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.
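    As an added illustration (not code from this thread or from Sophos), here is a small Python model of top-down firewall rule matching. It shows why a rule whose destination object holds the VLAN interface address (/32) lets pings to the gateway through but never matches the NAS, why the VLAN network (/24) does, and how the SMB service restriction and a per-VLAN deny asked about in this thread fit in. The zone names, the NAS address 10.10.10.50 and the VLAN 30/40 ranges are assumptions made for the example.

    ```python
    from dataclasses import dataclass
    from ipaddress import ip_address, ip_network

    # Constructed model of a top-down rule table; hypothetical zone names and
    # object layout, not the Sophos rule engine itself.
    @dataclass
    class Rule:
        name: str
        src_zone: str
        src_nets: object      # "any" or a list of CIDR strings
        dst_zone: str
        dst_nets: object      # "any" or a list of CIDR strings
        services: object      # "any" or a list of (proto, port) tuples
        action: str           # "allow" or "drop"

    def _net_match(nets, addr):
        if nets == "any":
            return True
        # strict=False turns "10.10.10.1/24" (as written in the thread) into 10.10.10.0/24
        return any(ip_address(addr) in ip_network(n, strict=False) for n in nets)

    def _svc_match(services, proto, port):
        return services == "any" or (proto, port) in services

    def evaluate(rules, src_zone, src, dst_zone, dst, proto, port=0):
        """First matching rule wins; no match falls through to the implicit drop."""
        for r in rules:
            if (r.src_zone == src_zone and r.dst_zone == dst_zone
                    and _net_match(r.src_nets, src) and _net_match(r.dst_nets, dst)
                    and _svc_match(r.services, proto, port)):
                return r.name, r.action
        return "implicit", "drop"

    NAS = "10.10.10.50"  # constructed NAS address inside the VLAN 10 range

    # Mistake discussed above: destination object is the VLAN interface IP (/32).
    # Only the gateway address itself matches, so ping to the gateway works
    # while anything to the NAS hits the implicit drop.
    WRONG = [Rule("40toLAN", "LAN", ["10.10.40.0/24"], "LAN", ["10.10.10.1/32"], "any", "allow")]

    # Corrected: destination is the VLAN network (/24). SMB only needs TCP 445
    # (137 is NetBIOS name service over UDP, not required for direct SMB), and a
    # drop rule for VLAN 30 keeps that VLAN away from the NAS.
    RIGHT = [
        Rule("VLAN40-to-NAS-SMB", "LAN", ["10.10.40.0/24"], "LAN", ["10.10.10.1/24"],
             [("tcp", 445)], "allow"),
        Rule("deny-VLAN30-to-NAS", "LAN", ["10.10.30.0/24"], "LAN", ["10.10.10.1/24"],
             "any", "drop"),
    ]
    ```
    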

  • Can you please give me an example to get a better understanding of your guidance? 

  • You need to set up firewall rules LAN "VLAN Network" LAN any allow log. I suspect you are changing the ANY to the VLAN interface IP address rather than the VLAN IP network range.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA


  • Hi Ian

    After deleting and recreating the VLAN and Rule, I am now able to access the NAS by using the UNC path. I am not sure what the issue was which prevented access with the previous arrangements.

    The firewall rule is the same as the screenshot displaying 40toLAN, where Source is LAN, ANY and then Destination is LAN with ANY. As soon as I change ANY to specific VLANs, I am unable to communicate with the NAS.

    I don't want some VLANs to access the NAS, hence I need to find a way to prevent such VLANs from accessing the NAS. How do I achieve that?

  • Hello UJay,

    I do not understand your rules, especially the first one, 40 to LAN.

    However, here are some things you might try/correct:

    - Can you look on the CLI for dropped packets? Can you look in the logs for dropped packets? Create an explicit deny with all zones (not any) and switch on logging at the end of the rules.

    - There should be no NAT between VLANs 1, 2, 3, 4. You probably need to do NAT to access the internet.

    - Is there only one computer within the VLANs 10, 20, 30? Are you able to ping the devices within the individual VLANs (if there is only one, you might consider adding a second device)?

    - The switch might also be the reason for this behavior. In the configuration described here and in the answers it should leverage only layer 2 functionality.

    - Are your devices answering pings at all? Switch off the firewall / antivirus on the Windows 10 computer and try again.

    Regards,
    BeEf

  • Okay, what is the NAS using? It sounds like it has a firewall enabled blocking incoming traffic on specific ports.

    ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA


  • The other device on this VLAN is the printer. It is using TCP/IP port configuration, hence printing can be done without any issues.

  • So what happens when you try to access other devices on the NAS VLAN?

    ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA


  • Yes, I can PING the NAS from the VLAN where it is located. I can also PING and TRACERT the gateway IP of the VLAN where the NAS is located from any other VLAN. But the PING or TRACERT to the NAS from other VLANs fails.