
Firewall blocks VPN → LAN traffic until it “sees” the destination host

Our networks include a LAN (192.168.0.0/20) and a VPN area (172.x.x.0/24). There is a firewall rule allowing two-way routing between these two zones:

Now the problem we witness is that the firewall blocks VPN → LAN traffic unless it has seen traffic from the LAN host. Initially, the above rule simply does not match:

This happens regardless of the protocol (ICMP, TCP, UDP…)

Indeed the policy tester indicates that such traffic is prohibited:

Now the really strange thing happens when I initiate random traffic from the LAN host (the destination in the above screenshots) that the firewall can see (e.g. connect to something on the internet, or broadcast a single UDP packet): suddenly the host gets “known” and VPN → LAN traffic is no longer blocked:

Then after some time of not seeing any traffic from the LAN host, the traffic is again blocked.

Does anyone understand what is happening?

Note: the issue appears unrelated to ARP, because it still happens if the target host is in the firewall’s ARP table (I even tried adding a PERM entry).



  • Hello Sam,

    Thank you for contacting the Sophos Community.

    Do you happen to have an overlapping network on the XG? 

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hi Emmanuel, and thank you for having a look at this.

    I hope I understand your question correctly: by overlapping network, you mean distinct physical networks that share an IP range? If so, we do not have such a setup AFAIK.

    We do have subnets of 192.168.0.0 declared in Hosts and Services (192.168.2.0/24 and 192.168.3.0/24) for specific firewall rules, but they are physically part of the LAN.

    (Also I realise in my initial message I wrote our LAN was a /16 but it is actually a /20; I don’t believe it makes any difference).
