This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Newbie to Sophos needs a little help

Hey all, this is my first post

I think i am missing something and need a little guidance on how to enable access to the sophos gui on the lan side from my main PC within my current setup.

The setup (see pics)

Router -> Sophos XG -> Core Switch -> VLANS (APs/Comps/Etc)

I've setup rules to allow ping/DHCP etc through all connections and i have setup rules to allow Main PC (192.168.69.107) access to 192.168.67.9 on port 4444.

I can ping any gateway on the Router (192.168.67.2 and 192.168.69.2) from the main PC

IF i ping the Sophos 192.168.67.9 (LAN) i get no response, but if i ping it from the WAN side (via routers ping tool) i get a response. So the IP is accessible only from the WAN side.

I can see in the logs, that the incoming request is accepted, but the return journey is denied, despite being a rule in place.

Rule

It looks like the Sophos IP 192.168.67.9 is not accessible from the LAN side. I think the networking is setup correctly, i can now access different vlans and everything is talking to each other (provided there is rule in place to allow it)

How do i add another IP on the bridge pair or expose the Sophos to the LAN side? (preferably on the 192.168.67.0 vlan)

I've tried all sorts and it keeps resulting in failure, any ideas would be most welcomed

Thanks for your time

This thread was automatically locked due to age.

Top Replies

PhilippRusch over 2 years ago in reply to DisturbedPixel +1

Hi Piers, I'd recommend you abandon LAGs at first, then use no bridging at all and try to seperate the nets. Personally I would use a transfer-net and normal routing.

0 rfcat_vk over 2 years ago

Hi,

Avery complex setup. Are you using https://firewall address:4444

ian

XG115W - v20 GA - Home

XG on VM 8 - v20 GA

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 DisturbedPixel over 2 years ago in reply to rfcat_vk

Hi Ian, thanks for your quick reply.

Yes i'm using: https://192.168.67.9:4444/ from my main PC.

I can't ping 192.168.67.9 from my pc (though can ping everything else on that subnet or any other) It's as if that IP isn't accessible on the LAN side.

I'm very new to sophos, so i'm struggling a bit
Cancel
Vote Up 0 Vote Down

Cancel
0 PhilippRusch over 2 years ago in reply to DisturbedPixel

Hi,

what's your internet uplink/downlink speed on the WAN-side of your router?

Mit freundlichem Gruß, best regards from Germany,

Philipp Rusch

New Vision GmbH, Germany
Sophos Silver-Partner

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 DisturbedPixel over 2 years ago in reply to PhilippRusch

Hi Philipp

That depends, currently running two 4G connections due to the rural location and atrocious hard-line broadband. Separately they are between 50-70mbps down and 25mbps up, but bonded it can be up to 120mbps down with wan smoothing (on a good day) and up to 50mbps up. Nothing epic yet, no 5G yet or fibre here. Was looking at a starlink option.
Cancel
Vote Up 0 Vote Down

Cancel
0 Wayne Folta over 2 years ago

For clarity, which SFOS are you on?

I've never used the Sophos in bridge mode, so can't say anything definitively. That said, my first thought is that you may need to create VLANs in the Sophos in order for it to consider them something it cares about -- even though you're not routing. No clue if that matters, but it might be worth a try.

Bridged interfaces allow you to filter VLANs, which I assume you aren't doing. And I'd say there's always the possibility that something like a bug with LAG'd ports that don't allow certain things.
Cancel
Vote Up 0 Vote Down

Cancel
0 PhilippRusch over 2 years ago in reply to DisturbedPixel

Why are you using LAGs then?

Mit freundlichem Gruß, best regards from Germany,

Philipp Rusch

New Vision GmbH, Germany
Sophos Silver-Partner

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 DisturbedPixel over 2 years ago in reply to Wayne Folta

Hi Wayne

SFOS 18.5.2 MR-2

Yeah i did try adding them to the bridge, but it caused all sorts of problems with devices getting DHCP in the correct ranges 169.254.x.x. In the current setup the VLANs are being passed through ok to the router and back again.

I've tried filtered VLANs on/off on the bridge-pair with all their IDs (currently its OFF) but no joy.

I might try again and disable the LAGs.

Thanks

Piers
Cancel
Vote Up 0 Vote Down

Cancel
0 PhilippRusch over 2 years ago in reply to DisturbedPixel

Hi Piers,

I'd recommend you abandon LAGs at first, then use no bridging at all and try to seperate the nets. Personally I would use a transfer-net and normal routing.

Mit freundlichem Gruß, best regards from Germany,

Philipp Rusch

New Vision GmbH, Germany
Sophos Silver-Partner

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up +1 Vote Down

Cancel
0 DisturbedPixel over 2 years ago in reply to PhilippRusch

Because one of the VLANs runs video streams to another VLAN and has to go from the switch up through the router and back to the switch. (trying to reduce the router on a stick bottlenecks by increasing bandwidth via lags)
Cancel
Vote Up 0 Vote Down

Cancel
0 DisturbedPixel over 2 years ago in reply to PhilippRusch

Hi Philipp, thanks i will try that.

Not sure i understand what you mean by a transfer net? or separating the nets as they are all managed by the router each for different purposes.
Cancel
Vote Up 0 Vote Down

Cancel