Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Newbie to Sophos needs a little help

Hey all, this is my first post Slight smile

I think i am missing something and need a little guidance on how to enable access to the sophos gui on the lan side from my main PC within my current setup. 

The setup (see pics)

Router -> Sophos XG -> Core Switch -> VLANS (APs/Comps/Etc)

I've setup rules to allow ping/DHCP etc through all connections and i have setup rules to allow Main PC (192.168.69.107) access to 192.168.67.9 on port 4444.

I can ping any gateway on the Router (192.168.67.2 and 192.168.69.2) from the main PC

IF i ping the Sophos 192.168.67.9 (LAN) i get no response, but if i ping it from the WAN side (via routers ping tool) i get a response. So the IP is accessible only from the WAN side.

I can see in the logs, that the incoming request is accepted, but the return journey is denied, despite being a rule in place.

Rule

It looks like the Sophos IP 192.168.67.9 is not accessible from the LAN side. I think the networking is setup correctly, i can now access different vlans and everything is talking to each other (provided there is rule in place to allow it)

How do i add another IP on the bridge pair or expose the Sophos to the LAN side? (preferably on the 192.168.67.0 vlan)

I've tried all sorts and it keeps resulting in failure, any ideas would be most welcomed

Thanks for your time



This thread was automatically locked due to age.
Parents
  • For clarity, which SFOS are you on?

    I've never used the Sophos in bridge mode, so can't say anything definitively. That said, my first thought is that you may need to create VLANs in the Sophos in order for it to consider them something it cares about -- even though you're not routing. No clue if that matters, but it might be worth a try.

    Bridged interfaces allow you to filter VLANs, which I assume you aren't doing. And I'd say there's always the possibility that something like a bug with LAG'd ports that don't allow certain things.

  • Hi Wayne

    SFOS 18.5.2 MR-2

    Yeah i did try adding them to the bridge, but it caused all sorts of problems with devices getting DHCP in the correct ranges 169.254.x.x. In the current setup the VLANs are being passed through ok to the router and back again.

    I've tried filtered VLANs on/off on the bridge-pair with all their IDs (currently its OFF) but no joy.

    I might try again and disable the LAGs.

    Thanks

    Piers

  • Hi Piers,

    I'd recommend you abandon LAGs at first, then use no bridging at all and try to seperate the nets. Personally I would use a transfer-net and normal routing.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

Reply
  • Hi Piers,

    I'd recommend you abandon LAGs at first, then use no bridging at all and try to seperate the nets. Personally I would use a transfer-net and normal routing.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

Children
  • Hi Philipp, thanks i will try that.

    Not sure i understand what you mean by a transfer net? or separating the nets as they are all managed by the router each for different purposes.

  • Hello,

    I would use the Sophos Firewall as the central point to manage the networks. The router is only a measure to reach out to the ISP.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks Philipp.

    Not really a realistic option at present. I picked Sophos in bridge mode so that it could be placed easily inline within the existing setup.

    I tried removing the lags and it didn't make any difference, the firewall was still only accessible from the WAN side.

    Without bridging it seems to cause all sorts of issues passing the traffic through, bridging was the only way i could get it to work seamlessly.

  • OK, last try: with bridging you always have ALL traffic passing thriough the Sophos. This is your bottleneck.

    With routing (and this is the main advantage of routing) you only have fractions of traffic going from source interface to target interface.

    Besides, you have much easier control about security between these segments.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • I get what you're saying regarding ease of management and bottlenecks and will consider it, there's always plenty of room to improve Slight smile

    The initial plan was to get everything to pass through the Sophos at least on 2Gbps lag between the VLANs but on the core VLAN there's a 10GBe pipe via the core switch to the other switches behind the FW.

    The main router manages more than just the internet, it manages all the AP's (same brand), the mesh, wifi as wan and routing/encryption to/from a AWS instances via different isps. Site to site vpns and all the remote access. It works beautifully and it would be an upheaval to change it all when it works so well.

    I was hoping that i could manage the FW LAN side within the current setup.