
Newbie to Sophos needs a little help

Hey all, this is my first post :)

I think I am missing something and need a little guidance on how to enable access to the Sophos GUI on the LAN side from my main PC within my current setup.

The setup (see pics)

Router -> Sophos XG -> Core Switch -> VLANS (APs/Comps/Etc)

I've set up rules to allow ping/DHCP etc. through all connections, and I have set up rules to allow the main PC (192.168.69.107) access to 192.168.67.9 on port 4444.

I can ping any gateway on the router (192.168.67.2 and 192.168.69.2) from the main PC.

If I ping the Sophos 192.168.67.9 (LAN) I get no response, but if I ping it from the WAN side (via the router's ping tool) I get a response. So the IP is accessible only from the WAN side.

I can see in the logs that the incoming request is accepted, but the return journey is denied, despite a rule being in place.

Rule

It looks like the Sophos IP 192.168.67.9 is not accessible from the LAN side. I think the networking is set up correctly; I can now access different VLANs and everything is talking to each other (provided there is a rule in place to allow it).

How do I add another IP on the bridge pair or expose the Sophos to the LAN side? (Preferably on the 192.168.67.0 VLAN.)

I've tried all sorts and it keeps resulting in failure; any ideas would be most welcome.

Thanks for your time
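The symptom above (ping and port 4444 to the firewall's own LAN address get no reply at all, while neighbouring hosts on the same subnet answer) is worth pinning down with a small probe before changing rules: a silent timeout means packets are being dropped somewhere on the path or by the firewall itself, whereas a TCP reset means the host is reachable but nothing is listening. One caveat for SFOS specifically: access to the firewall's own admin services (the HTTPS console on 4444, ping, SSH) from a zone is governed by the device access / local service ACL under Administration, not by ordinary firewall rules, so a permit rule alone may not be enough. The following is an added example, not code from the original post, that classifies a TCP connect attempt; the host and port defaults mirror the thread, and the helper names are my own.

```python
import errno
import socket

# Defaults taken from the thread: the firewall's LAN IP and the admin port.
FIREWALL_IP = "192.168.67.9"
ADMIN_PORT = 4444

# Human-readable hints for each probe outcome, keyed for the thread's problem.
HINTS = {
    "open": "host reachable and service listening on that port",
    "refused": "host reachable (RST received) but nothing listening on that port",
    "timeout": "no reply at all: packets dropped (ACL, rule, or missing return route)",
    "unreachable": "no route to host/network from this machine",
}


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt a TCP connect and classify what happened.

    Returns one of: "open", "refused", "timeout", "unreachable", or
    "error:<errno name>" for anything else.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return f"error:{errno.errorcode.get(exc.errno, exc.errno)}"


def start_listener(host: str = "127.0.0.1"):
    """Open a local listening socket on an ephemeral port (used for self-test).

    Returns (socket, port). Caller closes the socket.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def report(host: str = FIREWALL_IP, port: int = ADMIN_PORT) -> str:
    """Probe host:port and return a one-line diagnosis."""
    outcome = probe_tcp(host, port)
    return f"{host}:{port} -> {outcome}: {HINTS.get(outcome, 'unexpected socket error')}"


if __name__ == "__main__":
    # Run from the LAN PC; a "timeout" here matches the "no response" symptom.
    print(report())
```

Run it from the LAN-side PC and compare with the same probe run against a host that does answer on the subnet; a "refused" result would already tell you the frame reached the firewall and the problem is the service ACL rather than the path.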



  • Hi,

    A very complex setup. Are you using https://firewall address:4444?

    ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Ian, thanks for your quick reply.

    Yes, I'm using https://192.168.67.9:4444/ from my main PC.

    I can't ping 192.168.67.9 from my PC (though I can ping everything else on that subnet or any other). It's as if that IP isn't accessible on the LAN side.

    I'm very new to Sophos, so I'm struggling a bit.

  • Hi,

    What's your internet uplink/downlink speed on the WAN side of your router?

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

  • Hi Philipp

    That depends; currently I'm running two 4G connections due to the rural location and atrocious hard-line broadband. Separately they are between 50-70 Mbps down and 25 Mbps up, but bonded it can be up to 120 Mbps down with WAN smoothing (on a good day) and up to 50 Mbps up. Nothing epic yet; no 5G or fibre here yet. I was looking at a Starlink option.

  • For clarity, which SFOS are you on?

    I've never used the Sophos in bridge mode, so I can't say anything definitively. That said, my first thought is that you may need to create VLANs in the Sophos in order for it to consider them something it cares about, even though you're not routing. No clue if that matters, but it might be worth a try.

    Bridged interfaces allow you to filter VLANs, which I assume you aren't doing. And I'd say there's always the possibility of something like a bug with LAG'd ports that doesn't allow certain things.

  • Why are you using LAGs then?

    Philipp Rusch

  • Hi Wayne

    SFOS 18.5.2 MR-2

    Yeah, I did try adding them to the bridge, but it caused all sorts of problems with devices getting DHCP in the correct ranges (169.254.x.x). In the current setup the VLANs are being passed through OK to the router and back again.

    I've tried filtered VLANs on/off on the bridge pair with all their IDs (currently it's OFF), but no joy.

    I might try again and disable the LAGs.

    Thanks

    Piers

  • Hi Piers,

    I'd recommend you abandon LAGs at first, then use no bridging at all and try to separate the nets. Personally I would use a transfer net and normal routing.

    Philipp Rusch

    Because one of the VLANs runs video streams to another VLAN and has to go from the switch up through the router and back to the switch (trying to reduce the router-on-a-stick bottleneck by increasing bandwidth via LAGs).

    Hi Philipp, thanks, I will try that.

    Not sure I understand what you mean by a transfer net, or separating the nets, as they are all managed by the router, each for different purposes.