

How to enable gateway on XGS 2100

I have a small ICMS network to deploy. There are several VLANs involved. Devices in some VLANs are to be allowed talking to devices in other VLANs, but not all devices are allowed to talk to all other devices. 

I am expecting all routing to be done by the XGS 2100. 

This is my current bench setup. 

The 2 computers can ping each other. But neither can ping the GW. 

So, the config I have on the XGS 2100 unit so far: 

The Network section:

I have assigned the ip address of the F1 interface on the XGS unit to be 10.88.100.254. 

And this is where I can't seem to get it right, I tried it every which way, but the closest I got to having the Gateway up and running is with this setup:

I created a VLAN interface to participate, and assigned it an IP of the GW, 10.88.100.1, and also the VLAN interface has got the VLAN tag of 1100 enabled - I am guessing this allows the XGS unit to tag the traffic(?)

The Routing section: 

Under "Gateways" section, I created the Gateway, and that seems to be "up" and "running" 

And I assigned it the following settings: 

But I am obviously missing some fundamental piece of puzzle. 

Would anyone be able to give me a working example of the settings that are needed to have the XGS 2100 unit provide gateway services (among others) to the local networks? 

Some additional information: 

I created the rules to basically allow the traffic to flow: 

I am allowing the ping to be used in the custom zone that I created: 

I created a simple route for the 1 subnet I have to test it with, even though it shouldn't be required at this stage... 

I am starting to run out of ideas. If anyone could kindly throw some pointers my way, it would be greatly appreciated. Thank you in advance, 



  • Hi Tomas Podmaka,

    As per the snapshots, it seems we have a lot of things to discuss and check with your new setup.

    Thumb rule we have to keep in mind: we cannot set up the same network on interfaces or VLANs. We have to configure different networks to make it work.

    Once we fine-tune the configuration we then have to check traffic is reaching Sophos XG or not.

    For that, we can check with packet capture and tcpdump, and look for dropped packets, if any.

    Please refer to the below link for the same : 

    support.sophos.com/.../KB-000035761

    console> tcpdump 'host <ip address of the sophos firewall> and proto ICMP'

    console> drop-packet-capture 'host <ip address of the sophos firewall> and proto ICMP'

    If no traffic is hitting Sophos XG, then we also have to check the configuration from the switch end.

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • The biggest problem should be the same subnet on 2 interfaces as stated by Bharat J.
    next: do you mask outbound traffic? Private IPs are discarded on the Internet.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003

  • Never have the same IP range on two different network interfaces. Please change the IP of the Untagged Interface. 


  • I'm not sure I have the same IP address on 2 different interfaces. I think the "Gateway" section is just a pointer to an interface... Anyway, this is not an issue at the moment. Perhaps we'll circle back to this at some stage. Thanks for your input. 

  • What is "mask outbound traffic"? Is that tagging the traffic? 802.1q? Because that's what the problem is, the XGS2100 is not tagging the traffic, and hence it doesn't know how to communicate with the core switch. 

  • This is helpful, thank you Bharat. The FW is not getting anything from the core switch; so I bypassed the core switch and connected a laptop directly to an F1 port, and boom, the GW is alive and pingable. My next question is, how can I enable the 802.1q tagging on the F1 interface? 

  • You have the same address range on the VLAN as well as the physical interface.

    Ian

    XG115W - v20.0.3 MR-3 - on holiday

    XGS118 - v21 GA


  • Hi, thank you for your input. I sense there is an obvious point you are trying to make, but unfortunately, it is not clear to me at this stage in life. Could you kindly break it down for me, why is it an issue? 

  • Very simply, the XG does not know which interface to send the traffic to, e.g. routing confusion.

    Ian

  • Ok, after a short session of hair-pulling, here is what I got. 

    1.) Leave the F1 interface on XGS2100 alone, don't assign any IP to it just yet. 

    2.) Create a virtual interface (Network > Add Interface > Add VLAN)

     - fill out the details, I used 10.xxx.xxx.2 for the virtual IP in this particular instance. 

     - I just used the physical "Port 1" interface while creating this virtual interface

    3.) Create a Bridge interface (Network > Add Interface > Add Bridge)

    - and use the VLAN and the Fiber F1 ports to create a bridge. 

    - using the GW IP address 10.xxx.xxx.1

    - in my mind, the "Bridged interface" becomes the "Gateway"

    - there is a "VLAN" section inside the "Add bridge" config, where it allows for VLAN ID be added - not too sure what this does yet, but I will update this section once I figure it out. 

    4.) Lastly, add an "Alias" interface to the Gateway "bridge" to allow for the particular VLAN GW IP to be reachable on the network. 

    - Network > Add Interface > Add Alias

    - and use the 10.xxx.xxx.1 IP

    This can be repeated for a lot of VLANs. My current assignment has got exactly 35 VLANs that will need a GW, so there is a lot of clicking involved. I wonder if there is a CLI command to create/modify this bridge relationship.
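An added pre-flight check for the 35-VLAN plan described in the last post, tying it to the earlier replies about the same IP range appearing on the physical F1 port and on the VLAN 1100 interface. This is example code written for this page; it is not Sophos tooling, not an SFOS CLI, and not the poster's configuration. It only validates a plan offline (overlapping subnets, bad or duplicated 802.1Q tags) before any of the 35 interfaces are created in the GUI. All ports, tags and 10.88.x.y addresses in it are constructed sample data.

```python
"""Pre-flight check for a plan of VLAN gateway interfaces on a Sophos XGS.

Added example for this page, not Sophos tooling or the poster's config. It encodes
the rule the replies above insist on (no two interfaces, VLAN sub-interfaces
included, may carry the same or an overlapping IP range) plus two sanity checks
on 802.1Q tags, so a 35-VLAN plan can be validated before any clicking in the GUI.
All ports, tags and addresses below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import IPv4Interface, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PlannedInterface:
    name: str               # label as it would appear under Network > Interfaces
    parent: str             # physical port the interface rides on, e.g. "F1"
    vlan_id: int            # 802.1Q tag; 0 means untagged on the parent port
    address: Optional[str]  # gateway IP in CIDR form, or None for "no IP on this port"

    @property
    def network(self) -> Optional[IPv4Network]:
        return IPv4Interface(self.address).network if self.address else None


def find_conflicts(plan: List[PlannedInterface]) -> List[str]:
    """Return human-readable conflicts; an empty list means the plan is clean."""
    problems: List[str] = []

    # 1. Overlapping subnets on any two interfaces (the thread's root cause).
    #    overlaps() also catches a /24 nested inside a /16, not only equal prefixes.
    for i, a in enumerate(plan):
        for b in plan[i + 1:]:
            if a.network and b.network and a.network.overlaps(b.network):
                problems.append(
                    f"subnet overlap: {a.name} ({a.network}) vs {b.name} ({b.network})")

    # 2. 802.1Q tag range: 0 is used here for "untagged", 1..4094 are usable,
    #    4095 is reserved by the standard.
    for iface in plan:
        if iface.vlan_id and not 1 <= iface.vlan_id <= 4094:
            problems.append(f"invalid VLAN tag {iface.vlan_id} on {iface.name}")

    # 3. The same tag used twice on one parent port.
    seen: Dict[Tuple[str, int], str] = {}
    for iface in plan:
        if not iface.vlan_id:
            continue
        key = (iface.parent, iface.vlan_id)
        if key in seen:
            problems.append(
                f"VLAN {iface.vlan_id} on {iface.parent} used by both "
                f"{seen[key]} and {iface.name}")
        seen.setdefault(key, iface.name)
    return problems


def plan_vlan_gateways(parent: str, first_tag: int, count: int,
                       first_third_octet: int = 100) -> List[PlannedInterface]:
    """Build `count` VLAN gateways on `parent`, tagged first_tag+i, each in its own
    10.88.<octet>.0/24 (constructed addressing). The parent port itself gets no IP,
    which is what the last post ended up doing with F1."""
    plan = [PlannedInterface(parent, parent, 0, None)]
    for i in range(count):
        tag = first_tag + i
        plan.append(PlannedInterface(
            f"VLAN{tag}", parent, tag, f"10.88.{first_third_octet + i}.1/24"))
    return plan


# The bench setup from the first post: untagged F1 and VLAN 1100 in the same /24.
BROKEN_PLAN = [
    PlannedInterface("F1", "F1", 0, "10.88.100.254/24"),
    PlannedInterface("VLAN1100", "F1", 1100, "10.88.100.1/24"),
]

# The fix from the last post, scaled to 35 VLANs: F1 without an IP, one /24 per VLAN.
CLEAN_PLAN = plan_vlan_gateways("F1", 1100, 35)

if __name__ == "__main__":
    for label, plan in (("broken", BROKEN_PLAN), ("clean", CLEAN_PLAN)):
        issues = find_conflicts(plan)
        print(f"{label}: {len(issues)} conflict(s)")
        for line in issues:
            print("  " + line)
```

Running it reports one "subnet overlap" conflict for the bench setup and none for the 35-VLAN plan. The overlap test is deliberately `overlaps()` rather than equality, so a wide supernet on one interface and a /24 carved out of it on another is flagged too, since the firewall would have the same routing ambiguity Ian describes.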