
Sophos XG in bridge mode with vlans

I'm running Peplink router with 2 POE APs, multiple SSIDs and Vlans.

Deployed Sophos XG in bridge mode between the Peplink router, and POE switch. WAN/LAN connections from the Sophos are both connected to trunk ports (any vlan).

My bridge interface is configured like the following:

Firewall rules:

Linked to Nat rule #2:

Sophos Central no issue seeing and connecting to the firewall...

At first, my wifi devices were working, but then I noticed Apple TVs with no connection and some wifi devices getting disconnected.

Noticed Apple TV traffic blocked in FW incoming ...

Any tips or advice?



  • Hi,

    1/. delete the mail rule, that is an open relay.

    2/. delete the linked nat rule

    3/. you do not need a WAN to LAN DHCP server rule because all traffic to the DHCP server is originated from your LAN.

    Ian

    XG115W - v20.0.3 MR-3 - on holiday

    XGS118 waiting for licence to be installed - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Good point about the inbound allow on DHCP. 

    #2 delete? These nat rules were put in when I configured the bridge using the setup wizard. Do you mean unlink it from the fw rule?

    still have to figure out why my Apple TV packets are being dropped on entry. I’ll look into it further. 

  • Hi,

    linked NAT rules are usually only required if you have multiple gateways and using SD-WAN features.

    Most Apple applications need to have no web proxy or DPI functions attached to them. All my Apple applications etc. come through a rule that does not use the web proxy; I have application and IPS rules. Initially you will need to allow all services to your Apple devices while you work out which ports are actually required, then tighten your access rules to limit access to those ports for your Apple devices.

    Ian

    XG115W - v20.0.3 MR-3 - on holiday

    XGS118 waiting for licence to be installed - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • FYI... still needed WAN to LAN rule for DHCP... clients getting DHCP connect error otherwise.

    As for NAT rule, deleted the linked NAT rule, and replaced with the following:

    If I understand NAT and bridge mode, NAT is still required, but you do not want or need to MASQ the source going out, since it's still within the LAN.

    With the DHCP you will see errors because it is a broadcast. The internal devices initiate the call so you should not need a WAN to LAN DHCP rule. Please check the log viewer and show the error messages.

    Ian

    XG115W - v20.0.3 MR-3 - on holiday

    XGS118 waiting for licence to be installed - v21 GA

    If a post solves your question please use the 'Verify Answer' button.
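The two points made about DHCP in this thread (the client on the LAN initiates the exchange, yet a WAN to LAN DHCP rule was still needed) are easier to reconcile once you look at the addresses on the wire. The following is an added example, not code from the thread or from Sophos: it builds a DHCP DISCOVER and the OFFER that answers it (RFC 2131 layout; the MAC, transaction id and 192.168.1.x addresses are constructed), labels each by bridge direction on the assumption that the DHCP server sits on the router (WAN) side of the bridge as in the poster's layout, and checks whether the OFFER is the mirrored 5-tuple of the DISCOVER, which is what a session table looks for when it pairs a reply with its request.

```python
"""Decode DHCP DISCOVER/OFFER datagrams and show why a session table cannot
pair the OFFER with the DISCOVER by 5-tuple the way it pairs a TCP reply."""
import socket
import struct
from dataclasses import dataclass

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2131 magic cookie
BOOTREQUEST, BOOTREPLY = 1, 2
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}
BROADCAST = "255.255.255.255"


@dataclass(frozen=True)
class UdpDatagram:
    """The parts of a UDP/IP datagram a firewall rule or session table keys on."""
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    payload: bytes


def build_dhcp(op, msg_type, xid, chaddr, yiaddr="0.0.0.0", siaddr="0.0.0.0"):
    """Build a minimal RFC 2131 message: 236-byte fixed header, cookie, option 53, END."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0, xid, 0, 0x8000,           # htype=Ethernet, hlen=6, broadcast flag set
        b"\0" * 4, socket.inet_aton(yiaddr), socket.inet_aton(siaddr), b"\0" * 4,
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    return fixed + DHCP_MAGIC + bytes([53, 1, msg_type, 255])


def parse_dhcp(payload):
    """Return op, xid, client MAC, offered address and DHCP message type."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    msg_type = None
    i = 240
    while i < len(payload):            # walk TLV options until END (255)
        code = payload[i]
        if code == 255:
            break
        if code == 0:                  # PAD has no length byte
            i += 1
            continue
        length = payload[i + 1]
        if code == 53:
            msg_type = payload[i + 2]
        i += 2 + length
    return {"op": op, "xid": xid, "chaddr": payload[28:28 + hlen],
            "yiaddr": socket.inet_ntoa(payload[16:20]), "msg_type": msg_type}


def classify(dgram):
    """Label a DHCP datagram by message type, broadcast-ness and bridge direction.
    Direction assumes the DHCP server sits on the router (WAN) side of the bridge."""
    info = parse_dhcp(dgram.payload)
    return {
        "message": MSG_NAMES.get(info["msg_type"], "?"),
        "direction": "LAN->WAN" if info["op"] == BOOTREQUEST else "WAN->LAN",
        "broadcast": dgram.dst_ip == BROADCAST,
        "xid": info["xid"],
    }


def is_reverse_flow(request, reply):
    """True if `reply` is the mirrored 5-tuple of `request`, i.e. what a session
    table checks when deciding a packet belongs to an existing connection."""
    return (reply.src_ip == request.dst_ip and reply.dst_ip == request.src_ip
            and reply.sport == request.dport and reply.dport == request.sport)


def same_transaction(request, reply):
    """How the DHCP client itself pairs an OFFER with its DISCOVER: xid and MAC."""
    a, b = parse_dhcp(request.payload), parse_dhcp(reply.payload)
    return a["xid"] == b["xid"] and a["chaddr"] == b["chaddr"]


# Constructed sample exchange (not captured traffic): MAC, xid and addresses are made up.
CLIENT_MAC = bytes.fromhex("001122334455")
DISCOVER = UdpDatagram("0.0.0.0", BROADCAST, 68, 67,
                       build_dhcp(BOOTREQUEST, 1, 0x3903F326, CLIENT_MAC))
OFFER = UdpDatagram("192.168.1.1", BROADCAST, 67, 68,
                    build_dhcp(BOOTREPLY, 2, 0x3903F326, CLIENT_MAC,
                               yiaddr="192.168.1.50", siaddr="192.168.1.1"))

if __name__ == "__main__":
    for name, d in (("DISCOVER", DISCOVER), ("OFFER", OFFER)):
        print(name, classify(d))
    print("OFFER is reverse of DISCOVER 5-tuple:", is_reverse_flow(DISCOVER, OFFER))
    print("OFFER belongs to DISCOVER transaction:", same_transaction(DISCOVER, OFFER))
```

The DISCOVER leaves the LAN as 0.0.0.0:68 to 255.255.255.255:67, and the OFFER arrives from the server's own address on port 67 to the broadcast address (or, with the broadcast flag clear, to the offered address), so neither form is the reverse of the request tuple even though the xid and MAC tie the two together. Whether a given firewall still passes that reply without an explicit WAN to LAN rule depends on how it special-cases DHCP, which is exactly what the dropped-packet entries in the log viewer will tell you.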