Setup
Sophos XG 330:
  LAN Port 9    10.0.0.248/24
  LAN Port 9.8  10.0.8.248/24
  FIREWALL RULE: LAN any - LAN any ALLOW
  Port 9 plugged into Switch port 24

Layer3 Switch:
  VLAN 0  10.0.0.1/24
  VLAN 8  10.0.8.1/24
  Port 24 Trunk ALLOW ALL VLAN
  Port 1  VLAN=0
  Port 2  VLAN=8

PC1: IP 10.0.0.222/24, Gateway 10.0.0.248 <- Sophos is the Gateway here. Plugged into Switch Port 1
PC2: IP 10.0.8.222/24, Gateway 10.0.8.1 <- Layer3 Switch is the Gateway here. Plugged into Switch Port 2

In this config, PC1 can ping PC2, but PC2 CAN'T ping PC1. In the log I have: ICMP packets with invalid ICMP type/code.
If I swap both gateways on the PCs to the same one, it works; it doesn't matter which one I choose.
It's when they are mismatched that I have this issue. And for my use case, I need them to be able to be mismatched.
This setup works on my Sophos SG 330... which will be EOL soon...
Hello there,
Thank you for contacting the Sophos Community.
Because of how your traffic is flowing, you might have asymmetric routing.
Try running the following command from the Advanced Shell of the Sophos Firewall (5>3)
set advanced-firewall bypass-stateful-firewall-config add source_network xxx.xxx.xxx.xxx source_netmask xxx.xxx.xxx.xxx dest_network xxx.xxx.xxx.xxx dest_netmask xxx.xxx.xxx.xxx
The above would bypass the entire network; if you're looking to do the bypass for only specific hosts, you can run
set advanced-firewall bypass-stateful-firewall-config add source_host x.x.x.x dest_host x.x.x.x
Note: After running this command, the XG will only do the routing for these packets; no other feature can be enforced.
Regards,
The command worked!!! But not in [5>3], in [4] Console.
It's a long process because I had to write a line for both directions:
set advanced-firewall bypass-stateful-firewall-config add source_network 10.0.4.0 source_netmask 255.255.255.0 dest_network 10.0.0.0 dest_netmask 255.255.255.0
set advanced-firewall bypass-stateful-firewall-config add source_network 10.0.0.0 source_netmask 255.255.255.0 dest_network 10.0.4.0 dest_netmask 255.255.255.0
For each VLAN that the Sophos has, you have to write both lines for each pair of VLANs. So it's an n(n+1)/2 scenario: if you have 9 VLANs you have 45 lines.
Furthermore, if you have remote switches with their own local VLANs, and that switch is the gateway for the clients on that VLAN, you have to write one line (the return ping line) for every VLAN that the Sophos has. So if your remote VLAN is 10.0.20.0:
set advanced-firewall bypass-stateful-firewall-config add source_network 10.0.0.0 source_netmask 255.255.255.0 dest_network 10.0.20.0 dest_netmask 255.255.255.0
set advanced-firewall bypass-stateful-firewall-config add source_network 10.0.4.0 source_netmask 255.255.255.0 dest_network 10.0.20.0 dest_netmask 255.255.255.0
So if your remote switch has 5 remote VLANs and you have 8 VLANs local to your Sophos, you have 40 lines just for that remote switch. If you have 7 remote switches with 2 to 10 VLANs... well, you'd better make a draft in a text file and copy and paste.
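Since the thread ends with hand-writing one bypass line per VLAN pair (both directions for VLANs local to the Sophos, and a return-path line from every local VLAN to every VLAN behind a remote Layer3 switch), here is an added generator for that text file. It is example code written for this thread, not Sophos' own tooling; the VLAN lists are constructed sample values (10.0.0.0/24, 10.0.4.0/24, 10.0.8.0/24 locally and 10.0.20.0/24 behind a remote switch), and the only Sophos-specific content is the command syntax quoted in the replies above. It also checks that no two listed subnets overlap, because a bypass entry on an overlapping prefix would exempt more traffic from stateful inspection than intended (per the support note, bypassed flows get routing only, with no other firewall feature enforced).

```python
#!/usr/bin/env python3
"""Generate Sophos XG bypass-stateful-firewall-config lines for asymmetric routing.

Constructed example, not from Sophos. Input subnets are CIDR strings; output is
the exact CLI line format used in the thread, one entry per (source, dest) pair.
"""
from ipaddress import IPv4Network
from itertools import combinations

CMD = "set advanced-firewall bypass-stateful-firewall-config add"


def bypass_line(src: IPv4Network, dst: IPv4Network) -> str:
    """One CLI line bypassing stateful inspection for traffic src -> dst."""
    return (f"{CMD} source_network {src.network_address} source_netmask {src.netmask} "
            f"dest_network {dst.network_address} dest_netmask {dst.netmask}")


def check_no_overlap(nets: list[IPv4Network]) -> None:
    """Refuse overlapping prefixes: a bypass on a supernet silently widens the
    set of flows that skip inspection."""
    for a, b in combinations(nets, 2):
        if a.overlaps(b):
            raise ValueError(f"overlapping subnets: {a} and {b}")


def local_pair_lines(local_vlans: list[str]) -> list[str]:
    """Both directions for every pair of VLANs routed by the Sophos itself."""
    nets = [IPv4Network(v) for v in local_vlans]
    check_no_overlap(nets)
    lines = []
    for a, b in combinations(nets, 2):
        lines.append(bypass_line(a, b))
        lines.append(bypass_line(b, a))
    return lines


def remote_return_lines(local_vlans: list[str], remote_vlans: list[str]) -> list[str]:
    """Return-path line from each Sophos-local VLAN to each VLAN whose gateway is
    a remote Layer3 switch (the direction the Sophos otherwise drops as
    'invalid ICMP type/code')."""
    nets = [IPv4Network(v) for v in local_vlans + remote_vlans]
    check_no_overlap(nets)
    return [bypass_line(IPv4Network(l), IPv4Network(r))
            for l in local_vlans for r in remote_vlans]


def generate(local_vlans: list[str], remote_vlans: list[str] = ()) -> list[str]:
    """Full list to paste into the console, duplicates removed, order preserved."""
    seen, out = set(), []
    for line in local_pair_lines(local_vlans) + remote_return_lines(local_vlans, list(remote_vlans)):
        if line not in seen:
            seen.add(line)
            out.append(line)
    return out


if __name__ == "__main__":
    # Constructed sample topology (not the poster's real network).
    LOCAL = ["10.0.0.0/24", "10.0.4.0/24", "10.0.8.0/24"]
    REMOTE = ["10.0.20.0/24"]
    lines = generate(LOCAL, REMOTE)
    print("\n".join(lines))
    print(f"# {len(lines)} bypass entries; each one is routed only, with no inspection")
```

Run it and redirect to a file; the printed count at the end is the number of flows you are exempting from inspection, which is worth reviewing before pasting into the console.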