
Bridge with 2 lan and connection problem between 2 hosts on same vlan

Hi all,

I installed Sophos on Hyper-V (VM) with 3 NICs:

- NIC-A “LAN” (physical nic on server)

- NIC-B “WAN” (physical nic on server)

- NIC-C “LAN” (private virtual switch hyper-v)

I’ve created a Bridge with NIC-A and NIC-C, with "enable routing on this bridge pair" and "permit ARP broadcast".

On the Bridge I’ve created the VLANs.


- host-A (real PC) is on the physical switch (attached to NIC-A) on vlan10 (example)

- and host-B (VM) is on the physical switch (attached to NIC-A) on vlan10 (example)

Ping works.


- host-A (real PC) is on the virtual switch (attached to NIC-C) on vlan10 (example)

- and host-B (VM) is on the virtual switch (attached to NIC-C) on vlan10 (example)

Ping works.


- host-A (real PC) is on the physical switch (attached to NIC-A) on vlan10 (example)

- and host-B (VM) is on the virtual switch (attached to NIC-C) on vlan10 (example)

host-A cannot ping host-B and host-B cannot ping host-A.

If I change the VLAN on one of the two hosts, the ping works.

I’ve checked "Enable MAC address spoofing" on the 3 Hyper-V interfaces.

On Diagnostics / Packet capture I have 0 logs (0 packets arriving on the firewall; host-A's ARP misses the MAC address of host-B and vice versa).

On Network / Neighbors (ARP-NDP) I have the host-A MAC address and the host-B MAC address.

On host-A I have an incomplete MAC address for host-B (arp -a).

On host-B I have an incomplete MAC address for host-A (arp -a).

I’ve already created LAN-LAN and VLAN-VLAN rules (so maybe the firewall rule is not the problem).

Can you help me? =)

Thanks a lot

  • Likely this is a problem with the Hyper-V config. Hyper-V is tricky in terms of VLAN configuration. You should check the documentation of Hyper-V, as: if you do not see anything in packet capture, the firewall is not getting the packet; this is a Hyper-V problem.
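As an added example (not the thread's own), a PowerShell check to run on the Hyper-V host for the two vNICs in the bridge: the UTM tags frames itself via the VLAN interfaces on the bridge, so its vNICs must be in Trunk mode allowing that VLAN, and bridging needs MAC address spoofing on. The VM name and adapter names are assumptions.

```powershell
# Added example, not from the thread: audit the UTM VM's bridged Hyper-V vNICs.
$VmName      = 'SophosUTM'        # assumed name of the UTM VM
$BridgedNics = @('NIC-A', 'NIC-C') # assumed vNIC names of the bridge members
$VlanId      = 10                  # the VLAN both hosts share (vlan10 in the thread)

$problems = @()
foreach ($nic in Get-VMNetworkAdapter -VMName $VmName) {
    if ($nic.Name -notin $BridgedNics) { continue }   # skip the WAN vNIC

    $vlan  = Get-VMNetworkAdapterVlan -VMNetworkAdapter $nic
    $label = "$($nic.Name) on switch '$($nic.SwitchName)'"

    # The guest emits 802.1Q-tagged frames, so the vNIC must be a trunk;
    # in Access/Untagged mode Hyper-V drops the tagged frames silently,
    # which matches "0 packets" in the UTM packet capture.
    if ($vlan.OperationMode -ne 'Trunk') {
        $problems += "$label is in $($vlan.OperationMode) mode, not Trunk"
    } else {
        $allowed = @($vlan.AllowedVlanIdList | ForEach-Object { [int]$_ })
        if ($allowed -notcontains $VlanId) {
            $problems += "$label is Trunk but VLAN $VlanId is not in AllowedVlanIdList"
        }
    }

    # A bridge forwards frames with other hosts' source MACs out of this vNIC;
    # Hyper-V blocks those unless MAC address spoofing is enabled.
    if ($nic.MacAddressSpoofing -ne 'On') {
        $problems += "$label has MAC address spoofing Off"
    }
}

if ($problems.Count -eq 0) {
    Write-Output "Bridged vNICs of '$VmName' trunk VLAN $VlanId with MAC spoofing On."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Run it in an elevated PowerShell session on the Hyper-V host. The host-B VM's own vNIC on the private switch is a separate check: it should be in Access mode for the same VLAN (Get-VMNetworkAdapterVlan on that VM) unless the guest tags its own traffic.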


  • I've checked the Hyper-V config and I think it is OK.

    On the firewall, Network > Neighbors > Show IPv4 neighbor cache, I have hostA (MAC address OK) and hostB (MAC address OK).

    Only in the ARP table does hostA miss the MAC of hostB and vice versa.

    If I ping host A and host B from the firewall (Diagnostics, ping with the correct VLAN interface) the ping works fine.

    If the problem were the Hyper-V VLAN config, I think I could not ping from the firewall, or? :-\