
Bridge with 2 LANs and connection problem between 2 hosts on the same VLAN

Hi all,

I installed Sophos on Hyper-V (VM) with 3 NICs:

- NIC-A “LAN” (physical NIC on the server)

- NIC-B “WAN” (physical NIC on the server)

- NIC-C “LAN” (private virtual switch in Hyper-V)

I’ve created a bridge with NIC-A and NIC-C, with "enable routing on this bridge pair" and "permit ARP broadcast".

On the bridge I’ve created a VLAN.

If:

- host-A (real PC) is on the physical switch (attached to NIC-A) on VLAN 10 (example)

- and host-B (VM) is on the physical switch (attached to NIC-A) on VLAN 10 (example)

ping works.

If:

- host-A (real PC) is on the virtual switch (attached to NIC-C) on VLAN 10 (example)

- and host-B (VM) is on the virtual switch (attached to NIC-C) on VLAN 10 (example)

ping works.

If:

- host-A (real PC) is on the physical switch (attached to NIC-A) on VLAN 10 (example)

- and host-B (VM) is on the virtual switch (attached to NIC-C) on VLAN 10 (example)

host-A cannot ping host-B and host-B cannot ping host-A.

If I change the VLAN on one of the two hosts, the ping works.

I’ve checked "Enable MAC address spoofing" on the 3 Hyper-V interfaces.

On Diagnostics / Packet capture I have 0 logs (0 packets arriving at the firewall; in ARP, host-A is missing the MAC address of host-B and vice versa).

On Network / Neighbors (ARP-NDP) I have the host-A MAC address and the host-B MAC address.

On host-A I have an incomplete MAC address for host-B (arp -a).

On host-B I have an incomplete MAC address for host-A (arp -a).

I’ve already created LAN-LAN and VLAN-VLAN rules (maybe the firewall rule is not the problem).

Can you help me? =)

Thanks a lot

  • Likely this is a problem with the Hyper-V config. Hyper-V is tricky in terms of VLAN configuration. You should check the documentation of Hyper-V, as: if you do not see anything in packet capture, the firewall is not getting the packet, so this is a Hyper-V problem.

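The Hyper-V-side check the reply above points to, as an added example that is not from the thread: a PowerShell audit of the two adapters that form the SFOS bridge on the firewall VM, reporting the VLAN mode, allowed VLAN list and MAC address spoofing setting of each, and flagging anything that would keep VLAN 10 frames from reaching the bridge. The VM name "SophosFW" and the adapter names "NIC-A" / "NIC-C" are assumptions.

```powershell
# Added example, not from the thread: audit the Hyper-V side of the firewall VM.
# Assumed names: VM "SophosFW", adapters "NIC-A" and "NIC-C" (the SFOS bridge pair).
$VmName      = 'SophosFW'
$BridgeNics  = @('NIC-A', 'NIC-C')
$RequiredVid = 10

function Expand-VlanIdList([object]$List) {
    # Accepts either a collection of ints or a range string such as "1-4094,10".
    $ids = @()
    $parts = (@($List | ForEach-Object { "$_" }) -join ',') -split ','
    foreach ($part in $parts) {
        $part = $part.Trim()
        if ($part -match '^(\d+)-(\d+)$') { $ids += ([int]$Matches[1])..([int]$Matches[2]) }
        elseif ($part -match '^\d+$')    { $ids += [int]$part }
    }
    return $ids
}

$problems = @()
foreach ($nicName in $BridgeNics) {
    $nic  = Get-VMNetworkAdapter -VMName $VmName -Name $nicName
    $vlan = Get-VMNetworkAdapterVlan -VMNetworkAdapter $nic

    # The guest only receives 802.1Q-tagged frames for VLAN 10 when Hyper-V
    # passes the tag through, i.e. Trunk mode with 10 in the allowed list.
    if ($vlan.OperationMode -eq 'Trunk') {
        if ((Expand-VlanIdList $vlan.AllowedVlanIdList) -notcontains $RequiredVid) {
            $problems += "$nicName is a trunk but VLAN $RequiredVid is not allowed (list: $($vlan.AllowedVlanIdList))"
        }
    } else {
        $problems += "$nicName is in $($vlan.OperationMode) mode; guest VLAN tags are only passed in Trunk mode"
    }

    # A bridge forwards frames with host-A/host-B source MACs through the VM's
    # adapter; Hyper-V drops those unless MAC address spoofing is allowed.
    if ($nic.MacAddressSpoofing -ne 'On') {
        $problems += "$nicName has MacAddressSpoofing=$($nic.MacAddressSpoofing)"
    }
}

if ($problems.Count -eq 0) {
    "Hyper-V side is consistent for VLAN $RequiredVid on $($BridgeNics -join ', ')"
} else {
    $problems | ForEach-Object { "PROBLEM: $_" }
    # Corresponding fixes, applied per adapter (run only after confirming the finding):
    #   Set-VMNetworkAdapterVlan -VMName $VmName -VMNetworkAdapterName NIC-C -Trunk -AllowedVlanIdList '10' -NativeVlanId 0
    #   Set-VMNetworkAdapter     -VMName $VmName -Name NIC-C -MacAddressSpoofing On
}
```

Run it in an elevated PowerShell on the Hyper-V host; the same two settings are worth confirming on host-B's own adapter, which should be in Access mode for VLAN 10.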

  • I've checked the Hyper-V config and I think it is OK.

    On the firewall, Network > Neighbors > Show IPv4 neighbor cache, I have hostA (MAC address OK) and hostB (MAC address OK).

    Only in the ARP table does hostA miss the hostB MAC, and vice versa.

    If I ping hostA and hostB from the firewall (Diagnostics > Ping with the correct VLAN interface), the ping works fine.

    If the problem is the Hyper-V VLAN config, I think I could not ping from the firewall, or? :-\
