
Docker L3 network routing not working with Sophos XG firewall

Hello!

I'd like to ask for your help, I've been using this great firewall for several years, but now I'm stuck.
I have a small network at home in which I installed a docker host for testing purposes.
I have found the best way to allow the docker containers to access the home network is to configure the docker network to create an L3 network.
The LAN-->LAN firewall rule is created, the routing table is created, but from the docker container I can only ping the firewall IP address, no other hosts from the home network.

The return path works fine so I can reach containers from any host at home.
Another interesting thing is that when I ping one of the hosts in my home network from the container, the reply gets stuck, so the host's reply is thrown away by the firewall. But if I ping the same container from the same host, the response arrives fine. When I ping any host from the container, the firewall logs ICMP packets with an invalid ICMP type/code.

Please help.



  • Can you give us a network diagram? Doesn’t need to be an artwork.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hi!

    Thank you for your help. As requested, here is the initial chart:

    Network Diagram

  • Does the VLAN appear on the XG?

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi!

    There is no VLAN. The Debian host running Docker does not have a separate VLAN, which is why Docker creates an L3 network. The container can reach the firewall but nothing else. A ping request from the container goes to the host, but on the way back via the firewall, the firewall prevents the ping from returning.
    For example:
    When I ping the IP 10.20.55.55 from the IP 192.168.245.250, I see this in the firewall logs:

  • Hi. As you wrote, "A ping request from the container goes to the host": are you able to see this ICMP request on the XG Firewall or not? Or are you only observing the ICMP reply packets on the firewall?

    I just want to confirm that this is not an asymmetric routing scenario, which would explain why the firewall is not allowing the reply packets routed via it. (This would mean your ICMP requests are routed directly from the container to the host through the vSwitch, and when the host generates an ICMP reply it is routed via the firewall, since the firewall is the gateway IP. That creates an asymmetric routing scenario on the firewall, because the firewall never had the ICMP request packets routed via it.)

    If it is an asymmetric routing scenario, then try to avoid it; if it is still needed, a stateful inspection bypass rule will have to be added in the XG CLI.

    Sophos Firewall/Sophos UTM: Identify an asymmetric routing design condition
    https://support.sophos.com/support/s/article/KB-000038267?language=en_US

    The command for bypassing stateful inspection can be found in the guide below. If that is the scenario, you may first test it by adding a host-to-host rule to bypass stateful inspection; if this allows communication, you can later replace the bypass rule with a network-based one as needed.

    https://support.sophos.com/support/s/article/KB-000044309?language=en_US

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'Verify Answer' link.
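An added illustration (not from the thread, Sophos, or the poster) of the stateful-inspection behaviour described in the reply above: a toy conntrack model in Python that accepts an echo reply only when it has forwarded the matching echo request, plus a host-to-host bypass pair that exempts a flow from that check. The address pair is the one quoted in the thread; the conntrack keying and bypass semantics are simplified assumptions, not XG internals.

```python
from dataclasses import dataclass, field

ECHO_REQUEST, ECHO_REPLY = 8, 0
CONTAINER, HOST = "192.168.245.250", "10.20.55.55"  # addresses quoted in the thread

@dataclass
class Packet:
    src: str
    dst: str
    icmp_type: int
    icmp_id: int

@dataclass
class StatefulFirewall:
    # (requester, responder, icmp id) of each echo request the firewall forwarded
    conntrack: set = field(default_factory=set)
    # unordered host pairs exempt from stateful inspection (the host-to-host bypass rule)
    bypass: set = field(default_factory=set)

    def add_bypass(self, a: str, b: str) -> None:
        self.bypass.add(frozenset((a, b)))

    def inspect(self, pkt: Packet) -> str:
        """Decide one packet: 'allow', 'allow-bypass' or 'drop-invalid'."""
        if frozenset((pkt.src, pkt.dst)) in self.bypass:
            return "allow-bypass"
        if pkt.icmp_type == ECHO_REQUEST:
            self.conntrack.add((pkt.src, pkt.dst, pkt.icmp_id))
            return "allow"
        if pkt.icmp_type == ECHO_REPLY and (pkt.dst, pkt.src, pkt.icmp_id) in self.conntrack:
            return "allow"
        # a reply whose request the firewall never saw is what it logs as invalid
        return "drop-invalid"

REQUEST = Packet(CONTAINER, HOST, ECHO_REQUEST, 0x1234)  # constructed sample flow
REPLY = Packet(HOST, CONTAINER, ECHO_REPLY, 0x1234)

def symmetric() -> list:
    # both directions cross the firewall, so the reply matches tracked state
    fw = StatefulFirewall()
    return [fw.inspect(REQUEST), fw.inspect(REPLY)]

def asymmetric() -> list:
    # request went container -> host directly over the vSwitch; only the reply reaches the firewall
    return [StatefulFirewall().inspect(REPLY)]

def asymmetric_with_bypass() -> list:
    fw = StatefulFirewall()
    fw.add_bypass(CONTAINER, HOST)
    return [fw.inspect(REPLY)]
```

The three functions correspond to the symmetric case, the asymmetric case the reply suspects, and the asymmetric case after a host-to-host bypass rule.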
