
XG appliance has no internet but LAN devices do

Hello,

I've Sophos XG installed in between ISP modem and router. The XG in bridge mode with LAN and WAN bridged together.

The router and LAN all have internet access. 

However, Sophos XG doesn't - what I mean by that I can't update firmware for instance (or update clock using server), or ping using Diagnostics menu anywhere further than ISP modem/gateway. I can't ping 8.8.8.8, or any other outside IP. All packets are lost. There also seems to be no indication in Log as rejected traffic.

I used various DNS settings in Network, 1.1.1.1, 8.8.8.8, 127.0.0.1. 

LAN has DNS service checked and DNS service is running under System Services. 

I tried a factory reset several times and noticed that in router mode XG is fine, updates firmware etc., but as soon as I put it in Bridge mode I can't resolve DNS addresses during initial installation, need to continue offline and can't fix that later on.

Any suggestions would be appreciated. 

Thank you very much. 



  • Hi,

    do you have firewall rules in your router that allow the IP address assigned to the XG from your router out?

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 EAP

    If a post solves your question please use the 'Verify Answer' button.

  • Hi and thank you for the suggestion. 

    XG has static IP on bridge interface (I think it's required).

    The bridge IP 192.168.100.111 is in the same subnet as my gateway 192.168.100.1

    The gateway is ARRIS S33 and doesn't have any firewall rules or routing. 

    I don't have any firewall rules pointing towards XG on my router because it's downstream from XG.

    Is that a correct setup?

    Thanks. 

    Kindest regards,

    Jakub 

  • Yes, it's a Spectrum ISP and I'm provided dynamic public IP address through that gateway. 

    I have the following FW rules using a DHCPServer host set up with my gateway 192.168.100.1. I also left default rules.

    1. DHCP Inbound - Accept

    Source zones | Source networks | Dest zones | Destination networks | Services
    WAN          | DHCPServer      | LAN        | ANY                  | DHCP

     

    1.1 Linked NAT - everything set as Original

     

    2. DHCP Outbound - Accept

    Source zones | Source networks | Dest zones | Destination networks | Services
    LAN          | Any             | WAN        | ANY                  | DHCP

     

    2.2 Linked NAT - everything set as Original

     

    3. "Example traffic to internal zones". If I turn it off it shuts off internet to LAN

    Source zones Source networks Dest zones Destination networks Services
    ANY Any WAN DMZ, LAN, VPN, WiFI ANY

     

    4. "Example traffic to WAN"

    Source zones | Source networks | Dest zones | Destination networks | Services
    ANY          | Any             | WAN        | ANY                  | ANY

     

    5. #Default_Network_Policy

    Source zones | Source networks | Dest zones | Destination networks | Services
    LAN          | Any             | WAN        | ANY                  | ANY

     

    Scan for HTTP and decrypted HTTPS and use zero-day protection checked. 

    5.1 Linked NAT with "Translated source (SNAT)" set as MASQ

    This NAT rule has the most Usage by far.

    Thank you very much for your help.

  • If you only have one WAN interface you do not need a linked NAT, which will cause you issues when debugging. Please show the definition of the DHCP service.

    Concentrate on getting your outgoing working for the moment. What is the range of the WAN addresses (/xx) you have been supplied with by your ISP?

    Ian


  • Thank you very much for your response. 

    I have disabled all NAT rules and indeed my main LAN internet is still working fine. No change with XG - still can't ping outside of modem gateway.

    I'm not certain if that's what you're looking for when asking about DHCP service. I don't have any entry in "Network/DHCP" menu as my bridge is static IP.

    The only thing I've set up is DHCP server as IP host that is then referenced in firewall rules:

    The 192.168.100.1 is my Arris S33 modem gateway.

    The "Hosts and Service/Services" tab provides the following DHCP port setup. I can't edit it as far as I can tell

    "System services/Services" menu shows the following under DHCP server

    Regarding the WAN address, my setup is a residential cable internet by Spectrum. It's a dynamic IP and they provide absolutely nothing on their portal in terms of details. "whatismyip" site says my IP is within the following range

    AS20115 24.151.0.0/16 CIDR and IP Range Summary

    I hope that helps. Thank you again.

    Kindest regards,

    Jakub

  • So,

    what address range does your Arris modem hand out, and why are you using the modem as a DHCP source when it is only a modem?

    I recommend you use the XG in router mode and ignore your modem for providing any network security.

    Ian


  • I followed the instructions I found for bridged interface within some Sophos KB and a couple of youtube guides. I really have a hard time understanding this as I'm not proficient in network engineering.

    I thought that my dynamic IP comes somewhere from within Spectrum server and my Arris modem is the gateway. Thus I point traffic to that gateway and call it DHCP server (although I believe Arris is just a "dumb" signal converter and doesn't generate any IPs on its own. It just passes dynamic IP from Spectrum). 

    I started with XG in router mode, and it worked fine on its own with PC connected directly to it but then when I connected it to my router, then it broke my router, which is Unifi UDM-SE, and nothing on LAN had internet. I learned that UDM can't be downstream of another router :-(

    I really like UDM and don't want to get rid of it, so was hoping Bridged XG would provide me a sophisticated but "transparent" FW.

    I messed around quite a bit and I think these are the issues with possible solutions that unfortunately I don't know how to execute:

    1. XG in bridge mode with static IP

    I think the issue is that the bridge has its own IP. The bridge passes traffic from UDM 192.168.1.1 in fully transparent mode, but then when I want to update firmware, or do something from within the XG, it introduces its own Bridge IP and Arris doesn't recognize it. Thus, I can only ping as far as the gateway.

    Solution would be for the Bridge to "mimic" 192.168.1.1 but I don't know how.

    2. XG in bridge mode with dynamic IP

    Here the WAN Link Manager says the gateway is 128.0.0.1. Through modem resets I'm able to see an external dynamic IP here temporarily with the correct gateway, but then my UDM loses that IP and my LAN doesn't have internet. Almost like XG and UDM are fighting for that single IP.

    Solution would be again to somehow mimic that Bridge as a part of LAN traffic under UDM. 

    Not sure if my conclusions are correct but that's the only thing that makes sense to me. 

  • Hi,

    you have just changed the configuration. The UDM provides the IP addresses not the modem. Please provide a diagram of the network setup. Your configuration sounds very similar to an earlier thread asking the same question using the same devices?

    Ian


  • Not sure what the "order" of devices is now, but I think you should have the UDM as the first device after your internet setup (just as you had it without Sophos XG).
    Then have the Sophos XG bridged in the UDM LAN environment and only then have all your devices behind the Sophos.

    You can leave Sophos bridge as dynamic IP-address which it will request from UDM. Your clients will also get IP from UDM through Sophos.

    Make sure to create firewall rules to allow traffic to flow through the bridge. To make it easy for testing define a rule to allow all traffic. Something like Source Zone: WAN, LAN; Destination zone: WAN, LAN; service: ANY; Allow. This way you simply allow all traffic over the Sophos interfaces both ways. If it then functions, you can start limiting traffic to suit your needs.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improving IT security and happy to help others with their IT security challenges.

  • I'm sorry if I made some confusing statements. My most stable and current configuration, which we're trying to troubleshoot, is per below. I tried to represent it the best I could, with green colors where internet is present and red where internet is blocked.

  • Thank you for a response. I provided a network diagram below in response to question from rfcat_vk. 

    If I place XG downstream from UDM, wouldn't that leave UDM "exposed"? I baselined this configuration on another popular setup I see on Reddit: ISP > Modem > pfsense > UDM.

    I really don't know, by expertise, what I'm doing here and understand it only at a high level thanks to a ton of hours browsing this forum.

    I created such "open" firewall rule you've mentioned. I also disabled as many "protections" as I could find for this troubleshooting: IPS off, malware off, web filtering off etc.

    Just for clarity, my router and the entire LAN have internet; only XG can't access the internet, as shown by its inability to update firmware, service patterns, update time via NTP server, or ping 8.8.8.8, 1.1.1.1 or any other external IP. My concern with this is that I won't be able to update any AntiVirus definitions etc.

    What is interesting, in Diagnostic "Policy test" the result is "Accepted" for any of the above DNS IPs or any external IP addresses I've tested.

  • Ok, this made me try something. 

    I added a new XG Port 4 interface as WAN, set it as dynamic IP and connected it to UDM LAN connection (similar to Port 1). Everything else stayed the same as in the diagram.

    Port 4 got a local 192.168.1.x IP immediately and to my surprise I was now able to ping external IP addresses through that interface from within Diagnostics; however, firmware update, patterns, clock etc. still didn't work.

    Also, none of the other ports were able to ping external, only the new Port4. 

    LAN under UDM still worked fine so that seemed promising. 

    Is such configuration a problem? 

    Which interface is XG using for firmware updates etc.? If this configuration is OK, is there a way to force XG to use Port4 for administrative software updates?

    Thank you all for your help. 

  • If port 4 is your WAN port then that is what the XG will use. You need to check the settings on your UDM as it appears to be blocking the XG from accessing the Sophos update sites.

    Ian


  • Thank you very much for the prompt response. 

    There are two WAN ports in this test config:

    Port 2 WAN (part of the bridge per diagram above) 

    Port 4 WAN port for the test that can ping external ip successfully 

    Is XG going to use both, and then fall back to whichever can access external resources?

    I couldn't find any settings that would relate to update. Any suggestion on where to look? 

  • You will need to setup SD-WAN rules and I am not sure about fallback in bridge mode.

    Ian


  • Folks, it is working!

    I've updated the diagram below for someone's future reference.

    I've indeed created an SD-WAN route, with all fields as "Any" and Primary gateway pointing towards UDM 192.168.1.1.

    Backup gateway None.

    Firmware, patterns, clock update just fine. Everything on XG and LAN appear to be working correctly. :-D

    On UDM I've all the stats, connection list etc. 

    On XG I don't see any Liveuser info but I do see all the Liveconnections, domains, reports etc. so I'm hoping protections are working.

    I have one last question. 

    Can I remove the Port 4 WAN, make Port 1 WAN and still access Sophos Control center? It'd save me a port on UDM but I'm a little hesitant because if I understand it correctly, I need to then configure some admin services on WAN zone to access Sophos control center? That would then also expose my Bridge-Port2 to outside world as well, correct? Is that a concern?

    Thank you everyone. I can't relate how many hours and nights I've spent on this and how helpful your suggestions and the information within this larger forum have been. As far as I can tell, this working setup with UDM has not been documented anywhere.

    I truly appreciate your patience with me and my newb questions. 

    Kindest regards,

    Jakub
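    The fix above separates two things the thread kept running into: the rule table (which "Policy test" reported as Accepted) and the route the appliance's own traffic takes (which only worked once an SD-WAN route pointed at the UDM). The following is an added example, not Sophos code, that models those two lookups with the thread's own addresses; the "LOCAL" zone name and the assumption that the Arris modem's 192.168.100.1 does not forward off-subnet traffic are stand-ins chosen to match what was observed.

```python
"""Model of policy lookup vs. route lookup for traffic the firewall itself
originates. Added example, not Sophos code. Addresses mirror the thread:
bridge 192.168.100.111, modem 192.168.100.1, UDM 192.168.1.1, Port4."""
import ipaddress

# Rule table as in the thread: "Example traffic to WAN" allows ANY -> WAN.
RULES = [{"name": "Example traffic to WAN", "src": "ANY", "dst": "WAN",
          "action": "Accepted"}]

# Next hops that actually forward off-subnet packets. Treating the modem's
# 192.168.100.1 as non-forwarding is an assumption that matches the thread's
# observation that pings from the XG stopped at the modem.
FORWARDING_GATEWAYS = {"192.168.1.1"}

def policy_lookup(src_zone, dst_zone):
    """First matching rule wins, like the firewall rule table."""
    for r in RULES:
        if r["src"] in ("ANY", src_zone) and r["dst"] in ("ANY", dst_zone):
            return r["action"]
    return "Dropped"

def route_lookup(routes, dst):
    """Longest-prefix match over (prefix, gateway, interface) tuples."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best

# Before: the bridge has an address and a default gateway at the modem.
BRIDGE_ONLY = [("192.168.100.0/24", None, "br0"),
               ("0.0.0.0/0", "192.168.100.1", "br0")]
# After: Port4 on the UDM LAN plus an SD-WAN route whose primary gateway is the UDM.
WITH_SDWAN = [("192.168.100.0/24", None, "br0"),
              ("192.168.1.0/24", None, "Port4"),
              ("0.0.0.0/0", "192.168.1.1", "Port4")]

def appliance_can_reach(routes, dst="8.8.8.8"):
    """Returns (policy_result, egress_interface, reachable). Policy can say
    Accepted while the packet still dies at a next hop that does not forward."""
    action = policy_lookup("LOCAL", "WAN")  # "LOCAL" stands in for self-traffic
    rt = route_lookup(routes, dst)
    if rt is None:
        return action, None, False
    _net, gw, iface = rt
    return action, iface, gw is None or gw in FORWARDING_GATEWAYS
```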

  • lol, so maybe something is still broken. Not sure if that's an issue at all but looking at the firewall rules and log, I've no incoming traffic, WAN to LAN at all, only outgoing. I'm not sure why that is, because clearly I've kids streaming movies at the moment, but to my surprise my DHCP Inbound rule has 0GB.

  • Hi,

    all traffic will be on the outgoing rule because the DHCP requests are initiated internally. Your inbound rule will not carry traffic.

    Ian


  • Hello,

    Since the traffic is not initiated externally but internally, the rule WAN to LAN will not be triggered, that rule will only be triggered according to your rule if traffic is DHCP.

    Regards,


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Thanks, is there a way to separate the two? 

    Meaning, whatever originates from within UDM to go out directly through Bridge as Outgoing rule and only the XG Originating traffic (the updates etc) going through Port 4 to be a part of "internal" traffic?

    I'm a bit worried about messing with it as I'm operating by "brute force": try it and see if it works or breaks.

    Thank you again, I'm so excited we got this to work.