
XG appliance has no internet but LAN devices do

Hello,

I have Sophos XG installed between the ISP modem and the router. The XG is in bridge mode with LAN and WAN bridged together.

The router and LAN all have internet access. 

However, Sophos XG doesn't; what I mean by that is that I can't update firmware, for instance (or update the clock using a time server), or ping anywhere further than the ISP modem/gateway from the Diagnostics menu. I can't ping 8.8.8.8 or any other outside IP. All packets are lost. There also seems to be no indication in the log of rejected traffic.

I used various DNS settings in Network: 1.1.1.1, 8.8.8.8, 127.0.0.1.

LAN has DNS service checked and DNS service is running under System Services. 

I tried a factory reset several times and noticed that in router mode XG is fine, updates firmware etc., but as soon as I put it in bridge mode I can't resolve DNS addresses during the initial installation, need to continue offline, and can't fix that later on.

Any suggestions would be appreciated. 

Thank you very much. 



  • Hi,

    Do you have firewall rules in your router that allow the IP address assigned to the XG from your router out?

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi and thank you for the suggestion. 

    XG has static IP on bridge interface (I think it's required).

    The bridge IP 192.168.100.111 is in the same subnet as my gateway 192.168.100.1.

    The gateway is ARRIS S33 and doesn't have any firewall rules or routing. 

    I don't have any firewall rules pointing towards XG on my router because it's downstream from XG.

    Is that a correct setup?

    Thanks. 

    Kindest regards,

    Jakub 

  • Not sure what the "order" of devices is now, but I think you should have the UDM as the first device after your internet setup (just as you had it without Sophos XG).
    Then have the Sophos XG bridged in the UDM LAN environment and only then have all your devices behind the Sophos.

    You can leave the Sophos bridge on a dynamic IP address, which it will request from the UDM. Your clients will also get an IP from the UDM through Sophos.

    Make sure to create firewall rules to allow traffic to flow through the bridge. To make it easy for testing define a rule to allow all traffic. Something like Source Zone: WAN, LAN; Destination zone: WAN, LAN; service: ANY; Allow. This way you simply allow all traffic over the Sophos interfaces both ways. If it then functions, you can start limiting traffic to suit your needs.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improving IT security and happy to help others with their IT security challenges.

  • I'm sorry if I made some confusing statements. My most stable and current configuration, which we're trying to troubleshoot, is per below. I tried to represent it the best I could with green colours where internet is present and red where internet is blocked.

  • Thank you for the response. I provided a network diagram below in response to the question from rfcat_vk.

    If I place XG downstream from the UDM, wouldn't that leave the UDM "exposed"? I based this configuration on another popular setup I see on Reddit: ISP > Modem > pfSense > UDM.

    I really don't know, by expertise, what I'm doing here and understand it only at a high level thanks to tons of hours browsing this forum.

    I created the "open" firewall rule you mentioned. I also disabled as many "protections" as I could find for this troubleshooting: IPS off, malware scanning off, web filtering off, etc.

    Just for clarity, my router and the entire LAN have internet; only XG can't access the internet, as shown by its inability to update firmware or service patterns, update the time via an NTP server, or ping 8.8.8.8, 1.1.1.1 or any other external IP. My concern with this is that I won't be able to update any antivirus definitions etc.

    What is interesting is that in the Diagnostics "Policy test" the result is "Accepted" for any of the above DNS IPs or any external IP addresses I've tested.

  • Ok, this made me try something. 

    I added a new XG Port 4 interface as WAN, set it to dynamic IP and connected it to a UDM LAN port (similar to Port 1). Everything else stayed the same as in the diagram.

    Port 4 got a local 192.168.1.x IP immediately and, to my surprise, I was now able to ping external IP addresses through that interface from within Diagnostics; however, firmware update, patterns, clock etc. still didn't work.

    Also, none of the other ports were able to ping external addresses, only the new Port 4.

    LAN under UDM still worked fine so that seemed promising. 

    Is such a configuration a problem?

    Which interface is XG using for firmware updates etc.? If this configuration is OK, is there a way to force XG to use Port 4 for administrative software updates?

    Thank you all for your help. 

  • If Port 4 is your WAN port then that is what the XG will use. You need to check the settings on your UDM, as it appears to be blocking the XG from accessing the Sophos update sites.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Thank you very much for the prompt response. 

    There are two WAN ports in this test config:

    Port 2: WAN (part of the bridge per the diagram above)

    Port 4: WAN port for the test, which can ping external IPs successfully

    Is XG going to use both, and then fall back to whichever can access external resources?

    I couldn't find any settings that would relate to updates. Any suggestion on where to look?

  • You will need to set up SD-WAN rules, and I am not sure about fallback in bridge mode.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Folks, it is working!

    I've updated the diagram below for someone's future reference.

    I've indeed created an SD-WAN route, with all fields set to "Any" and the primary gateway pointing towards the UDM at 192.168.1.1.

    Backup gateway: None.

    Firmware, patterns and clock update just fine. Everything on XG and the LAN appears to be working correctly. :-D

    On the UDM I have all the stats, connection list etc.

    On XG I don't see any live user info, but I do see all the live connections, domains, reports etc., so I'm hoping protections are working.

    I have one last question. 

    Can I remove the Port 4 WAN, make Port 1 WAN and still access the Sophos Control Center? It'd save me a port on the UDM, but I'm a little hesitant because, if I understand it correctly, I'd then need to configure some admin services on the WAN zone to access the Sophos Control Center. That would then also expose my bridge Port 2 to the outside world as well, correct? Is that a concern?

    Thank you everyone. I can't relate how many hours and nights I've spent on this and how helpful your suggestions and the information within this larger forum have been. As far as I can tell, this working setup with a UDM has not been documented anywhere.

    I truly appreciate your patience with me and my newb questions. 

    Kindest regards,

    Jakub

  • lol, so maybe something is still broken. Not sure if that's an issue at all, but looking at the firewall rules and log, I have no incoming traffic, WAN to LAN, at all, only outgoing. I'm not sure why that is, because clearly I have kids streaming movies at the moment, but to my surprise my DHCP inbound rule shows 0 GB.

  • Hi,

    All traffic will be on the outgoing rule because the DHCP requests are initiated internally. Your inbound rule will not carry traffic.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.
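Ian's point above, that reply traffic is counted against the rule that admitted the connection and an inbound allow rule therefore shows zero bytes as long as nothing on the WAN side initiates a connection, can be shown with a small stateful-firewall model. This is an added example, not code from the thread or from Sophos; the zone names, addresses, ports and byte counts are constructed, and the DHCP exchange is simplified to a unicast renewal (a broadcast DHCPDISCOVER would need special handling that this model omits).

```python
"""Minimal stateful-rule accounting model (constructed example).

A connection is admitted by whichever rule matches its first packet.
Every later packet of that connection, in either direction, is matched
by the connection table and accounted to that same rule, so an inbound
WAN->LAN rule only ever accumulates bytes for *unsolicited* inbound flows.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    size: int


@dataclass
class Rule:
    name: str
    src_zone: str    # "ANY" matches every zone
    dst_zone: str
    action: str      # "allow" or "drop"
    bytes_matched: int = 0

    def matches(self, p: Packet) -> bool:
        return (self.src_zone in ("ANY", p.src_zone)
                and self.dst_zone in ("ANY", p.dst_zone))


class StatefulFirewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        # Connection table: 5-tuple of the initiating packet -> admitting rule.
        self.conntrack: Dict[Tuple, Rule] = {}

    def process(self, p: Packet) -> str:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        rule: Optional[Rule] = self.conntrack.get(fwd) or self.conntrack.get(rev)
        if rule is None:
            # New connection: first-match rule lookup, top to bottom.
            rule = next((r for r in self.rules if r.matches(p)), None)
            if rule is None or rule.action != "allow":
                return "drop"          # implicit deny, or an explicit drop rule
            self.conntrack[fwd] = rule
        rule.bytes_matched += p.size   # replies are charged to the admitting rule
        return "allow"


def run_sample(inbound_action: str = "allow") -> Tuple[Dict[str, int], List[str]]:
    """Replay a constructed LAN-initiated DHCP renewal and a video stream,
    then one unsolicited inbound SYN. Returns (bytes per rule, verdicts)."""
    rules = [
        Rule("LAN-to-WAN outbound", "LAN", "WAN", "allow"),
        Rule("DHCP inbound", "WAN", "LAN", inbound_action),
    ]
    fw = StatefulFirewall(rules)
    client, dhcp_srv, video, scanner = "192.168.1.50", "192.168.1.1", "203.0.113.10", "198.51.100.7"
    traffic = [
        # DHCP renewal: request leaves the LAN, ACK comes back from the server.
        Packet("LAN", "WAN", client, dhcp_srv, "udp", 68, 67, 300),
        Packet("WAN", "LAN", dhcp_srv, client, "udp", 67, 68, 300),
        # Streaming session: small SYN out, large data packets back in.
        Packet("LAN", "WAN", client, video, "tcp", 51000, 443, 60),
        Packet("WAN", "LAN", video, client, "tcp", 443, 51000, 1400),
        Packet("WAN", "LAN", video, client, "tcp", 443, 51000, 1400),
        Packet("WAN", "LAN", video, client, "tcp", 443, 51000, 1400),
        # Unsolicited inbound connection attempt: the only flow the inbound rule sees.
        Packet("WAN", "LAN", scanner, client, "tcp", 40000, 22, 60),
    ]
    verdicts = [fw.process(p) for p in traffic]
    return {r.name: r.bytes_matched for r in rules}, verdicts


if __name__ == "__main__":
    for action in ("allow", "drop"):
        counters, verdicts = run_sample(action)
        print(f"inbound rule = {action}: {counters}, verdicts = {verdicts}")
```

With the inbound rule set to allow, all 4,860 bytes of the LAN-initiated DHCP and streaming traffic land on the outbound rule and the inbound rule counts only the 60-byte unsolicited SYN; with it set to drop, the legitimate replies still pass on the outbound rule and the inbound counter stays at zero. A zero-byte inbound rule is therefore the expected reading for a network where nothing behind the UDM is meant to be reachable from outside, and a non-zero count on it is the thing worth investigating.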
