
Problem configuring Sophos NGFW via Proxmox

Hi!
I have a problem that I can't deal with.

I have an HP 600 G3 Mini. There is one built-in network card. I bought an additional Ethernet network card connected via USB. Sophos itself does not support USB network cards from what I can see, but Proxmox was supposed to be a workaround.

I installed Proxmox. I installed Sophos on a virtual machine. But I can't configure the network interfaces in it. Below is a diagram of my network for better understanding (paint pro, no laughing matter :):

The Internet is provided by the ISP to the Nokia ONT set in bridge mode. Authentication and IP address assignment takes place on the ONT. Nokia is connected to a Mercusys router, which currently has DHCP enabled and is operating in router mode. After implementing the Sophos Firewall, I realized that the HP 800 G3 Mini must be connected between the ONT and the Mercusys router, the connection marked in red in the diagram. The cable from the ONT goes to one of the network cards in the HP, which acts as WAN, and the cable from the HP goes to the port, e.g. LAN1 in the Mercusys router, which acts as LAN. At the same time, I turn off DHCP on Mercusys because I want Sophos to act as a DHCP server and operate in router mode, not bridge mode.

Configuration in Proxmox as in the screenshot below:

and Sophos virtual machine network configuration:

After installing Sophos, I change the IP of my laptop to 172.16.16.2 to connect to 172.16.16.16 and there is no problem here. I manage to access Sophos via the web. Unfortunately, I don't know how to configure it further. I set the Sophos LAN to 192.168.0.1 - it should work as a gateway, but it never works. Either there is a connection error during configuration or even if the LAN works, there is no way out to the world.

I don't know how to set my configuration so that Sophos receives the IP address assigned by the ISP on the WAN port from the ONT (the address is variable, public). I tried changing card settings from Proxmox, reconnecting cables between network cards, setting different IP addresses according to the guides on YT, but nothing works. I don't know where I'm making a mistake.

Help pls :)

  • In your proxmox screenshot it looks like your external usb nic is in vmbr1 which you have named WAN in proxmox. In your drawing however you have the internal nic connected to the ONT (WAN). Maybe it should be switched or maybe you made a drawing error.

    So be sure to use the correct NICs as LAN and WAN first. You connected correctly to 172.16.16.16 so that is what Sophos itself thinks is the LAN side.

    Next, usually on setup, the Sophos WAN interface will default to DHCP mode. That could be correct, but a lot of ISPs need to be configured with PPPoE, so be sure that you configure the correct setup needed for your ISP.

    If your ISP hands out DHCP-addresses and your equipment should request DHCP address, then it might have "stored" the MAC-address from the Mercusys router and not hand out IPs to other MAC-addresses. Either try to power-cycle the ONT and try again, or configure the MAC-address of your WAN-card in Sophos firewall to be the same as the MAC-address of the Mercusys router's WAN port and try again.

    Let us know if this brings you anywhere.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

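To make the first point in that answer checkable rather than eyeballed from screenshots, here is an added example (not code from this thread, nor from Sophos or Proxmox) that parses the Proxmox host's `/etc/network/interfaces` and the VM's `/etc/pve/qemu-server/<vmid>.conf`, reports which physical NIC each virtual NIC is actually bridged to, and builds the replacement `netN` line for the MAC-cloning step. The interface names (`enp0s31f6` for the built-in card, `enx00e04c680123` for the USB adapter), VM id 100 and every MAC address are constructed placeholders; the sample configs are embedded so it runs offline.

```python
import re

# Constructed sample of /etc/network/interfaces on the Proxmox host.
# Mirrors the thread's layout: built-in NIC on vmbr0 (LAN side),
# USB NIC on vmbr1 (WAN side). Interface names are assumed.
INTERFACES = """\
auto lo
iface lo inet loopback

iface enp0s31f6 inet manual

iface enx00e04c680123 inet manual

auto vmbr0
iface vmbr0 inet static
        address 172.16.16.5/24
        bridge-ports enp0s31f6
        bridge-stp off
        bridge-fd 0

auto vmbr1
iface vmbr1 inet manual
        bridge-ports enx00e04c680123
        bridge-stp off
        bridge-fd 0
"""

# Constructed sample of /etc/pve/qemu-server/100.conf (VM id 100 is a placeholder).
# net0 = Sophos Port1 (LAN), net1 = Sophos Port2 (WAN). The MACs are made up.
VM_CONF = """\
name: sophos-fw
cores: 2
net0: virtio=BC:24:11:AA:BB:01,bridge=vmbr0
net1: virtio=BC:24:11:AA:BB:02,bridge=vmbr1
"""

MAC_RE = re.compile(r"^([0-9A-F]{2}:){5}[0-9A-F]{2}$")


def parse_bridges(text):
    """Return {bridge_name: [physical ports]} from an ifupdown config."""
    bridges, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*iface\s+(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*bridge-ports\s+(.+)", line)
        if m and current:
            bridges[current] = m.group(1).split()
    return bridges


def parse_vm_nics(text):
    """Return {netN: {"model", "mac", "bridge"}} from a qemu-server conf."""
    nics = {}
    for line in text.splitlines():
        m = re.match(r"(net\d+):\s*(\S+)", line)
        if not m:
            continue
        parts = m.group(2).split(",")
        model, mac = parts[0].split("=", 1)          # e.g. virtio=BC:24:...
        opts = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        nics[m.group(1)] = {"model": model, "mac": mac.upper(), "bridge": opts.get("bridge")}
    return nics


def check_mapping(vm_nics, bridges, expected):
    """expected = {netN: physical_nic}. Returns a list of problems (empty = OK).
    Catches the mistake the answer describes: the VM NIC meant for WAN sitting
    on the bridge that carries the LAN card, or vice versa."""
    problems = []
    for net, phys in expected.items():
        nic = vm_nics.get(net)
        if nic is None:
            problems.append(f"{net}: missing from VM config")
            continue
        ports = bridges.get(nic["bridge"], [])
        if phys not in ports:
            problems.append(f"{net}: bridged to {nic['bridge']} ({ports}), expected {phys}")
        if not MAC_RE.match(nic["mac"]):
            problems.append(f"{net}: malformed MAC {nic['mac']}")
    return problems


def clone_mac(vm_nics, net, router_mac):
    """Build the replacement netN line that presents the old router's WAN MAC
    to the ISP (MAC cloning, done on the Proxmox side instead of in Sophos).
    Returns the conf line and the matching `qm set` command; nothing is executed."""
    router_mac = router_mac.upper()
    if not MAC_RE.match(router_mac):
        raise ValueError(f"not a MAC address: {router_mac}")
    nic = vm_nics[net]
    spec = f"{nic['model']}={router_mac},bridge={nic['bridge']}"
    return f"{net}: {spec}", f"qm set 100 --{net} {spec}"   # 100 = placeholder vmid


if __name__ == "__main__":
    bridges = parse_bridges(INTERFACES)
    nics = parse_vm_nics(VM_CONF)
    # WAN on the USB NIC, LAN on the built-in NIC: expect no problems.
    print(check_mapping(nics, bridges, {"net0": "enp0s31f6", "net1": "enx00e04c680123"}))
    # Swapped expectation reproduces the mis-wiring the answer warns about.
    print(check_mapping(nics, bridges, {"net1": "enp0s31f6"}))
    print(clone_mac(nics, "net1", "aa:bb:cc:dd:ee:ff"))
```

Setting the MAC on the Proxmox VM NIC and setting it in the Sophos Port2 settings achieve the same thing (the ISP's DHCP server sees the old router's MAC); do it on one side only, and note the original MAC so the change can be reverted. The script only prints the `qm set` command and never runs it.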
  • I corrected the network card settings. Now the LAN works fine and DHCP distributes addresses correctly. You can see customers on the Sophos side. Only for Port2 WAN DHCP is unable to obtain the address and in fact, the problem must be obtaining the IP address from the WAN port.
    When I connect the cable to the LAN1 port in the ONT directly to the laptop, I get an IP address from the blind subnet 169.254.x.x.

    However, the same LAN1 connected to the Mercusys router causes the router to receive the IP address, gateway and DNS from the ISP, and the output to the world works properly. The router has several WAN connection modes:

    - Static IP
    - Dynamic IP
    - PPPoE
    - L2TP
    - PPTP

    The default setting is "Dynamic IP" -> I assume this is the equivalent of DHCP for WAN on the Sophos side. The MAC address is set to the Router's MAC address, cloning is disabled, so there is no MAC authentication with the ISP. But I will try to do the two things you mentioned - first, restart the ONT to clear the data, and if that doesn't help, set the MAC address in Proxmox for WAN that the router uses to connect to the ONT from the ISP.

    If PPPoE was required, the router itself would probably not work either. Unfortunately, the ISP will not provide login details. So fingers crossed that's not the case. I'll let you know what happens :) Thank you!

    Edit: amazing, restarting didn't help, but setting the MAC address of the Mercusys router in the Port2 - WAN settings on the Sophos side resulted in obtaining an IP address from DHCP from the operator. Now everything works. That's stupid, I didn't think of that... Thank you very much for this advice! Now I can start having fun and learning :)