
Installing Sophos XG v20 Firewall home edition and SETTING up ALL ports as a router

Hi, I have gone through a fair bit of posts and how-tos online, so I decided to post the question here, after 5 days researching this.

----------------------

My setup:

Motherboard with 1 built-in 1000mb/s ethernet port, 2x PCI-e cards HP NIC 2 ports each at 2500mb/s, 3x PCI-e cards 1 port each at 1000mb/s (totalling 8 ethernet ports)

Install went through completely fine, I used the recommended security settings from initial wizard.

What do I have now: 1 HP NIC card has the WAN port and LAN port working ok.

----------------------

What I don't get: all other ports are showing in the UI interface. I have tried DHCP and fixed IP under networking, also same and different masking, but I get no internet access when I plug a cable into one of them.

----------------------

What I would like:

What is the simplest way, as little configuration as possible, to have all ports working, ideally in the same range as LAN1 172.16.16.16 so that I can have internet access in all 7 ports in a plug-and-play mode.

----------------------

I have read a lot about bridge mode, not too sure if I need that on WAN or the working LAN1.

Could someone kindly let me know the easiest way to achieve that?

I'll work my way up, learning this platform. It will be quite a learning curve as there are so many features inside the software that I got overwhelmed just reading to sort this initial issue.

Anyway thanks in advance.



  • It sounds like you have a lot of unsupported NICs, what chipsets are they using?

    Sophos XG Engineer

    Sophos Silver Partner

  • I doubt that, as they are all recognized in the Sophos application. Also I have 2 NICs, Intel HP-branded. One works fine, the other connects (changes from unplugged to plugged) but I'm still not finding my way to create standard router gateway options. Work continues. I might try another reset (re-installation and start from the beginning).

    My ISP provides internet via an ethernet socket in the wall. So I'm not using any modem or switch before the Sophos.

    Not at home now, but they are all new cards, purchased within the past 6 months.

    2x cards are: AXAGON NIX PCIe 2.0, Gigabit Ethernet, Realtek RTL8111L, 1xRJ-45

    2x cards are HP Intel PCIe server dual port (will update model soon)

    1x internal motherboard ethernet Realtek RTL8111H ASUS LAN Guard

    1x Intel PCIe single port 1Gb/s (will update model soon)

  • The default setting for XG is router mode, where you can set up a bridge, but you need firewall rules to allow traffic between each leg of the bridge; it is not a normal router.
    ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi, yes I understand the rules that need to be set up to allow traffic. The only problem I see with bridge mode is that it limits some functionalities of the Sophos, as explained in the video above.

    Ideally I would like all ports to have the complete functions of the software. It's quite simple: 1 WAN, 7 LANs ... all with internet access, either with fixed or DHCP addresses.

    But still on setting up, let's see what happens.

  • --------------- UPDATE ---------------  

    2x cards are: AXAGON NIX PCIe 2.0, 1Gb/s Ethernet, Realtek RTL8111L, 1xRJ-45 (2 ports)

    2x HP Intel PCIe D28207-006 Dual 1Gb/s Port - UPDATED (4 ports)

    1x Internal Asus Prime B450-PLUS Motherboard 1Gb/s Ethernet Realtek RTL8111H ASUS LAN Guard (1 port)

    1x HP Intel Ethernet I210-T1 1Gb/s NIC (E0X95AA) - UPDATED (1 port)

    Total = 8 PORTS

    --------------- --------------- ---------------

  • OK, the simplest method would be to create a bridge of all the ports you want. I would suggest you first bridge all the other available ports into Br0 and leave the first LAN port you have set up for management; that way, if the system does have any issues setting up the bridge, you don't end up with no access. You can then assign the bridge interface a static IP on its own range, set up a DHCP server, and you should have internet access based on the default rulesets.

  • That's a brilliant idea, will follow that and see where it leads me. I've done about 5 installations today alone, trying things out and losing access to the UI interface.

  • OK, let's update this post after 15 hours working on this.

    Got all ports working (not on the same range, as the bridge did not work, yet), but they all work with the following configuration:

    -----------------------------

    STEP 0: Set each port as IPv4 with a static IP address and subnet mask, i.e. 172.16.17.17 / 255.255.255.0

    STEP 1: Create a DHCP server host with an IP in the range of the port. (In my case I have each port with a static IP address, i.e. 172.16.16.16, 172.16.17.17, 172.16.18.18 ... etc.)

    STEP 2: Create 2x firewall rules, one for inbound DHCP and the other for outbound DHCP. For the inbound one, add the server host created in step 1 to the source networks and devices.

    STEP 3: Look for the "Default SNAT IPv4" rule, where Port2 (LAN) is already present; just edit it and add all the other ports. (Not too sure if this step is necessary, as I could still get some traffic when it was turned off, but it's ON just in case.)

    STEP 4: Go to DHCP and create a new one, just like the "DEFAULT_DHCP_SERVER". In my case I did one for each port, i.e. name: dhcp_port3, Port3 - 172.16.17.17 - range: 172.16.17.18 - 172.16.17.254

    -----------------------------

    That's it, at the moment I've got all ports working. But it wasn't that straightforward. I'll update once I can get them all in the same range talking to each other, let's say to share DLNA or Chromecast across all the ports.

    It's not stable, well at least in my tests; sometimes it doesn't connect straight away (30 seconds to get internet access). Now this I'm not sure about, whether it's the ACPI of the motherboard, although I turn everything to be ON and no standby whatsoever.

    -----------------------------
    What's next: get them all in one IP range. (But this will have to wait, got other projects going on at the same time.) If anyone knows what's going on here, please let me know.
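    The per-port layout from STEP 0 to STEP 4 above, written out as a small checker so the subnets and DHCP scopes can be sanity-checked before they are typed into the firewall. This is an added example, not code from the thread or from Sophos; the Port numbering and the 172.16.N.N/24 scheme follow the post, while the pool bounds and the hypothetical port_plan/check_plan helpers are assumptions.

```python
from ipaddress import IPv4Address, IPv4Interface


def port_plan(port: int, prefixlen: int = 24) -> dict:
    """Constructed to match the post: Port2 = 172.16.16.16/24, Port3 = 172.16.17.17/24, ...
    with a DHCP pool running from the port address + 1 up to .254 (assumed)."""
    octet = 14 + port  # Port2 -> 16, Port3 -> 17, ... Port8 -> 22
    iface = IPv4Interface(f"172.16.{octet}.{octet}/{prefixlen}")
    net = iface.network
    return {
        "name": f"Port{port}",
        "interface": iface,
        "pool_start": iface.ip + 1,
        "pool_end": IPv4Address(int(net.broadcast_address) - 1),
    }


def build_plan(ports=range(2, 9)) -> list:
    """One static port address plus one DHCP scope per LAN port (Port2..Port8)."""
    return [port_plan(n) for n in ports]


def check_plan(plans: list) -> list:
    """Return human-readable problems; an empty list means the plan is consistent.

    Each port is its own broadcast domain here, so hosts on different ports only
    talk to each other through a firewall rule (the DLNA/Chromecast issue above).
    """
    problems = []
    for p in plans:
        net = p["interface"].network
        start, end = p["pool_start"], p["pool_end"]
        if start > end:
            problems.append(f'{p["name"]}: DHCP pool is empty')
        if start not in net or end not in net:
            problems.append(f'{p["name"]}: DHCP pool leaves {net}')
        if start <= p["interface"].ip <= end:
            problems.append(f'{p["name"]}: pool hands out the port address {p["interface"].ip}')
    # A mask that is too wide (the "same and different masking" attempts) makes two
    # port subnets overlap, and the firewall then cannot route between them cleanly.
    for i, a in enumerate(plans):
        for b in plans[i + 1:]:
            na, nb = a["interface"].network, b["interface"].network
            if na.overlaps(nb):
                problems.append(f'{a["name"]} {na} overlaps {b["name"]} {nb}')
    return problems


if __name__ == "__main__":
    for p in build_plan():
        print(p["name"], p["interface"], p["pool_start"], "-", p["pool_end"])
    print(check_plan(build_plan()) or "plan is consistent")
```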

  • Hi,

    before you continue too far, I would like to suggest you investigate using the XG as a router and the functions it has.

    Ian


  • Yes, I have some bids on a 115 and 135 already. Although the new XGS is very appealing, the price is still too high atm.

    Just need to investigate the difference in software. I want to install the home edition software on it. Don't wanna pay a license until I figure out if it's the chosen brand.

  • Home edition software on an XGS will not get you the additional functionality.

    ian


  • alright, I'll continue with the 115 or 135 and do the tests.

  • You should create a bridge interface (that is not the same as using Sophos in bridged mode).

    The bridge interface is a logical interface with an IP address and subnet mask, and it binds multiple physical interfaces together.

    If you first create your normal LAN interface from the wizard, as you have already done, and do not touch the other physical interfaces, then as the next step you can create a bridge interface where you select all ports that need to be bridged together (I suspect you want all ports except the WAN port).

    This way you only need 1 DHCP server for the bridge interface and only 1 interface to set up (the bridge interface).


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Alright, looks simpler than done. I'll try that again. I tried once with LAN1 and LAN3, I lost access to the web interface, and for the life of me, could not get back. Had to re-install.

    But hey, let's try again, I'll update once it's done.

    I remember the interfaces that get bridged disappear, and a new name comes up in the interfaces (with the jointly chosen ones).