
Sophos Firewall Home Edition v20 with Sky ISP - DHCP Issue on WAN interface

Hi.

I am having what seems like a very basic issue getting my WAN connection connected to Sophos Home Firewall version 20. I'm hoping someone can help?

I've found various posts regarding this over the years but am still unclear exactly why it's still an issue, and why it's not been resolved, so thought I'd post with as much info as possible to see what I've missed, as I'm sure there must be a fix?

Notes:
This configuration works fine with pfsense and opnsense using Sky ISP, so I would expect this to work with Sophos (or my expectations of Sophos are too high).

1. If I connect the WAN interface to my TP-Link modem, which is in bridge mode, it will not obtain an IP address from Sky's (ISP) DHCP (note again, this works fine with pfsense and opnsense).

2. If I put the dsl line into my Sky router and let it obtain an IP address, and then instantly move that line into my TP-Link modem attached to the WAN interface of Sophos, it uses the WAN IP and works perfectly for 24 hours, until Sky (ISP) sends a DHCP renewal request / the lease expires, which then fails and the WAN connection drops.

3. If I repeat step 2, I can obtain a new IP and Sophos will work again for another 24 hours.

From what I've read on this so far, it seems to be related to "DHCP Option 61" being required on the WAN interface to obtain the IP.

I've seen older posts suggesting to edit files in the var/chroot-xxx directory, which no longer exists, and through all my attempts trying other hardware, I cannot get this to work with Sky ISP / VDSL2, but it being one of the country's largest ISPs, I'm adamant on getting it to work.

Has anyone else faced this issue with Sky ISP UK?

Thanks in advance!



Added TAGs
[edited by: Raphael Alganes at 5:23 AM (GMT -8) on 13 Feb 2024]
  • Hi,

    I suspect the issue is Sky appears to use VLAN 10 for its device access? What type of connection are you using, PPPoE or IPoE? Finding the settings is a bit of a challenge.

    Iam

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks for the response. Sky use VLAN 101, which I've set at the modem, which is in bridge mode and connects to the ISP (this config works fine with pfsense and opnsense; both obtain a WAN IP via DHCP). Sophos should then get the WAN IP via DHCP, which is the part that fails.

    I may be way off as I'm unsure of the exact cause, but it's potentially related to the client identifier, which loops back to the "DHCP Option 61" settings I've seen mentioned in older posts, so it doesn't look like I'm alone. I just can't find anything on how people got this working on more current versions.

    Source:
    datatracker.ietf.org/.../rfc2132

    I'm wondering, is there anyone out there who is using Sky ISP with Sophos without any issues?

    I've also seen the following link, but surely it's not only compatible with IDNet?
    https://support.sophos.com/support/s/article/KB-000038812?language=en_US

    As I can get Sophos working for 24 hours with my "workaround", I'm sure it's just something to do with the DHCP on the WAN interface causing the issue, but stuck on where to look next.

  • Thanks for your response. Sky uses VLAN 101, which is set on the modem and connects OK on the modem. Sophos should just pick up an IP from Sky, which is issued by DHCP from Sky. This is what seems to fail with Sophos, as if I use my Sky router to obtain the IP and then attach the DSL to my TP-Link modem attached to the Sophos WAN interface, it will hold the IP for 24 hours.

    I may be well off on this, but from what I've read on other posts, it could be related to the Client-Identifier:

    9.14. Client-identifier
    
       This option is used by DHCP clients to specify their unique
       identifier.  DHCP servers use this value to index their database of
       address bindings.  This value is expected to be unique for all
       clients in an administrative domain.
    
       Identifiers SHOULD be treated as opaque objects by DHCP servers.
    
       The client identifier MAY consist of type-value pairs similar to the
       'htype'/'chaddr' fields defined in [3]. For instance, it MAY consist
       of a hardware type and hardware address. In this case the type field
       SHOULD be one of the ARP hardware types defined in STD2 [22].  A
       hardware type of 0 (zero) should be used when the value field
       contains an identifier other than a hardware address (e.g. a fully
       qualified domain name).
    
       For correct identification of clients, each client's client-
       identifier MUST be unique among the client-identifiers used on the
       subnet to which the client is attached.  Vendors and system
       administrators are responsible for choosing client-identifiers that
       meet this requirement for uniqueness.
    
       The code for this option is 61, and its minimum length is 2.
    
       Code   Len   Type  Client-Identifier
       +-----+-----+-----+-----+-----+---
       |  61 |  n  |  t1 |  i1 |  i2 | ...
       +-----+-----+-----+-----+-----+---

    What I'm trying to understand is why Sophos won't obtain a WAN IP with DHCP but pfsense and opnsense do without any extra config, but as Sophos is superior in every aspect, I really would like to get it working with my ISP.

    I'm curious to know if there is anyone out there who does have this working with Sky UK home broadband. I see it's supported by "IDNET", which use the same Openreach lines that Sky use, so in my mind, this should work with Sky.

    Thanks!
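The Option 61 layout quoted in the RFC excerpt above, as an added Python example that is not from this thread or from Sophos: it builds a client-identifier in the code/len/type/value form, and walks a DHCP options field (pad and end options included) to pull it back out, which is what a DHCP server keys its lease database on. The MAC address and options buffer are constructed sample values.

```python
# Added example (not from this thread or from Sophos): build and parse the
# DHCP Option 61 (Client-identifier) layout from RFC 2132 section 9.14
# and locate it in a DHCP options field. All sample values are constructed.
OPT_PAD, OPT_END, OPT_CLIENT_ID = 0, 255, 61
HTYPE_OTHER, HTYPE_ETHERNET = 0, 1   # ARP hardware types per the RFC

def encode_client_id(htype: int, ident: bytes) -> bytes:
    """Wire form: code 61, length n, type byte t1, identifier bytes i1..."""
    if not 0 <= htype <= 255:
        raise ValueError("hardware type must fit in one byte")
    if not ident:
        raise ValueError("identifier must not be empty (min length is 2)")
    body = bytes([htype]) + ident
    if len(body) > 255:
        raise ValueError("identifier too long for a single option")
    return bytes([OPT_CLIENT_ID, len(body)]) + body

def mac_client_id(mac: str) -> bytes:
    """Identifier built from an Ethernet MAC, the usual router default."""
    return encode_client_id(HTYPE_ETHERNET, bytes.fromhex(mac.replace(":", "")))

def parse_options(buf: bytes) -> dict:
    """Walk a DHCP options field into {code: value}, honouring pad and end."""
    out, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(buf):
            raise ValueError("truncated option header")
        n = buf[i + 1]
        val = buf[i + 2:i + 2 + n]
        if len(val) != n:
            raise ValueError("option %d runs past end of buffer" % code)
        out[code] = val
        i += 2 + n
    return out

def client_id_from_options(buf: bytes):
    """Return (htype, identifier) for option 61, or None when absent."""
    raw = parse_options(buf).get(OPT_CLIENT_ID)
    if raw is None:
        return None
    if len(raw) < 2:
        raise ValueError("option 61 shorter than its minimum length of 2")
    return raw[0], raw[1:]

# Constructed sample: option 53 (DHCPDISCOVER) + option 61 from a MAC + end.
SAMPLE = bytes([53, 1, 1]) + mac_client_id("00:11:22:33:44:55") + bytes([OPT_END])
```

Because the server indexes leases by this value, a WAN device that sends a different identifier (or none) from the one the ISP's router used will look like a new client to the ISP, which is one reason a lease obtained by one device may not renew cleanly on another.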

  • After spending a fair few hours testing various things, I've finally found a solution which works. Although it's not the design I started out with, it does the job perfectly.

    I don't believe this is a limitation with Sophos as I first thought, but rather with my ISP (Sky UK). I've had to use the original Sky router (SR203) with a DMZ to my Sophos VM. After pen testing, there are no network leaks and everything is working great!

    If anyone is looking to use Sophos with Sky ISP, reply to this and I'll provide a guide, but in a nutshell: set your router to a different subnet / IP range to Sophos, DMZ the WAN to the Sophos WAN NIC, and disable all of the Sky router's security features, DHCP etc. (I did leave wifi on to use as an access point, which works perfectly too, as DHCP is disabled on the Sky router).

    Hope this helps anyone who's been facing the same issue!