Bridge needs firewall rules, or not?

I had our Sophos XG87 configured by our reseller when we bought it, since I knew nothing about how to do it properly. I've learned a lot and have changed quite a few things, but want to make a foundational change that will require destroying several things and rebuilding differently, and I want to make sure I'm not crazy before I start. (I'll, of course, back up my configuration and fall back to it if necessary, but unfortunately I'll have a small daytime window to make the change, and so I just want to sanity-check my approach first.)

Currently, Port1 and Port4 are bridged, known as LAN_Bridge. Port1 and Port4 are also in the LAN Zone. Port1 has a Sophos AP with four SSIDs: three of them go into their own VLANs (LAN_Bridge.10, etc.), and the fourth is bridged into the AP's LAN, which is of course the LAN_Bridge bridge. This works out well because on Port4 is a print/backup server that uses Bonjour (mDNS) to advertise its services, and since it's on LAN_Bridge, all of the wireless devices bridged to the LAN_Bridge bridge communicate perfectly. I don't have or need "Enable routing on this bridged pair" checked for LAN_Bridge. I do have a LAN Zone - LAN Zone firewall rule, which I think is necessary overall, but broadcasts aren't routed -- is that correct?

So, the important factor of the current setup is that mDNS broadcasts from Port4 are seen on Port1's fourth, bridged-in SSID and everything works like one happy subnet.

But I'm thinking that maybe I should have the AP itself segregated from all of the traffic it carries, so maybe the fourth SSID should also go into a VLAN as well.

I'm thinking this will require destroying the current LAN_Bridge and the current VLANs and doing them over. After destroying them, I'd set up the VLANs directly on Port1 (Port1.10, Port1.20, Port1.30, etc., and the new Port1.100). Then I'd bridge Port4 and Port1.100 into the NEW LAN_Bridge, with both of those ports being in the LAN Zone, meaning no firewall changes. I would also be able to leave the existing DHCP server for LAN_Bridge untouched and it would serve the NEW LAN_Bridge -- meaning the fourth SSID on Port1 and also Port4.

And everything would work perfectly, right? Broadcasts on Port4 would be seen on Port1.100 and all the wireless folks would still have a printer via mDNS. Right?

Or does a bridge with a Port and a VLAN in it not quite work the same way as a bridge with two Ports in it? (But still be called a "bridge", and maybe require "Enable routing on this bridge pair" or something else tricky?) I could try a diagram if the wording is too dense.

  • A Bridge needs a firewall rule. Generally speaking, if something crosses the subsystem, you need to allow it. 

    But SFOS does not support Bonjour (AirPrint) across VLANs. A VLAN is a broadcast domain, and SFOS does not forward Multicast packets like mDNS to other VLANs.

    You could look into tools like this to solve this: https://avahi.org/ 

  • It would be so cool if SFOS would support mDNS/Bonjour with helpers like in Sonicwall. In one location we bought a Sonicwall cluster just to have that simple feature in a secure manner.

    Home control, multimedia (also in professional environments), printing etc. - more and more stuff is managed using those protocols, especially when you have "smart"phone apps that do not allow addressing devices by IP, only by broadcast detection.

  • Agreed, this would make my life simpler. Part of the trickiness of my network reorg is to bridge a Port and a VLAN together so that the print/backup server (on the port) can mDNS with the many clients (on the VLAN, which corresponds to an SSID on which the machines that can print or backup all reside).

    As far as I can tell, two approaches are possible: 1) a reflector like Avahi (or whatever it's called), 2) having the DNS server listen to mDNS and create/update DNS records. The first option is easier, in that the clients do all of the work, though it's more useful for a small network that consists of spokes and the router is the hub and just reflects mDNS traffic across one or more of its ports. It's simpler for the router, in that it's stateless (for the router).

    The second approach would work on a larger network and is probably the more correct way to do it. But I'm a small network, so either solution would work for me. As you say, in the modern era, lots of utility devices (printers, scanners, backup, etc) are mDNS-based, and mDNS seems more philosophically aligned with IPv6 than static DNS. (Unless you have a much more-advanced DNS environment than I do.)
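The second approach above (a DNS server that listens to mDNS on the printer's segment and publishes what it hears as ordinary unicast records) comes down to decoding mDNS service announcements, which use the DNS wire format with compression pointers and one mDNS-only twist, the cache-flush bit in the class field. The following is an added example written for this thread, not code from the discussion, from Sophos or from Avahi: it builds a constructed announcement for a made-up "Office Printer" at "printer.local" / 192.168.1.50, decodes it the way a reflector or DNS updater would, and rewrites the records into an assumed unicast zone "lan.example." (all names and addresses are constructed for the example). A real listener would receive these bytes from the multicast group and port named in the constants.

```python
"""Decode an mDNS service announcement and render it as unicast DNS records.

Added example for the "DNS server listens to mDNS" approach; not code from
Sophos or from the thread. The announcement, printer name, printer.local,
192.168.1.50 and the zone name lan.example. are all constructed/assumed.
"""
import struct

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353    # where IPv4 mDNS announcements arrive (RFC 6762)
TYPE_A, TYPE_PTR, TYPE_TXT, TYPE_SRV = 1, 12, 16, 33
CACHE_FLUSH = 0x8000                           # mDNS-only bit in the class field; not valid in unicast DNS


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def pointer(off):
    """Compression pointer (0xC000 | offset) to a name already present in the packet."""
    return struct.pack("!H", 0xC000 | off)


def build_announcement():
    """Constructed mDNS response: PTR, SRV, TXT and A records for an _ipp._tcp printer.
    Uses compression pointers so the parser must follow them, as with real packets."""
    pkt = bytearray(struct.pack("!HHHHHH", 0, 0x8400, 0, 4, 0, 0))  # QR=1, AA=1, 4 answers
    service_off = len(pkt)
    pkt += encode_name("_ipp._tcp.local")
    local_off = service_off + 5 + 5                 # the "local" label follows "_ipp" and "_tcp"
    instance = bytes([14]) + b"Office Printer" + pointer(service_off)
    pkt += struct.pack("!HHIH", TYPE_PTR, 1, 4500, len(instance))
    instance_off = len(pkt)
    pkt += instance
    target = bytes([7]) + b"printer" + pointer(local_off)
    srv = struct.pack("!HHH", 0, 0, 631) + target   # priority, weight, port 631 (IPP)
    pkt += pointer(instance_off) + struct.pack("!HHIH", TYPE_SRV, CACHE_FLUSH | 1, 120, len(srv))
    target_off = len(pkt) + 6
    pkt += srv
    txt = b"".join(bytes([len(s)]) + s.encode() for s in ("txtvers=1", "rp=ipp/print"))
    pkt += pointer(instance_off) + struct.pack("!HHIH", TYPE_TXT, CACHE_FLUSH | 1, 4500, len(txt)) + txt
    pkt += pointer(target_off) + struct.pack("!HHIH", TYPE_A, CACHE_FLUSH | 1, 120, 4) + bytes([192, 168, 1, 50])
    return bytes(pkt)


def read_name(pkt, off):
    """Decode a possibly compressed name; return (name, offset just after it in the packet)."""
    labels, end, hops = [], None, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                   # pointer: jump, but remember where we were
            end = end if end is not None else off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("utf-8"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_records(pkt):
    """Parse every resource record of an mDNS response into (name, ttl, type, value, cache_flush)."""
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    off, records = 12, []
    for _ in range(qd):                             # skip any question section
        _, off = read_name(pkt, off)
        off += 4
    for _ in range(an + ns + ar):
        name, off = read_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata, rdata_off = pkt[off:off + rdlen], off
        off += rdlen
        if rtype == TYPE_A:
            value = ".".join(str(b) for b in rdata)
        elif rtype == TYPE_PTR:
            value = read_name(pkt, rdata_off)[0]    # names inside rdata may point back into the packet
        elif rtype == TYPE_SRV:
            prio, weight, port = struct.unpack("!HHH", rdata[:6])
            value = f"{prio} {weight} {port} {read_name(pkt, rdata_off + 6)[0]}"
        elif rtype == TYPE_TXT:
            strings, i = [], 0
            while i < len(rdata):
                strings.append(rdata[i + 1:i + 1 + rdata[i]].decode("utf-8"))
                i += 1 + rdata[i]
            value = " ".join(f'"{s}"' for s in strings)
        else:
            value = rdata.hex()
        records.append((name, ttl, rtype, value, bool(rclass & CACHE_FLUSH)))
    return records


def to_unicast_zone(records, mdns_domain="local.", unicast_domain="lan.example."):
    """Rewrite .local names into the (assumed) unicast zone and emit master-file lines.
    The class is always written as IN: the cache-flush bit has no meaning in unicast DNS."""
    type_names = {TYPE_A: "A", TYPE_PTR: "PTR", TYPE_SRV: "SRV", TYPE_TXT: "TXT"}

    def rename(n):
        if n.endswith("." + mdns_domain) or n == mdns_domain:
            n = n[:-len(mdns_domain)] + unicast_domain
        return n.replace(" ", "\\ ")                # instance names may contain spaces; escape them

    lines = []
    for name, ttl, rtype, value, _flush in records:
        if rtype == TYPE_PTR:
            value = rename(value)
        elif rtype == TYPE_SRV:
            fields, target = value.rsplit(" ", 1)
            value = f"{fields} {rename(target)}"
        lines.append(f"{rename(name)} {ttl} IN {type_names.get(rtype, 'TYPE' + str(rtype))} {value}")
    return lines


if __name__ == "__main__":
    for line in to_unicast_zone(parse_records(build_announcement())):
        print(line)
```

The rename step is what makes the difference between the two approaches visible: a reflector simply re-emits the bytes onto another segment and leaves the `.local` names alone, while a DNS updater has to carry the PTR, SRV and A records into a zone it is authoritative for and drop the mDNS-only cache-flush bit, since unicast resolvers would reject the class value. The TTLs are kept as announced; the printer will refresh them on its own segment, so the updater needs to expire records it stops hearing.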