Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Verified Answer
  • Replies 4 replies
  • Subscribers 39 subscribers
  • Views 1174 views
  • Users 0 members are here
Options
Suggested

Unable to use the static IP in Sophos bridge mode

Anh Dung Nguyen

Hello everyone,

I’ve included my home network diagram and Sophos configuration below. After setting up Sophos Home (on ESXi) in bridge mode with VLANs, I assigned a static IP address of 192.168.11.10 to the bridge port. However, this IP address cannot ping the gateway (192.168.11.1), although I can access the web administrator interface from a VM using this IP.

I proceeded to set up the VLAN interfaces. If I use static IPs, my router (RouterOS CHR) cannot detect them or ping the gateways. I can only use DHCP. However, clients (servers, PCs, phones, etc.) can access the internet using either static IP or DHCP, and they can ping the gateway without issues (except for the management VM, cannot ping the gateway).

What could be wrong or missing in my configuration?

I’m a newbie with Sophos and not a professional in networking, so I would greatly appreciate any help you can provide. Thank you very much!

Network diagram:

Bridge interface:

VLAN interfaces:

Rules config:

RouterOS DHCP and ARP table:



Added V20.0 MR2
[edited by: Erick Jan at 3:50 PM (GMT -7) on 2 Sep 2024]
  • +1

    Hello,

    Thank you for contacting Sophos Community!

    The Firewall bridge port IP (192.168.11.5) and Mikrotik router IP as 192.168.11.1. As these belongs to same range, it should be reachable without any additional configuration.

    I suggest collecting the tcpdump on gateway IP while initiating the ping from the firewall. Login to the CLI of the firewall and go to option number 5 and 3. Use the below commands simultaneously.

    #tcpdump -nei any host 192.168.11.1
    #ping 192.168.11.1

    We may receive number of traffic but that can be filtered. Kindly make sure that you saves the putty session output for the tcpdump command to validate each packet going out and coming in.

    Mayur Makvana
    Technical Account Manager | Sophos Technical Support
    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to Mayur Makvana

    Hello Mayur,

    Thank you for your reply. The output results are shown below. Please help me check them (the MAC addresses have been edited):

    SFVH_SO01_SFOS 20.0.2 MR-2-Build378# tcpdump -nei any host 192.168.11.1         
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode      
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 byt
es                                                                              
22:14:20.169166 br0, OUT: Out xx:yy:zz:aa:bb:cc ethertype ARP (0x0806), length 4
4: Request who-has 192.168.11.1 tell 192.168.11.5, length 28                    
22:14:20.169187 Port2, OUT: Out xx:yy:zz:aa:bb:cc ethertype ARP (0x0806), length
 44: Request who-has 192.168.11.1 tell 192.168.11.5, length 28                  
22:14:20.169223 Port1, OUT: Out xx:yy:zz:aa:bb:cc ethertype ARP (0x0806), length
 44: Request who-has 192.168.11.1 tell 192.168.11.5, length 28                  
22:14:20.810432 Port1, IN:   B aa:bb:cc:xx:yy:zz ethertype ARP (0x0806), length 
62: Request who-has 192.168.11.1 tell 192.168.11.11, length 46                  
22:14:20.810448 Port2, OUT: Out aa:bb:cc:xx:yy:zz ethertype ARP (0x0806), length
 62: Request who-has 192.168.11.1 tell 192.168.11.11, length 46                 
22:14:20.810463 br0, IN:   B aa:bb:cc:xx:yy:zz ethertype ARP (0x0806), length 62
: Request who-has 192.168.11.1 tell 192.168.11.11, length 46                    
22:14:21.181240 br0, OUT: Out xx:yy:zz:aa:bb:cc ethertype ARP (0x0806), length 4
4: Request who-has 192.168.11.1 tell 192.168.11.5, length 28                    
22:14:21.181260 Port2, OUT: Out xx:yy:zz:aa:bb:cc ethertype ARP (0x0806), length
 44: Request who-has 192.168.11.1 tell 192.168.11.5, length 28                  
22:14:21.181280 Port1, OUT: Out xx:yy:zz:aa:bb:cc ethertype ARP (0x0806), length
 44: Request who-has 192.168.11.1 tell 192.168.11.5, length 28                  
22:14:21.461183 Port1, IN:   B aa:bb:cc:xx:yy:zz ethertype ARP (0x0806), length 
62: Request who-has 192.168.11.1 tell 192.168.11.11, length 46                  
22:14:21.461200 Port2, OUT: Out aa:bb:cc:xx:yy:zz ethertype ARP (0x0806), length
 62: Request who-has 192.168.11.1 tell 192.168.11.11, length 46                 
22:14:21.461214 br0, IN:   B aa:bb:cc:xx:yy:zz ethertype ARP (0x0806), length 62
: Request who-has 192.168.11.1 tell 192.168.11.11, length 46                    
22:14:22.205226 br0, OUT: Out xx:yy:zz:aa:bb:cc ethertype ARP (0x0806), length 4
4: Request who-has 192.168.11.1 tell 192.168.11.5, length 28                    
22:14:22.205238 Port2, OUT: Out xx:yy:zz:aa:bb:cc ethertype ARP (0x0806), length
 44: Request who-has 192.168.11.1 tell 192.168.11.5, length 28                  
22:14:22.205254 Port1, OUT: Out xx:yy:zz:aa:bb:cc ethertype ARP (0x0806), length
 44: Request who-has 192.168.11.1 tell 192.168.11.5, length 28                  
22:14:22.463840 Port1, IN:   B aa:bb:cc:xx:yy:zz ethertype ARP (0x0806), length 
62: Request who-has 192.168.11.1 tell 192.168.11.11, length 46                  
22:14:22.463857 Port2, OUT: Out aa:bb:cc:xx:yy:zz ethertype ARP (0x0806), length
 62: Request who-has 192.168.11.1 tell 192.168.11.11, length 46                 
22:14:22.463871 br0, IN:   B aa:bb:cc:xx:yy:zz ethertype ARP (0x0806), length 62
: Request who-has 192.168.11.1 tell 192.168.11.11, length 46                    
22:14:23.577397 br0, OUT: Out xx:yy:zz:aa:bb:cc ethertype ARP (0x0806), length 4
4: Request who-has 192.168.11.1 tell 192.168.11.5, length 28                    
22:14:23.577406 Port2, OUT: Out xx:yy:zz:aa:bb:cc ethertype ARP (0x0806), length
 44: Request who-has 192.168.11.1 tell 192.168.11.5, length 28                  
22:14:23.577420 Port1, OUT: Out xx:yy:zz:aa:bb:cc ethertype ARP (0x0806), length
 44: Request who-has 192.168.11.1 tell 192.168.11.5, length 28                  
22:14:23.818623 Port1, IN:   B aa:bb:cc:xx:yy:zz ethertype ARP (0x0806), length 
62: Request who-has 192.168.11.1 tell 192.168.11.11, length 46                  
22:14:23.818639 Port2, OUT: Out aa:bb:cc:xx:yy:zz ethertype ARP (0x0806), length
 62: Request who-has 192.168.11.1 tell 192.168.11.11, length 46                 
22:14:23.818653 br0, IN:   B aa:bb:cc:xx:yy:zz ethertype ARP (0x0806), length 62
: Request who-has 192.168.11.1 tell 192.168.11.11, length 46                    
22:14:24.469220 Port1, IN:   B aa:bb:cc:xx:yy:zz ethertype ARP (0x0806), length 
62: Request who-has 192.168.11.1 tell 192.168.11.11, length 46                  
22:14:24.469234 Port2, OUT: Out aa:bb:cc:xx:yy:zz ethertype ARP (0x0806), length
 62: Request who-has 192.168.11.1 tell 192.168.11.11, length 46                 
22:14:24.469247 br0, IN:   B aa:bb:cc:xx:yy:zz ethertype ARP (0x0806), length 62
: Request who-has 192.168.11.1 tell 192.168.11.11, length 46                    
22:14:24.605246 br0, OUT: Out xx:yy:zz:aa:bb:cc ethertype ARP (0x0806), length 4
4: Request who-has 192.168.11.1 tell 192.168.11.5, length 28                    
22:14:24.605257 Port2, OUT: Out xx:yy:zz:aa:bb:cc ethertype ARP (0x0806), length
 44: Request who-has 192.168.11.1 tell 192.168.11.5, length 28                  
22:14:24.605276 Port1, OUT: Out xx:yy:zz:aa:bb:cc ethertype ARP (0x0806), length
 44: Request who-has 192.168.11.1 tell 192.168.11.5, length 28                  
22:14:25.472120 Port1, IN:   B aa:bb:cc:xx:yy:zz ethertype ARP (0x0806), length 
62: Request who-has 192.168.11.1 tell 192.168.11.11, length 46                  
22:14:25.472143 Port2, OUT: Out aa:bb:cc:xx:yy:zz ethertype ARP (0x0806), length
 62: Request who-has 192.168.11.1 tell 192.168.11.11, length 46                 
22:14:25.472156 br0, IN:   B aa:bb:cc:xx:yy:zz ethertype ARP (0x0806), length 62
: Request who-has 192.168.11.1 tell 192.168.11.11, length 46                    
22:14:25.629238 br0, OUT: Out xx:yy:zz:aa:bb:cc ethertype ARP (0x0806), length 4
4: Request who-has 192.168.11.1 tell 192.168.11.5, length 28                    
22:14:25.629249 Port2, OUT: Out xx:yy:zz:aa:bb:cc ethertype ARP (0x0806), length
 44: Request who-has 192.168.11.1 tell 192.168.11.5, length 28                  
22:14:25.629267 Port1, OUT: Out xx:yy:zz:aa:bb:cc ethertype ARP (0x0806), length
 44: Request who-has 192.168.11.1 tell 192.168.11.5, length 28                  
??^C                                                                            
36 packets captured                                                             
36 packets received by filter                                                   
0 packets dropped by kernel                                                     
SFVH_SO01_SFOS 20.0.2 MR-2-Build378# ping 192.168.11.1                          
PING 192.168.11.1 (192.168.11.1): 56 data bytes                                 
??^C                                                                            
--- 192.168.11.1 ping statistics ---                                            
8 packets transmitted, 0 packets received, 100% packet loss                     
SFVH_SO01_SFOS 20.0.2 MR-2-Build378#

  • +1 in reply to Mayur Makvana

    Updated:

    Dear all,

    I have found the root cause: the IP gateway addresses were incorrectly configured on RouterOS and Sophos. When I configured the bridge IP, I entered the gateway as 192.168.11.1 on Sophos. However, this IP was incorrect. I tried using 192.168.11.2 instead, and it worked.

    Thanks Sophos Community, Mayur for your help. I appreciate it.

  • 0 in reply to Anh Dung Nguyen

    Hello,

    Thank you for sharing the insight! 

    Mayur Makvana
    Technical Account Manager | Sophos Technical Support
    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question please use the 'Verify Answer' button.

Unfiltered HTML