Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Unable to use the static IP in Sophos bridge mode

Hello everyone,

I’ve included my home network diagram and Sophos configuration below. After setting up Sophos Home (on ESXi) in bridge mode with VLANs, I assigned a static IP address of 192.168.11.10 to the bridge port. However, this IP address cannot ping the gateway (192.168.11.1), although I can access the web administrator interface from a VM using this IP.

I proceeded to set up the VLAN interfaces. If I use static IPs, my router (RouterOS CHR) cannot detect them or ping the gateways. I can only use DHCP. However, clients (servers, PCs, phones, etc.) can access the internet using either static IP or DHCP, and they can ping the gateway without issues (except for the management VM, cannot ping the gateway).

What could be wrong or missing in my configuration?

I’m a newbie with Sophos and not a professional in networking, so I would greatly appreciate any help you can provide. Thank you very much!

Network diagram:

Bridge interface:

VLAN interfaces:

Rules config:

RouterOS DHCP and ARP table:



Added V20.0 MR2
[edited by: Erick Jan at 3:50 PM (GMT -7) on 2 Sep 2024]
  • Hello,

    Thank you for contacting Sophos Community!

    The Firewall bridge port IP (192.168.11.5) and Mikrotik router IP as 192.168.11.1. As these belongs to same range, it should be reachable without any additional configuration.

    I suggest collecting the tcpdump on gateway IP while initiating the ping from the firewall. Login to the CLI of the firewall and go to option number 5 and 3. Use the below commands simultaneously.

    #tcpdump -nei any host 192.168.11.1
    #ping 192.168.11.1

    We may receive number of traffic but that can be filtered. Kindly make sure that you saves the putty session output for the tcpdump command to validate each packet going out and coming in.

    Mayur Makvana
    Technical Account Manager | Global Customer Experience

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question please use the 'Verify Answer' button.

  • Hello Mayur,

    Thank you for your reply. The output results are shown below. Please help me check them (the MAC addresses have been edited):

    SFVH_SO01_SFOS 20.0.2 MR-2-Build378# tcpdump -nei any host 192.168.11.1         
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode      
    listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 byt
    es                                                                              
    22:14:20.169166 br0, OUT: Out xx:yy:zz:aa:bb:cc ethertype ARP (0x0806), length 4
    4: Request who-has 192.168.11.1 tell 192.168.11.5, length 28                    
    22:14:20.169187 Port2, OUT: Out xx:yy:zz:aa:bb:cc ethertype ARP (0x0806), length
     44: Request who-has 192.168.11.1 tell 192.168.11.5, length 28                  
    22:14:20.169223 Port1, OUT: Out xx:yy:zz:aa:bb:cc ethertype ARP (0x0806), length
     44: Request who-has 192.168.11.1 tell 192.168.11.5, length 28                  
    22:14:20.810432 Port1, IN:   B aa:bb:cc:xx:yy:zz ethertype ARP (0x0806), length 
    62: Request who-has 192.168.11.1 tell 192.168.11.11, length 46                  
    22:14:20.810448 Port2, OUT: Out aa:bb:cc:xx:yy:zz ethertype ARP (0x0806), length
     62: Request who-has 192.168.11.1 tell 192.168.11.11, length 46                 
    22:14:20.810463 br0, IN:   B aa:bb:cc:xx:yy:zz ethertype ARP (0x0806), length 62
    : Request who-has 192.168.11.1 tell 192.168.11.11, length 46                    
    22:14:21.181240 br0, OUT: Out xx:yy:zz:aa:bb:cc ethertype ARP (0x0806), length 4
    4: Request who-has 192.168.11.1 tell 192.168.11.5, length 28                    
    22:14:21.181260 Port2, OUT: Out xx:yy:zz:aa:bb:cc ethertype ARP (0x0806), length
     44: Request who-has 192.168.11.1 tell 192.168.11.5, length 28                  
    22:14:21.181280 Port1, OUT: Out xx:yy:zz:aa:bb:cc ethertype ARP (0x0806), length
     44: Request who-has 192.168.11.1 tell 192.168.11.5, length 28                  
    22:14:21.461183 Port1, IN:   B aa:bb:cc:xx:yy:zz ethertype ARP (0x0806), length 
    62: Request who-has 192.168.11.1 tell 192.168.11.11, length 46                  
    22:14:21.461200 Port2, OUT: Out aa:bb:cc:xx:yy:zz ethertype ARP (0x0806), length
     62: Request who-has 192.168.11.1 tell 192.168.11.11, length 46                 
    22:14:21.461214 br0, IN:   B aa:bb:cc:xx:yy:zz ethertype ARP (0x0806), length 62
    : Request who-has 192.168.11.1 tell 192.168.11.11, length 46                    
    22:14:22.205226 br0, OUT: Out xx:yy:zz:aa:bb:cc ethertype ARP (0x0806), length 4
    4: Request who-has 192.168.11.1 tell 192.168.11.5, length 28                    
    22:14:22.205238 Port2, OUT: Out xx:yy:zz:aa:bb:cc ethertype ARP (0x0806), length
     44: Request who-has 192.168.11.1 tell 192.168.11.5, length 28                  
    22:14:22.205254 Port1, OUT: Out xx:yy:zz:aa:bb:cc ethertype ARP (0x0806), length
     44: Request who-has 192.168.11.1 tell 192.168.11.5, length 28                  
    22:14:22.463840 Port1, IN:   B aa:bb:cc:xx:yy:zz ethertype ARP (0x0806), length 
    62: Request who-has 192.168.11.1 tell 192.168.11.11, length 46                  
    22:14:22.463857 Port2, OUT: Out aa:bb:cc:xx:yy:zz ethertype ARP (0x0806), length
     62: Request who-has 192.168.11.1 tell 192.168.11.11, length 46                 
    22:14:22.463871 br0, IN:   B aa:bb:cc:xx:yy:zz ethertype ARP (0x0806), length 62
    : Request who-has 192.168.11.1 tell 192.168.11.11, length 46                    
    22:14:23.577397 br0, OUT: Out xx:yy:zz:aa:bb:cc ethertype ARP (0x0806), length 4
    4: Request who-has 192.168.11.1 tell 192.168.11.5, length 28                    
    22:14:23.577406 Port2, OUT: Out xx:yy:zz:aa:bb:cc ethertype ARP (0x0806), length
     44: Request who-has 192.168.11.1 tell 192.168.11.5, length 28                  
    22:14:23.577420 Port1, OUT: Out xx:yy:zz:aa:bb:cc ethertype ARP (0x0806), length
     44: Request who-has 192.168.11.1 tell 192.168.11.5, length 28                  
    22:14:23.818623 Port1, IN:   B aa:bb:cc:xx:yy:zz ethertype ARP (0x0806), length 
    62: Request who-has 192.168.11.1 tell 192.168.11.11, length 46                  
    22:14:23.818639 Port2, OUT: Out aa:bb:cc:xx:yy:zz ethertype ARP (0x0806), length
     62: Request who-has 192.168.11.1 tell 192.168.11.11, length 46                 
    22:14:23.818653 br0, IN:   B aa:bb:cc:xx:yy:zz ethertype ARP (0x0806), length 62
    : Request who-has 192.168.11.1 tell 192.168.11.11, length 46                    
    22:14:24.469220 Port1, IN:   B aa:bb:cc:xx:yy:zz ethertype ARP (0x0806), length 
    62: Request who-has 192.168.11.1 tell 192.168.11.11, length 46                  
    22:14:24.469234 Port2, OUT: Out aa:bb:cc:xx:yy:zz ethertype ARP (0x0806), length
     62: Request who-has 192.168.11.1 tell 192.168.11.11, length 46                 
    22:14:24.469247 br0, IN:   B aa:bb:cc:xx:yy:zz ethertype ARP (0x0806), length 62
    : Request who-has 192.168.11.1 tell 192.168.11.11, length 46                    
    22:14:24.605246 br0, OUT: Out xx:yy:zz:aa:bb:cc ethertype ARP (0x0806), length 4
    4: Request who-has 192.168.11.1 tell 192.168.11.5, length 28                    
    22:14:24.605257 Port2, OUT: Out xx:yy:zz:aa:bb:cc ethertype ARP (0x0806), length
     44: Request who-has 192.168.11.1 tell 192.168.11.5, length 28                  
    22:14:24.605276 Port1, OUT: Out xx:yy:zz:aa:bb:cc ethertype ARP (0x0806), length
     44: Request who-has 192.168.11.1 tell 192.168.11.5, length 28                  
    22:14:25.472120 Port1, IN:   B aa:bb:cc:xx:yy:zz ethertype ARP (0x0806), length 
    62: Request who-has 192.168.11.1 tell 192.168.11.11, length 46                  
    22:14:25.472143 Port2, OUT: Out aa:bb:cc:xx:yy:zz ethertype ARP (0x0806), length
     62: Request who-has 192.168.11.1 tell 192.168.11.11, length 46                 
    22:14:25.472156 br0, IN:   B aa:bb:cc:xx:yy:zz ethertype ARP (0x0806), length 62
    : Request who-has 192.168.11.1 tell 192.168.11.11, length 46                    
    22:14:25.629238 br0, OUT: Out xx:yy:zz:aa:bb:cc ethertype ARP (0x0806), length 4
    4: Request who-has 192.168.11.1 tell 192.168.11.5, length 28                    
    22:14:25.629249 Port2, OUT: Out xx:yy:zz:aa:bb:cc ethertype ARP (0x0806), length
     44: Request who-has 192.168.11.1 tell 192.168.11.5, length 28                  
    22:14:25.629267 Port1, OUT: Out xx:yy:zz:aa:bb:cc ethertype ARP (0x0806), length
     44: Request who-has 192.168.11.1 tell 192.168.11.5, length 28                  
    ??^C                                                                            
    36 packets captured                                                             
    36 packets received by filter                                                   
    0 packets dropped by kernel                                                     
    SFVH_SO01_SFOS 20.0.2 MR-2-Build378# ping 192.168.11.1                          
    PING 192.168.11.1 (192.168.11.1): 56 data bytes                                 
    ??^C                                                                            
    --- 192.168.11.1 ping statistics ---                                            
    8 packets transmitted, 0 packets received, 100% packet loss                     
    SFVH_SO01_SFOS 20.0.2 MR-2-Build378# 

  • Updated:

    Dear all,

    I have found the root cause: the IP gateway addresses were incorrectly configured on RouterOS and Sophos. When I configured the bridge IP, I entered the gateway as 192.168.11.1 on Sophos. However, this IP was incorrect. I tried using 192.168.11.2 instead, and it worked.

    Thanks Sophos Community, Mayur for your help. I appreciate it.

  • Hello,

    Thank you for sharing the insight! 

    Mayur Makvana
    Technical Account Manager | Global Customer Experience

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question please use the 'Verify Answer' button.