How to configure a bridge?

Hello!!

In my home network, I have a mini PC with two ports running Proxmox and a virtualized Sophos Firewall Home Edition.

I have purchased a mini PC with four ports to replace the one I currently have. While I wait for it to arrive, I decided to do some testing with a VirtualBox virtual machine where I simulated a WAN port and a LAN port. The WAN port receives the IP 192.168.3.37 via DHCP, and the LAN port has the IP 172.16.16.4.

Next, I added two more virtual NICs so that in Network > Interfaces, the two new ports appear.

My intention is to use one port for the WAN and the other three for the LAN. Following the official documentation:

https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Network/Interfaces/NetworkBridgeInterfaces/index.html

I tried to create a bridge to have the three ports with the same IP 172.16.16.254, and here's a screenshot of the configuration:

When I save the configuration, I lose access to the firewall. To regain access, I have to perform a factory reset.

What am I doing wrong?

Kind regards!!

Edited TAGs
[edited by: Raphael Alganes at 11:53 PM (GMT -7) on 2 Sep 2024]

Top Replies

Raphael Alganes 15 days ago +1

Hello Albert, From what interface do you access the Firewall when you perform the bridge configuration? If you're accessing from outside the 172.16.16.x/24 network, then you're expected to lose network…

Parents

0 Raphael Alganes 15 days ago

Hello Albert,

From what interface do you access the Firewall when you perform the bridge configuration?

If you're accessing from outside the 172.16.16.x/24 network, then you're expected to lose network connectivity on your firewall since you bridge them altogether into that network scheme.

Further, I believe that from your setup, as stated in your intention:

albert cutrona said:
My intention is to use one port for the WAN and the other three for the LAN

- is possible to achieve this without configuring a LAN WAN Bridge. You may only need 1 WAN Port and LAN Interface/s (You may still, bridge the 3 LAN interface if needed on your network requirement) as I see it’s that the setup goes like:

ISP router/Home router->Sophos Firewall Home->Network

- and thus may not need to bridge WAN with LAN unless there's an existing setup that you do not want to change/disrupt network settings anymore but would need to put Sophos Firewall in-between.

However, If my assumptions are incorrect. Could you please share a diagram of the setup you are trying to achieve.

Regards,

Raphael Alganes
Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up +1 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Raphael Alganes 15 days ago

Hello Albert,

From what interface do you access the Firewall when you perform the bridge configuration?

If you're accessing from outside the 172.16.16.x/24 network, then you're expected to lose network connectivity on your firewall since you bridge them altogether into that network scheme.

Further, I believe that from your setup, as stated in your intention:

albert cutrona said:
My intention is to use one port for the WAN and the other three for the LAN

- is possible to achieve this without configuring a LAN WAN Bridge. You may only need 1 WAN Port and LAN Interface/s (You may still, bridge the 3 LAN interface if needed on your network requirement) as I see it’s that the setup goes like:

ISP router/Home router->Sophos Firewall Home->Network

- and thus may not need to bridge WAN with LAN unless there's an existing setup that you do not want to change/disrupt network settings anymore but would need to put Sophos Firewall in-between.

However, If my assumptions are incorrect. Could you please share a diagram of the setup you are trying to achieve.

Regards,

Raphael Alganes
Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up +1 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 albert cutrona 15 days ago in reply to Raphael Alganes

Hello Raphael, thank you very much for your help!!

My virtual lab (VirtualBox) consists of a Sophos with four virtual NIC and a PC on the LAN, all running on my personal PC. After making the configuration, I try to access the firewall management with IP 172.16.16.254 from the PC that is on the same network 172.16.16.0/24.

Raphael Alganes said:
- is possible to achieve this without configuring a LAN WAN Bridge. You may only need 1 WAN Port and LAN Interface/s (You may still, bridge the 3 LAN interface if needed on your network requirement) as I see it’s that the setup goes like:

In this case, if I want to have three ports on the same LAN I should configure each one with its IP, for example:

- Port 1: 172.16.16.4/24

- Port 2: 172.16.16.5/24

- Port 3: 172.16.16.6/24

If this is so, I have to say that I have already tested it and, obviously, it works. But, then I can access the firewall management from three different IPs, I don't know if that is correct.

This is the diagram of what I want to achieve on production, the same as what I have now but with two extra ports to serve the LAN:

This is an exact photo of the equipment I bought:

On this mini pc I will install Proxmox, and it will only be used to run virtualized Sophos. I want to make it clear that I do these tests in a virtual environment, so I can make sure that when I go into production everything will go well.

Kind regards!!
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 albert cutrona 12 days ago in reply to Raphael Alganes

Hello Raphael Alganes

Hello,
I keep thinking about how to solve this issue. When configuring the ports, it is essential to assign them an IP address. Is it possible to limit management access to only one LAN port?

Kind regards!!
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
+1 Raphael Alganes 9 days ago in reply to albert cutrona

Hello Albert,

You can instead limit those who can access the device using Local Service ACL: https://docs.sophos.com/nsg/sophos-firewall/20.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/Administration/DeviceAccess/index.html

Best Practices to manage SF: https://docs.sophos.com/nsg/sophos-firewall/20.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/Administration/DeviceAccess/DeviceAccessBestPractices/index.html

Hope this helps.

Regards,

Raphael Alganes
Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up +1 Vote Down

Sign in to reply

Verify Answer

Reject Answer

Cancel
0 albert cutrona 9 days ago in reply to Raphael Alganes

Hello Raphael Alganes !!

Raphael Alganes said:
You can instead limit those who can access the device using Local Service ACL

As you suggest, this way I can limit access to the device from certain interfaces:

That's an acceptable solution to my original question, config three ports in the same subnet.

I've to say that after playing with the VM, I've realized that bridge interfaces only works with the ones that don't have the gateway of the DHCP.

Thank you very much for your help and kind regards!!
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Raphael Alganes 7 days ago in reply to albert cutrona

Hello Albert,

Thank you for taking the time to update us. We're glad we can help with your concern.

Have a nice day and thank you for choosing Sophos.

Regards,

Raphael Alganes
Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel