Sophos XG(S) Firewall, WiFi connected devices not able to see LAN printers

CalebP 1 month ago

Hello, I work at a school and we use an XGS 2100 to manage our internet. We have our networks divided for staff, students, etc.

We recently changed our connections from LAN to VLAN, so we can run distinct profiles on each SSID. Since then our VLAN WiFi connected devices (laptops, chromebooks etc.) haven't been able to see the LAN connected printers or print anything from anything on the VLAN. The only exceptions are devices that are directly connected.

We also moved the connections over the Central since switching to VLAN. Same goes with our AP's.

VLAN can't ping LAN, and LAN can't ping VLAN.

Any help would be greatly appreciated.

Here's our layout

Edited TAGs
[edited by: Erick Jan at 12:48 AM (GMT -8) on 30 Jan 2025]

Top Replies

Wayne Folta 1 month ago +1 suggested

Your printers might advertise themselves via mDNS, which uses multicasts. Multicasts are not transmitted across networks, which includes between subnets or VLANs. I WISH that Sophos would support multicast…

0 dirkkotte 1 month ago

1. AP55? How do you manage these devices?

2. XGS is the default gateway for all VLAN's? Are the devices able to Ping their gateway?
Create a "Drop & log" rule at the end of your Firewall-ruleset and check the logviewer for accepted or dropped packets

3. use packetcapture with the filter "host 1.2.3.4 and host 2.3.4.5" (IPs of source and destination device when trying to ping) ... feel free to post the results.

Dirk

Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
- 0 CalebP 1 month ago in reply to dirkkotte
  
  Apologies but I am fairly new to this so not everything will make sense to me.
  
  1. We manage them through Central.
  
  2. Yes and yes.
  - I tried creating the drop and log rule like you suggested, but It didn't give me any results. Maybe I'm missing something or doing something wrong.
  
  3. It just tells me "no records found". Again, I might be missing something or doing something wrong.
0 Wayne Folta 1 month ago

Your printers might advertise themselves via mDNS, which uses multicasts. Multicasts are not transmitted across networks, which includes between subnets or VLANs. I WISH that Sophos would support multicast forwarding for such cases, but it doesn't.

The lack of pings could indicate a total lack of routing/permission between them, but if your printers are like my printers, mDNS could be a problem with your new setup, even if you solve the ping issue.

We can assume that you added appropriate firewall rules to allow traffic between the various VLANs?
0 rfcat_vk 1 month ago

You might need to experiment with IP addressing of your printer drivers to overcome the issue.

Ian

XGS118 - v21.0.1 MR1

XG115 converted to software licence v21.0.1 MR-1

If a post solves your question please use the 'Verify Answer' button.
- 0 PhilippRusch 1 month ago in reply to rfcat_vk
  
  Do the printers and the WiFi connected devices have the Sophos firewall at their default gateway?
  
  If not, you need to change the configuration of the LAN-printers to point at the firewall as their gateway.
  
  Then you need "Allow"-rules for the traffic from the WiFi devices to the LAN-printers.
  
  Once this is done, you should be able to ping the printers.
  
  Mit freundlichem Gruß, best regards from Germany,
  
  Philipp Rusch
  
  New Vision GmbH, Germany
  Sophos Silver-Partner
  
  If a post solves your question please use the 'Verify Answer' button.
  - 0 CalebP 1 month ago in reply to PhilippRusch
    
    Yes, our printers are all pointing towards the Sophos firewall.
    
    As well as all our WiFi connected devices.
    
    We have made an Allow rule many times with many variations but still nothing is coming through.
    
    Here's what our allow rule looks like.
    
    We have another rule but the sources and destinations are switched around.
    
    Any suggestions? Thanks for your help.
  - 0 PhilippRusch 1 month ago in reply to CalebP
    
    I suspect a VLAN transport problem here.
    
    But let's start troubleshooting: can you ping each VLAN from the Sophos firewall? At the firewall you go to "Diagnose" then "Ping"
    
    Can you show us the network/interface definitions at your firewall? (Screenshots)
    
    Mit freundlichem Gruß, best regards from Germany,
    
    Philipp Rusch
    
    New Vision GmbH, Germany
    Sophos Silver-Partner
    
    If a post solves your question please use the 'Verify Answer' button.
  - 0 PhilippRusch 1 month ago in reply to PhilippRusch
    
    AFAIK the Netgear GS-108 switch is an unmanaged switch which is only able to transport the default VLAN=1 (aka "default VLAN" or "AdminVLAN").
    
    The TP-Link SG116 is unmanaged as well, but it should be able to pass VLAN-Tags through to the other ports, when it receives those tagged packets.
    
    So I really wonder how you managed to "configure VLANs".
    
    Can you give us some more details on this, please?
    
    Mit freundlichem Gruß, best regards from Germany,
    
    Philipp Rusch
    
    New Vision GmbH, Germany
    Sophos Silver-Partner
    
    If a post solves your question please use the 'Verify Answer' button.
  - 0 CalebP 1 month ago in reply to PhilippRusch
    
    I can ping the VLANs from the firewall, If I pick the right interface. Which would be Port4.59 for VLAN59 and so on.
    
    I believe this is what you asked for.
  - 0 rfcat_vk 1 month ago in reply to CalebP
    
    Hi,
    
    as Philip advises there is nothing on your network to seperate the traffic from the various devices eg everything is on the same network none of the switches can differentiate VLAN traffic. You need some smart switches.
    
    Ian
    
    XGS118 - v21.0.1 MR1
    
    XG115 converted to software licence v21.0.1 MR-1
    
    If a post solves your question please use the 'Verify Answer' button.
  - 0 CalebP 1 month ago in reply to rfcat_vk
    
    So switches that aren't managed at all are is what is preventing the traffic between VLANs and printers?
    
    That seems unlikely to me. Why and how would the switches be the ones that are preventing traffic from VLANs to Printers?
    
    All our switches in the building are unmanaged and empty, so there's nothing going on when passing through the switch.
  - +1 Prism 1 month ago in reply to CalebP
    
    CalebP said:
    So switches that aren't managed at all are is what is preventing the traffic between VLANs and printers
    
    Some unmanaged switches remove the VLAN tagging when passing traffic, at the same time breaking inter-VLAN connections. (This depends on each switch vendor implementation.)
    
    This could be the reason why it's not working correctly.
    
    If a post solves your question use the 'Verify Answer' button.
    
    Ryzen 5600U + I226-V (KVM) v21 MR1 @ Home
    
    Sophos ZTNA (KVM) @ Home
  - 0 CalebP 1 month ago in reply to PhilippRusch
    
    What do you mean by default VLAN? Is there somewhere in the firewall that allows me to change the default VLAN so it points the traffic the way I want to?
  - 0 emmosophos 1 month ago in reply to CalebP
    
    If your switches are unmanaged, they most likely don't tag traffic, so it is not actually TAGged.
    
    The Default VLAN is always VLAN 1 in all switches, you can't change the default VLAN in the Sophos Firewall.
    
    Regards,
    
    Emmanuel (EmmoSophos)
    
    Technical Team Lead, Global Community Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  - 0 CalebP 1 month ago in reply to emmosophos
    
    What if we back up a little bit. I might be presuming too much with how we have things set up so far. (We're hardly 2 months into our XGS experience)
    
    - We set up our WIFI SSIDs on Central as all our APs are managed through there. (Half are old AP55's that the XGS can't deal with directly so we moved all our 320x's there as well.)
    
    - We want to have distinct WIFI SSIDs for staff, students, devices, in order to manage each SSID with its own policy and so we can see which group is using up our bandwidth. (We're coming fresh off a UTM and are still thinking that way as far as the fresh XGS setup is concerned.)
    
    - The only way we could connect a unique policy on the XGS to an SSID on Central was to point the WIFI SSID in Central to a VLAN connection to the XGS. Then each VLAN could have its own filter profile.
    
    We're not committed to a VLAN network setup.
    
    All the devices on our network are MAC address whitelisted to the WIFI SSID. No users are set up in the XGS.
    
    What we want is:
    
    - to create different filter profiles per WIFI SSID (we need to be able to turn on/off access to things like YouTube per SSID.)
    
    - to be able to see which WIFI SSID is 'using up' our bandwidth.
    
    Is there a different way to approach setting this up than the VLAN approach we're taking?