
VLAN Traffic Issues

Hello,

I have XG Home setup on a server connected to a Cisco switch that has several VLANs configured.  Everything works great, I've created the VLANs within Sophos as sub-interfaces on Port1 as follows:

Port 1: 172.30.1.1
Port 1.10: 172.30.10.1
Port 1.20: 172.30.20.1
Port 1.30: 172.30.30.1

And so on.

My switch is 172.30.1.10 and from the CLI of the firewall I can SSH to the switch but I can't from my workstation on VLAN 20 (Port 1.20).  I figured I would start with the basics and set up rules to allow me to ping to get a feel for how it all worked... this is where I'm having an issue.  The following rule works without any issues (as expected):

Accept "ICMP" and "ICMPv6" services going to "LAN" zone, when in "LAN" zone, and coming from any network

When I try and restrict the source to VLAN 20 no traffic goes through at all - this is the rule:

Accept "ICMP" and "ICMPv6" services going to "LAN" zone, when in "LAN" zone, and coming from "#Port1.20" network


To me that reads as anything on the network should be pingable from VLAN 20, but it's not.  As soon as I re-enable the first rule though, pings work fine.  I suspect I'm missing something basic here.  Any help would be appreciated.



  • I know this is going to sound silly, but I would suggest you haven't got an IP address from 1.20.

    Ian

    Ian,

    home UTM 9.x running in ESXi 6 e3-1275v2

    AP55c and AP10 (courtesy Astaro)

    Three other UTMs, SUM and SFM in hibernation

    XG 15.x MR3 in hibernation

  • Hi Ian,

    I honestly wish it had been something like that but unfortunately not. My test PC is 172.30.20.109 which is what I'm using and that's pulling from DHCP which is configured on the Sophos firewall for that VLAN.
  • Might you also need a policy for the packets to travel back from your switch to your workstation (that is, packets coming from #Port1)? That might explain why universal LAN-to-LAN works, but not if you restrict the source to #Port1.20.
  • Brian,

    Thanks for your reply. I have tried that and unfortunately that still isn't working. I may be going about this the wrong way, I'm not sure, but I'm having lots of little problems with this release. Anyway, the two test rules I created (and turned off the global one that works) are:

    Rule Temp
    Source: LAN #Port1.20
    Destination: LAN Any Host
    What: Any Service (not restricting for the test)
    Action: Accept

    Rule Temp 2
    Source: LAN #Port1
    Destination: LAN #Port1.20
    What: Any Service
    Action: Accept

    This results in the same as before with no traffic flowing or even hitting the rules as far as I can tell. I wish Live Logs were implemented I do miss that from UTM 9!

    Maybe I'm overthinking things; as long as I'm secure from the outside-in then internal communication isn't really an issue if everything can talk to each other. I just wanted to try and set it up 'correctly' and only allow certain parts to communicate.

    Thanks,

    Wayne.
  • I find specifying sources and destinations by port designations to be a bit confusing. If you want to do it "correctly", why not set the rules to restrict by network instead? In other words, create proper Host IP objects (in Objects > Hosts and Services) for 172.30.1.0 and 172.30.20.0, and then maybe one rule:

    Source: LAN // Networks: 172.30.1.0/24, 172.30.20.0/24
    Destination: LAN // Networks: 172.30.1.0/24, 172.30.20.0/24
    What: Any Service
    Action: Accept
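    The rule Brian describes can be checked on paper before it is built in the GUI. The script below is an added example, not Sophos code and not a model of the XG rule engine: it represents the two network objects (172.30.1.0/24 and 172.30.20.0/24) and the single LAN-to-LAN rule as data, evaluates candidate flows against them with first-match semantics and a default deny, and shows that the workstation (172.30.20.109) and the switch (172.30.1.10) can reach each other in both directions while a host on VLAN 30 (172.30.30.0/24, assumed here and deliberately left out of the rule) cannot. The addresses are the ones from the thread; the VLAN 30 host is constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    """One firewall rule keyed on network objects rather than ingress interfaces."""
    name: str
    sources: List[IPv4Network]
    destinations: List[IPv4Network]
    action: str  # "accept" or "drop"


# Network objects matching the /24s in the thread (constructed here; on the
# firewall these are the Host IP objects created under Objects > Hosts and Services).
NET_PORT1 = ip_network("172.30.1.0/24")    # Port1, the switch is 172.30.1.10
NET_VLAN20 = ip_network("172.30.20.0/24")  # Port1.20, the workstation is 172.30.20.109
NET_VLAN30 = ip_network("172.30.30.0/24")  # Port1.30, intentionally not granted access

# The single LAN <-> LAN rule from the answer above: both networks on both sides.
RULES = [
    Rule(
        name="LAN Port1 <-> VLAN20",
        sources=[NET_PORT1, NET_VLAN20],
        destinations=[NET_PORT1, NET_VLAN20],
        action="accept",
    ),
]


def matching_rule(src: str, dst: str, rules: List[Rule] = RULES) -> Optional[Rule]:
    """Return the first rule whose source and destination objects contain the flow."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if any(s in net for net in rule.sources) and any(d in net for net in rule.destinations):
            return rule
    return None


def evaluate(src: str, dst: str, rules: List[Rule] = RULES) -> str:
    """First match wins; a flow no rule accepts is dropped (default deny)."""
    rule = matching_rule(src, dst, rules)
    return rule.action if rule else "drop"


def audit(flows: List[tuple], rules: List[Rule] = RULES) -> List[tuple]:
    """Evaluate a list of (src, dst) flows and report the verdict and matched rule name."""
    report = []
    for src, dst in flows:
        rule = matching_rule(src, dst, rules)
        report.append((src, dst, evaluate(src, dst, rules), rule.name if rule else None))
    return report


if __name__ == "__main__":
    # Constructed flows: the two directions from the thread plus two VLAN 30 cases.
    sample_flows = [
        ("172.30.20.109", "172.30.1.10"),   # workstation -> switch
        ("172.30.1.10", "172.30.20.109"),   # switch -> workstation (reply direction)
        ("172.30.30.5", "172.30.1.10"),     # VLAN 30 host -> switch, not in the rule
        ("172.30.20.109", "172.30.30.5"),   # workstation -> VLAN 30 host, not in the rule
    ]
    for src, dst, verdict, name in audit(sample_flows):
        print(f"{src:>15} -> {dst:<15} {verdict:<6} {name or '(no match)'}")
```

    Because the rule is keyed on the network objects on both sides, the same single rule covers traffic in both directions between Port1 and VLAN 20, and adding a third VLAN later is a matter of adding its network object to the rule, or writing a separate rule if it should only reach part of the LAN.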
  • Brian - that worked perfectly. I didn't think about creating IP Host objects! Thanks for the help, it's much appreciated.