
How to install, setup, and configure XG Home on Hyper-V

Hi,

I am trying to install XG Home Edition on Hyper-V. I followed the Virtual Appliance documentation as far as I could because it only covers VMWare. I created a VM using the minimum requirements and installed XG Home no problem. When it is up and running I see a command prompt with a menu system to use for configuration. The document says you should connect to 172.16.16.16:4444 to use the GUI but the computer hosting the VMs is running 192.168.10.xxx. I'm assuming that the IP my VM host has is incompatible with the firewall and cannot display the firewall GUI.

What do I need to do next so I can configure everything required? Is it possible to change the firewall so it uses 192.168.10.xxx so I can access the firewall GUI? Should I just do everything from the command line? What is best practice in setting up this firewall correctly?

Thanks,

Rob



  • Welcome,

    you can't change the XG address until you login.

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v20.0.2 MR-2

    If a post solves your question please use the 'Verify Answer' button.

  • I am able to login because I then get the menu system to aid in configuration. From there I'm not really sure where to get started. I thought the GUI might be more convenient but I can use the command line if need be. Is following the command line guide sufficient to get me up and running in a basic configuration?

  • I have installed Firmware version SFOS 16.05.3 MR-3 over the top of the previous version and then changed the settings for IP/DNS.

    IP: 192.168.10.6

    Subnet Mask: 255.255.255.0

    DNS: 192.168.10.1 (broadband router)

    I'm still getting the error "Internet connectivity OK but unable to contact licensing system. This may be due to a network issue. Please check your network set up and connections and try again." I used the device console and verified I can ping other devices on the network. I tried to ping Comcast's primary DNS 75.75.75.75 and it is unreachable from the device console. I could not ping google.com either. The VM Host is able to ping 75.75.75.75 and google.com. The broadband router is set to use Comcast's primary and secondary DNS servers and all devices on my network have no connectivity issues.

    I created another virtual machine using similar settings and installed Ubuntu Desktop. This virtual machine can ping all network devices, google.com and 75.75.75.75.

    The firewall is unable to ping outside of my network but other devices have no problem at all.

    -Rob

  • More than likely you haven't added a gateway to your XG.

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v20.0.2 MR-2


  • Hi Rob,

    One thing you haven't mentioned is how your broadband router is connected to your workstation running Hyper-V. The virtual switch you created to act as your WAN connection for the Sophos XG VM needs to be able to obtain an external IP address. I wonder if your NAT is the problem. Here is what I had to do with my ISP router to get it working.

    1. I connected directly from my router to my server NIC port
    2. I placed this router connection into the DMZ (I didn't want there to be any NAT issues so this meant this connection would receive its own external IP)
    3. I confirmed via cmd line that this NIC connection had a new IP assigned by my ISP. This meant that the NIC connected directly to the outside world with no NAT problems.
    4. I created 2 virtual switches (both external) in Hyper-V. The first I named LAN and the second named WAN and selected the correct NIC connection for the WAN virtual switch that connected to my broadband router
    5. I created a virtual machine and made sure that the first network I added was the LAN. By default, in these scenarios, Sophos XG uses the first connection as LAN and the second as WAN.
    6. I added a second network interface to my VM after the wizard had created it and linked it to the WAN virtual switch
    7. I started the VM and installed Sophos XG and rebooted at the end
    8. I added a new IP address to my server NIC and gave it a 172.16.16.18 IP.
    9. I used my server browser to connect to the https://172.16.16.16:4444 address and from there was able to finish the setup including license sync

    The key for me was to ensure that I was able to get direct outside IP address from my router.

  • Hi Nash,
     
    This is my configuration.
     
    Cable connected to Motorola Surfboard
    Motorola Surfboard is connected to WAN port of Netgear Broadband Router
     
    Netgear configuration:
    DHCP Enabled
    IP address - 192.168.10.1
    Subnet mask - 255.255.255.0
    DNS - 75.75.75.75, 75.75.76.76 (Comcast DNS)
    DMZ - not enabled
    WiFi - disabled
     
    Netgear Router connects to Linksys 5-port unmanaged switch
    Linksys 5-port unmanaged switch connects to onboard NIC at Physical VM Host
     
    The onboard NIC at Physical VM Host connects to a Hyper-V virtual switch which I called WAN.
    The WAN Hyper-V switch connects to the Sophos Firewall VM.
    (Intended WAN side IP - 192.168.10.6, Subnet - 255.255.255.0, Gateway - 192.168.10.1, DNS - 192.168.10.1)
     
    The LAN side of the Sophos Firewall is connected to another Hyper-V virtual switch which I named LAN.
    (Intended LAN side IP - 192.168.20.1, Subnet - 255.255.255.0, Gateway - 192.168.20.1, DNS - 192.168.20.1)
     
    The LAN virtual switch is connected to an add-on NIC in a PCI slot in the Physical VM Host.
     
    The LAN side NIC is connected to a different Linksys 5-port unmanaged switch.
    The LAN Linksys 5-port unmanaged switch is connected to an Asus Broadband router and all other LAN devices.
     
    Asus configuration:
    DHCP (currently disabled but will be enabled once the firewall is working)
    IP address - 192.168.20.9
    Subnet mask - 255.255.255.0
    Gateway - 192.168.20.1
    DNS - 192.168.20.1
     
    Is there some way to determine from the device console which NIC the firewall thinks is eth0? I'm not sure I could say which is which without some inspection. Also, none of my network devices are using 172.x.x.x. It is much easier to IP the firewall with 192.168.10.6. Is it possible to get setup in this config or is 172.x.x.x required until configuration is complete?
     
    If I left out some details, please let me know and I will clarify.
     
     
    -Rob
  • Do you have to log in to your internet connection or is it always on? Is it a PPPoE connection?

    Option 1:

    If your internet connection IS PPPoE and you have to have your Netgear router to perform the login, enable DMZ and place the IP that Netgear has assigned to your Hyper-V server into the DMZ (this is done on the Netgear router). Then make sure your WAN Port in Sophos XG is set to PPPoE (this is done in Sophos). You'll then have the option to enter your login credentials for the WAN port in the firewall (also done in Sophos).

    Option 2:

    The easiest option is if you are NOT PPPoE and you can simply connect directly to your Surfboard modem and obtain an external IP address. In this case, you would have selected DHCP for your IP assignment in your WAN port on Sophos.

    Try the option that best describes your situation (PPPoE yes or no) and see how that goes.

     

    In my own scenario, I have a PPPoE connection so I followed option 1 and it works.

  • Rob Moorhead said:
     
     
    Is there some way to determine from the device console which NIC the firewall thinks is eth0? I'm not sure I could say which is which without some inspection. Also, none of my network devices are using 172.x.x.x. It is much easier to IP the firewall with 192.168.10.6. Is it possible to get setup in this config or is 172.x.x.x required until configuration is complete?
      

    Unfortunately, I never found an easy way to do this. It was trial and error. I took a laptop, set static IP to 172.16.16.18 and subnet 255.255.255.0. I then connected to each port and attempted to connect to the browser interface at 172.16.16.1:4444. When I was successful, I knew this was the LAN port.

    When setting up the VM, I found it easier to assign the LAN virtual switch first, then add a second network connection AFTER the VM had been created. In this way, by default Sophos uses the first port as the LAN port.

  • Nash,

    I do not need to log into my internet connection and it is always on.

    How can I tell which NIC is eth0 so I know I'm using the correct one? I'm guessing that eth0 would be the built-in NIC.

    Once the firewall is configured and running, I would re-IP and connect everything to suit my original plan?

     

    -Rob

  • Rob Moorhead said:

    I do not need to log into my internet connection and it is always on.

    Perfect, then Option 2 is what I'd recommend you try.

     

    Rob Moorhead said:

    How can I tell which NIC is eth0 so I know I'm using the correct one? I'm guessing that eth0 would be the built-in NIC.

    I used a laptop to see which one was the LAN NIC. Once I could connect to the LAN, I knew the other was the WAN.

     

    Rob Moorhead said:

    Once the firewall is configured and running, I would re-IP and connect everything to suit my original plan?

    Yes. I found it easier to set all of my hosts and services ahead of my cutover so I had less work to do. I also wrote down all of my firewall rules and exceptions although Netflix did give me a hard time but finally got it working.

    My only remaining problem is with VoIP.

  • Nash,

    NashBrydges said:
    Rob Moorhead

    How can I tell which NIC is eth0 so I know I'm using the correct one? I'm guessing that eth0 would be the built-in NIC. 

     

    I used a laptop to see which one was the LAN NIC. Once I could connect to the LAN, I knew the other was the WAN.

     

    I hate to ask this question but I'm really unclear how you tested. Where did you physically connect your laptop to test the ports?

    Also, the documentation made it sound like if you didn't meet the minimum configuration that the OS would not install. If you only had one NIC on your VM at the time of installation, it should have failed if the documentation is correct.

    It seems odd or backwards that you configure while connected to the LAN NIC but at this point, I'll try anything.

    Thank you so much for taking the time for all of your responses! I'll beat this thing yet...

     

    -Rob

  • The minimum requirements are to have 2 NIC ports so as long as you have that, you should be fine. 

    1. Create a virtual switch connected to one of the physical NIC ports and call that one LAN
    2. Create a virtual switch connected to the other physical NIC port and call that one WAN
    3. Create your VM from the Hyper-V GUI and when asked to select the network, select the LAN virtual switch
    4. Complete the VM config
    5. Once the VM config is complete, go back to the VM settings and choose Add Hardware and proceed to add a network adapter, selecting the WAN virtual switch
    6. Proceed to start the VM and install Sophos

    Once the VM boots up, I set up my laptop with a static IP address of 172.16.16.18 and subnet of 255.255.255.0 (gateway remains blank). I take my laptop and connect it to the physical server NIC port that I used when I created my LAN switch. Since Windows doesn't make it easy to identify which ACTUAL port was used (because it sometimes names them in some weird random order) I plugged into the first port and attempted to access the Sophos web interface. It took a few minutes to come online so be patient. If that doesn't work, then likely you'll need to use the other physical NIC port. Try it out to confirm. Once you confirm which one is the LAN (meaning you can access the Sophos web interface) then plug the other physical NIC port directly into your Surfboard. 

    The key is to figure out which is your LAN, once you have that, by default, the other is your WAN.

    Proceed with activation and license sync.
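The two Hyper-V procedures above (Nash's nine-step list earlier in the thread and the six-step list in this post) can be scripted so the adapter order is deterministic and the "which physical port is eth0?" question is answered by the host instead of by plugging a laptop into each port. The following is an added example written for this thread, not Sophos' or either poster's own script. The adapter names, VM name, ISO path, disk size and memory are assumptions; change them to match your host. Hyper-V's PowerShell module is assumed to be installed (it is part of the Hyper-V role).

```powershell
# Added example (not from the original thread or from Sophos): provision a two-NIC
# SFOS VM on Hyper-V with LAN as the first adapter and WAN as the second, then
# verify the mapping from the host. Names/paths below are assumptions.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$LanNic  = 'Ethernet 2'        # assumed: the add-on PCI NIC, cabled to the inside switch
$WanNic  = 'Ethernet'          # assumed: the onboard NIC, cabled to the modem/router
$VmName  = 'SFOS-Home'         # assumed VM name
$IsoPath = 'C:\ISO\sfos.iso'   # assumed path to the SFOS installer ISO

# Step 0: list physical ports with their MAC/description so cabling can be matched
# to the switches created below without guessing.
Get-NetAdapter -Physical |
    Select-Object Name, InterfaceDescription, MacAddress, LinkSpeed, Status |
    Format-Table -AutoSize

# Step 1: LAN switch, shared with the host so the host can reach the admin UI.
if (-not (Get-VMSwitch -Name 'LAN' -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name 'LAN' -NetAdapterName $LanNic -AllowManagementOS $true | Out-Null
}

# Step 2: WAN switch, NOT shared with the host. With -AllowManagementOS $true the
# Hyper-V host itself would get a vNIC on the untrusted segment (directly on the
# Surfboard in "option 2"), bypassing the firewall you are building.
if (-not (Get-VMSwitch -Name 'WAN' -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name 'WAN' -NetAdapterName $WanNic -AllowManagementOS $false | Out-Null
}

# Steps 3-5: create the VM attached to LAN first, then add the WAN adapter second.
# The thread notes SFOS treats the first adapter as LAN and the second as WAN.
New-VM -Name $VmName -Generation 1 -MemoryStartupBytes 4GB -SwitchName 'LAN' `
       -NewVHDPath "C:\VMs\${VmName}.vhdx" -NewVHDSizeBytes 40GB | Out-Null
Set-VMProcessor -VMName $VmName -Count 2
Set-VMDvdDrive  -VMName $VmName -Path $IsoPath
Add-VMNetworkAdapter -VMName $VmName -SwitchName 'WAN'

# Pin static MACs (Microsoft OUI 00:15:5D) so the adapter-to-port mapping does not
# change if Hyper-V reassigns dynamic MACs after a move or reboot.
$adapters = Get-VMNetworkAdapter -VMName $VmName
$adapters[0] | Set-VMNetworkAdapter -StaticMacAddress '00155D0A0101'   # LAN
$adapters[1] | Set-VMNetworkAdapter -StaticMacAddress '00155D0A0102'   # WAN

# Verify: index 0 must show SwitchName LAN, index 1 WAN, and each switch must show
# the physical port it is bound to. This replaces the laptop trial-and-error.
Get-VMNetworkAdapter -VMName $VmName |
    Select-Object Name, SwitchName, MacAddress | Format-Table -AutoSize
Get-VMSwitch -Name 'LAN','WAN' |
    Select-Object Name, SwitchType, NetAdapterInterfaceDescription, AllowManagementOS |
    Format-Table -AutoSize

# Step 6: boot, give the host's LAN-side vNIC an address in the SFOS default subnet,
# and check that the admin port is listening before opening a browser.
Start-VM -Name $VmName
New-NetIPAddress -InterfaceAlias 'vEthernet (LAN)' -IPAddress 172.16.16.18 -PrefixLength 24 | Out-Null
Test-NetConnection -ComputerName 172.16.16.16 -Port 4444
```

Once `Test-NetConnection` reports `TcpTestSucceeded : True`, browse to `https://172.16.16.16:4444` from the host and finish the wizard (set the WAN interface to DHCP for an always-on cable connection, per option 2). After cutover, remove the temporary 172.16.16.18 address from the host's `vEthernet (LAN)` adapter, or re-address it into the new LAN subnet, so the host is not left with a forgotten foothold into the firewall's management network.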
