Lan to Wifi separate zone not working

Hey

That is a rule for one direction.

Where is the return rule to allow the WifiRestricted traffic back to the Lan?

It may be included in another rule, but if you upgraded from V17 to V18 the return rule may have been lost.

I did notice that my initial V18 upgrade lost some rules.

That is not the problem, i have added a rule for the other direction, too.
I think it must be a bug...

Hi

Can you please post your other rule.

here is the other direction.

here is the other direction.

Hi

Just set up a test, and actually seeing what I expect is the same result as you.

Basic setup,

Created new 'LAN' Zone for Wifi

Created Wifi SSID as new zone, client isolation disabled.

Created firewall rules for Lan to Wifi Zone and seperate rule for Wifi Zone to Lan

DHCP for Wifi Zone done on Sophos

All services allowed

From the Wifi devices (ipad, Iphone, Laptop) I can ping each other, and I can ping anything on the LAN (PC, NAS, ECT)

From the Lan devices or the Sophos Firewall I cannot ping a device on the Wifi Zone

I also tried setting the Wifi setup back to the default WIFI zone, still no go.

I believe that the Wifi Zone is right, because I have a seperate WIFI Zone to WAN rule, and after changing the WIFI SSID to the default WIFI zone, then I lost internet access on the Wifi Devices.

So I will agree with you, an introduced bug in V18

Doesn't make any difference if it is a WIFI or seperate zone.

Ian

Hey Ian,

You are correct, I tested that as well.

And it is not an issue related to V17 migration, as I reset my XG125 to factory defaults after EAP3R1 and have set it up completely from scratch. No backup import.

Hi Ian, so you can reproduce the problem as well? Is there any workaround this?

Hi Mario,

not that I have found yet, I am still in the process of fixing a number of items I broke during the migration from VLANs.

Ian

Hi Mario,

I have found a temporary solution, it works but not very well. I setup an SD-WAN policy route which has some strange requirement to use an the XG external gateway for internal traffic and you cannot ignore the setup. Also the help information when you move a mouse over the objects is useless and needs to be brought up to the same standard as other policy/rules.

In the migrated sd-wan policies you are shown a firewall rule, but only of the external access, there are no sd-wan policoes created during migration for the internal access firewall rules.

SD-WAN only allows one session where as a firewall rule allows multiple sessions to the same device. Throughput while I can't test and provide actual values is just plain painfully slow.

I tried using the Static routing and that is just plain silly/not logical, you must have a gateway that is in the same IP range as your interface, they are the same thing. so that doesn't work.

In the end v18 GA should make all this SD-WAN routing redundant when the fixes are applied.

Ian

The setup to fix the bug, does leave a question about the migrated SD-WAN policy, why were they created, what is missing that needs to have these put in place?

More thoughts on this subject, there is no way of seeing what traffic is passed though the SD-WAN policy (no logs) or how much?

Yes i see no drops, too. You use the sd wan policy for the routing to the separate zone? Wan is not my problem.

LAN -> Wifi in separate zone doesnt work.

Hi Mario,

using the SD-WAN policy allows me to get the LAN to separate zone working, just you have to have a WAN entry.

Ian