
Sophos transparent bridge mode not working. Wrong topology?

First installation of Sophos 9.3 and I am trying to set it to transparent mode without success. I have a feeling this is more of a topology problem rather than down to Sophos but nevertheless here it is.

ADSL modem in the hallway connected to the main HP gigabit switch over a powerline adapter. Pretty much everything is on this switch on the same 192.168.10.0/24 subnet. Sophos is installed on a Supermicro Atom C2550 server with 4 ethernet interfaces. All 4 interfaces are patched on the switch. The 1st of the interfaces is on the 192.168.2.100 and one of the 2 interfaces of my workstation has 192.168.2.50. The other is on 192.168.15.0/24. From my workstation I can talk to Sophos via the Web frontend. Firewall rules added on Sophos as per the instructions (All/All/All). The bridge in Sophos is created using interfaces 2 and 3 with IP 192.168.15.6 and default gateway 192.168.10.2 (my ADSL modem/router). When I enable the interface everything stops working and all the network lights in all the devices start blinking. I assume I am creating some sort of a loop. Any hints?

I am trying to replace a (great) Checkpoint Safe@Office 1000N with the Sophos/Supermicro due to Checkpoint pricing (and for the fun of it - this is for home use) and it would be good to at least get Sophos up and running in a basic configuration as quickly as possible since I am exceeding my 25 node limit in the Checkpoint. Thanks!



  • Your topology appears incorrect based on your description.  In order to use bridging with the Sophos UTM, you will need a setup more in line with this:

    ADSL Modem -> Interface 2 [Sophos UTM] Interface 3 -> HP Switch -> internal devices

    If everything is on the 192.168.10.0/24, assign the bridge interface an IP address on that same subnet.  You don't need to have the 192.168.2.100 or the 192.168.15.6 addresses on the Sophos UTM unless you want to have a separate interface and IP address range specifically for management. 

    Remember, for bridging, the idea is for all traffic to go through the Sophos UTM.  As such, it has to sit between the ADSL Modem and the network switch so that all traffic destined for the Internet is processed by the Sophos UTM.

  • Apologies, the IP is 192.168.10.6 and not 192.168.15.6. The 192.168.2.100 is just the management interface so it is immaterial. I can see why the loop is created. I will need to use VLAN tagging for the modem/external bridge interface to keep them separate from the rest and avoid the loop. It is not possible to physically connect the modem to the external bridge interface otherwise given that the powerlines get in the way.

  • I take it you are using Powerline technology to connect the ADSL modem to the switch, correct?  If that is the case, it should be:

    ADSL modem -> Ethernet Cable -> Powerline Adapter -> Power Lines -> Powerline Adapter -> Ethernet Cable -> HP Switch

    Is the above correct?  If so, then just connect the Ethernet Cable that goes into the HP switch into the external bridge interface and the internal bridge interface into the HP Switch.  If the above is how you are set up then it will be easier to configure and troubleshoot in the event of problems.  If the above is not correct then what is your setup and what is the physical location of the pieces?


  • Thanks - the only problem is that these are not the only devices talking to each other via powerline. The HP switch is managed so from a VLAN perspective this should be fine, I need to see how I can do VLAN tagging on the powerline adapter (TP-Link AV1200 3-port). This way the modem will be on the powerline port with VLAN tag 5 (for example) and the external bridge interface of the UTM will be the only one on the same VLAN. I think this would solve the issue with the topology from a logical perspective because physically everything is on the same wire. The powerlines are more like a hub topology when they talk to each other rather than 1-1.

  • OK, now I see.  That makes things slightly difficult.  Well, is it possible to place the Sophos UTM by the ADSL modem, direct connect the modem to the Sophos UTM, and then connect the Sophos UTM to the first Powerline adapter that connects into the network? 

    If not, then, yes, your likely option is going to be VLANs, and that is going to depend heavily on how the Powerline networking, if it supports it, processes tagged vs untagged traffic, i.e. can you manually select what VLAN untagged traffic is on with the Powerline networking and/or can you select the host devices to tag their traffic to the VLAN you need.

  • Hi, Nikolaos, and welcome to the UTM Community!

    "All 4 interfaces are patched on the switch." - I'm not following the description of your topology, but if you have two Interfaces in the same Ethernet segment, you will have routing problems.

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi, thanks for your replies, much appreciated. Let me revisit this. I modified the topology a bit by putting different powerlines on different networks. This way I avoid the problem of all powerlines in the house talking to each other. Now the powerline with the modem only talks to the powerline that is connected to a small 5 port Netgear managed switch. The switch does not serve a material purpose, but let's say that it does put the powerline on the correct VLAN. Then the uplink of this switch goes to the main switch (the HP ProCurve) on which the external interface of the Sophos is patched on the same VLAN. This avoids having loops since the VLANs keep things separate. 

    Stepping back a bit and forgetting about the powerlines and the VLANs, consider the case where there is only one subnet, 192.168.10.0/24, where all the local machines are on. This is a home set-up so everything is on this subnet. From the Nest thermostat to my 2 x 1U Supermicro XenServers and all the networking equipment including the modem/router which acts as my default gateway. The modem/router is on 192.168.10.2. Everything on this subnet ends up one way or another on the HP switch. Say Sophos hasn't been introduced yet and now it is time to do so.

    1U Supermicro with an Atom Avoton C2550F with 4 LAN interfaces. 1 interface patched on the default VLAN of the HP, say no VLAN configuration on the switch yet, but on the default Sophos 192.168.2.100 (192.168.2.0/24 subnet). This is the management interface. No router in between .2.0/24 and .10.0/24 so the two subnets can't talk to each other. My workstation has 2 LAN interfaces, one on .15.0 and the other on .2.0. So from my workstation I can talk to both my LAN and the new Sophos. So now the configuration for the transparent bridge begins. I think the documentation is lacking at this point because it doesn't say anything about how the other devices in this vanilla configuration should be re-configured. According to the documentation I patch on the switch interfaces 2 and 3 of the Sophos, I create the firewall Allow Any->Any rule and I create the bridge interface. Based on the above:

    1. What IP should this bridged interface have?

    2. What subnet should I put my router on?

    The documentation makes it sound as if I can just leave the router as it is but observing the screenshot in http://www.fastvue.co/sophos/blog/easily-evaluate-sophos-utm-9-3-using-full-transparent-mode/ I feel I need to actually take the router to a different subnet, say 192.168.1.1, create a bridge in the Sophos with the internal being 192.168.10.2 (the current gateway) and the external being 192.168.1.2. Is that reasonable? Does this make sense?

    Again many thanks!

  • Some points regarding bridging interfaces in Sophos UTM:

    1 - There is only one IP address assigned to the bridge but two physical interfaces assigned to the bridge.

    2 - You HAVE to place it in-line between your firewall/router that is connected to the Internet and your network.  You can do this logically with VLAN trickery or physically.

    3 -  For the sake of simplicity, use the lowest numbered port as the external-facing port (that would connect to the firewall/router) and the other bridged port as the internal-facing port (connecting to the network switch).

    With that, based on what you have written above try the following:

    1 - Configure interface 2 with an IP address on the 192.168.10.xxx subnet that you are currently using (do NOT use your current default gateway address as the IP address of this interface; that stays on the router/firewall, which I believe is your DSL modem).  Configure the subnet mask and default gateway (whatever it currently is now for your network).

    2 - Set the type to "Ethernet Bridge" and add interface 3 (interface 2 should already be assigned).  This will bridge the two interfaces together.

    3 - Add the required Any -> Any -> Any rules per the document you linked.

    4 - Next, remove the Netgear 5-port switch (based on your information, it only connects to the powerline that goes to the modem and your primary HP Pro-Curve switch).

    5 - Place the Sophos UTM in its place, plugging port 2 of the UTM into the cable that goes to the powerline that goes to the modem.  Plug port 3 of the UTM into the cable that goes to the HP Pro-Curve switch.

    6 - Test basic network connectivity to your default gateway (i.e. modem/router device - 192.168.10.2), the Sophos UTM (192.168.10.xxx), your HP Pro-Curve (I assume it has an IP address as well).  Test Internet access. Test utilizing the various security services, i.e. Web Proxy/Content Filter.
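A small model of the two layouts discussed in this thread, added here as an example and not part of the thread or of Sophos UTM: topology A is the original patching from the first post (all four UTM ports in one VLAN on the HP switch, which loops as soon as ports 2 and 3 are bridged), and topology B is the VLAN-separated layout from the later posts (modem/powerline on its own VLAN, the UTM bridge joining that VLAN to the LAN VLAN, management on a third VLAN). Before the bridge is enabled it checks three things: whether any cable closes an L2 loop, whether the LAN can still reach the modem without crossing the bridge (a bypass path means the UTM inspects nothing), and whether any host has two of its own interfaces in the same Ethernet segment, the case Bob raised. Device names, port names and VLAN numbers are assumptions; the cable list is constructed.

```python
"""Check a planned transparent-bridge layout for L2 loops and firewall bypass.

A port resolves to the L2 element that forwards for it: a managed switch
forwards within (switch, vlan), a bridge forwards between its member ports, a
powerline segment behaves like a hub, and a host NIC forwards for nothing, so
it stays its own (device, port) element.  Names below are assumptions.
"""
from collections import defaultdict


def port_element(device, port, elements):
    """Resolve (device, port) to its forwarding element; host NICs stand alone."""
    return elements.get((device, port), (device, port))


class DisjointSet:
    """Union-find over elements; a union that fails means a second L2 path exists."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        root = x
        while self.parent[root] != root:
            root = self.parent[root]
        while x != root:                       # path compression
            self.parent[x], x = root, self.parent[x]
        return root

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra == rb:
            return False
        self.parent[ra] = rb
        return True


def find_loops(cables, elements):
    """Return every cable that closes a loop (a second forwarding path in one domain)."""
    ds, loops = DisjointSet(), []
    for da, pa, db, pb in cables:
        a, b = port_element(da, pa, elements), port_element(db, pb, elements)
        if a == b or not ds.union(a, b):
            loops.append((da, pa, db, pb))
    return loops


def reachable(cables, elements, src, dst, skip=None):
    """True if src and dst share a broadcast domain; `skip` removes one element."""
    ds = DisjointSet()
    for da, pa, db, pb in cables:
        a, b = port_element(da, pa, elements), port_element(db, pb, elements)
        if skip not in (a, b):
            ds.union(a, b)
    return ds.find(src) == ds.find(dst)


def dual_homed(cables, elements):
    """Hosts with two of their own NICs (or a NIC and a bridge) in one domain,
    i.e. 'two interfaces in the same Ethernet segment': two routes to one
    network, so replies can leave the wrong interface."""
    ds, ports = DisjointSet(), defaultdict(dict)      # device -> {element: port}
    for da, pa, db, pb in cables:
        a, b = port_element(da, pa, elements), port_element(db, pb, elements)
        ds.union(a, b)
        ports[da].setdefault(a, pa)
        ports[db].setdefault(b, pb)
    findings = {}
    for device, elems in ports.items():
        if not any(elem == (device, port) for elem, port in elems.items()):
            continue                    # a switch or powerline segment, not a host
        by_domain = defaultdict(list)
        for elem, port in elems.items():
            by_domain[ds.find(elem)].append(port)
        clash = sorted(p for grp in by_domain.values() if len(grp) > 1 for p in grp)
        if clash:
            findings[device] = clash
    return findings


def audit(cables, elements, bridge, modem_port, lan_port):
    """Loops, whether the LAN reaches the modem at all, and whether it can do so
    without crossing the bridge (a bypass path means the UTM enforces nothing)."""
    return {
        "loops": find_loops(cables, elements),
        "reachable": reachable(cables, elements, modem_port, lan_port),
        "bypass": reachable(cables, elements, modem_port, lan_port, skip=bridge),
        "dual_homed": dual_homed(cables, elements),
    }


BRIDGE = "utm-br0"                       # assumed name for the UTM's bridge of eth1+eth2
POWERLINE = {("powerline", "pl1"): "powerline-seg", ("powerline", "pl2"): "powerline-seg"}
UTM_BRIDGE = {("utm", "eth1"): BRIDGE, ("utm", "eth2"): BRIDGE}

# Constructed cable list, shared by both topologies: only the switch VLAN map differs.
CABLES = [
    ("modem", "lan1", "powerline", "pl1"),
    ("powerline", "pl2", "hp", "p1"),
    ("utm", "eth0", "hp", "p2"),          # management interface
    ("utm", "eth1", "hp", "p3"),          # bridge, external side
    ("utm", "eth2", "hp", "p4"),          # bridge, internal side
    ("workstation", "nic0", "hp", "p5"),
    ("workstation", "nic1", "hp", "p6"),
]
# Topology A: every HP port in the default VLAN (the first post's patching).
ELEMENTS_A = {**POWERLINE, **UTM_BRIDGE,
              **{("hp", f"p{n}"): ("hp", "vlan1") for n in range(1, 7)}}
# Topology B: modem/powerline on VLAN 5, LAN on VLAN 1, management on VLAN 2.
ELEMENTS_B = {**POWERLINE, **UTM_BRIDGE,
              ("hp", "p1"): ("hp", "vlan5"), ("hp", "p3"): ("hp", "vlan5"),
              ("hp", "p4"): ("hp", "vlan1"), ("hp", "p5"): ("hp", "vlan1"),
              ("hp", "p2"): ("hp", "vlan2"), ("hp", "p6"): ("hp", "vlan2")}

if __name__ == "__main__":
    for name, elems in (("A", ELEMENTS_A), ("B", ELEMENTS_B)):
        print(name, audit(CABLES, elems, BRIDGE, ("modem", "lan1"), ("workstation", "nic0")))
```

Running it prints both audits: topology A reports the cable on the UTM's second bridge port as the loop, a bypass path from the modem to the LAN that never touches the bridge, and both the UTM (management port beside its own bridge) and the dual-NIC workstation sitting twice in one segment; topology B reports none of those while the LAN still reaches the modem through the bridge. The physically in-line layout from the last post (the modem's powerline cable plugged straight into the UTM's external port) resolves the same way as topology B.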