
Sophos transparent bridge mode not working. Wrong topology?

First installation of Sophos 9.3 and I am trying to set it to transparent mode without success. I have a feeling this is more of a topology problem rather than down to Sophos but nevertheless here it is.

ADSL modem in the hallway connected to the main HP gigabit switch over a powerline adapter. Pretty much everything is on this switch on the same 192.168.10.0/24 subnet. Sophos is installed on a Supermicro Atom C2550 server with 4 ethernet interfaces. All 4 interfaces are patched on the switch. The 1st of the interfaces is on the 192.168.2.100 and one of the 2 interfaces of my workstation has 192.168.2.50. The other is on 192.168.15.0/24. From my workstation I can talk to Sophos via the Web frontend. Firewall rules added on Sophos as per the instructions (All/All/All). The bridge in Sophos is created using interfaces 2 and 3 with IP 192.168.15.6 and default gateway 192.168.10.2 (my ADSL modem/router). When I enable the interface everything stops working and all the network lights in all the devices start blinking. I assume I am creating some sort of a loop. Any hints?

I am trying to replace a (great) Checkpoint Safe@Office 1000N with the Sophos/Supermicro due to Checkpoint pricing (and for the fun of it - this is for home use) and it would be good to at least get Sophos up and running in a basic configuration as quickly as possible since I am exceeding my 25 node limit in the Checkpoint. Thanks!



  • Your topology appears incorrect based on the description.  In order to use bridging with the Sophos UTM, you will need a setup more in line with this:

    ADSL Modem -> Interface 2 [Sophos UTM] Interface 3 -> HP Switch -> internal devices

    If everything is on the 192.168.10.0/24, assign the bridge interface an IP address on that same subnet.  You don't need to have the 192.168.2.100 or the 192.168.15.6 addresses on the Sophos UTM unless you want to have a separate interface and IP address range specifically for management.

    Remember, for bridging, the idea is that all traffic goes through the Sophos UTM.  As such, it has to sit between the ADSL Modem and the network switch so that all traffic destined for the Internet is processed by the Sophos UTM.

  • Apologies, the IP is 192.168.10.6 and not 192.168.15.6. The 192.168.2.100 is just the management interface so it is immaterial. I can see why the loop is created. I will need to use VLAN tagging for the modem/external bridge interface to keep them separate from the rest and avoid the loop. It is not possible to physically connect the modem to the external bridge interface otherwise given that the powerlines get in the way.

  • I take it you are using Powerline technology to connect the ADSL modem to the switch, correct?  If that is the case, it should be:

    ADSL Modem -> Ethernet Cable -> Powerline Adapter -> Power Lines -> Powerline Adapter -> Ethernet Cable -> HP Switch

    Is the above correct?  If so, then just connect the Ethernet Cable that goes into the HP switch into the external bridge interface and the internal bridge interface into the HP Switch.  If the above is how you are set up then it will be easier to configure and troubleshoot in the event of problems.  If the above is not correct then what is your setup and what is the physical location of the pieces?

  • Thanks - the only problem is that these are not the only devices talking to each other via powerline. The HP switch is managed so from a VLAN perspective this should be fine, I need to see how I can do VLAN tagging on the powerline adapter (TP-Link AV1200 3-port). This way the modem will be on the powerline port with VLAN tag 5 (for example) and the external bridge interface of the UTM will be the only one on the same VLAN. I think this would solve the issue with the topology from a logical perspective because physically everything is on the same wire. The powerlines are more like a hub topology when they talk to each other rather than 1-1.

  • OK, now I see.  That makes things slightly difficult.  Well, is it possible to place the Sophos UTM by the ADSL modem and then direct connect it to the Sophos UTM and then the Sophos UTM to the first Powerline adapter that connects into the network?

    If not, then, yes, your likely option is going to be VLANs and that is going to depend heavily on how the Powerline networking, if it supports it, processes tagged vs untagged traffic, i.e. can you manually select what VLAN untagged traffic is on with the Powerline networking and/or can you select the host devices to tag their traffic to the VLAN you need.
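As an added illustration (not written by any participant in this thread), the loop the posts describe can be modelled as a graph of broadcast segments: the UTM's transparent bridge is a single node because it forwards between its member ports, each switch VLAN is a separate node, and a forwarding loop is simply a cycle. Segment names are constructed, and the VLAN variant assumes the powerline adapters carry the tag end to end, which the thread leaves unconfirmed.

```python
from collections import defaultdict

# Constructed model of the thread's L2 topology. Nodes are broadcast segments
# (a switch VLAN, the modem, the shared powerline medium) plus the UTM bridge,
# which is one node because it forwards frames between its member ports.

def has_l2_loop(links):
    """True if the undirected segment graph has a cycle. Without spanning tree,
    any cycle lets broadcast frames circulate forever (all port LEDs blinking)."""
    adj = defaultdict(list)
    for eid, (a, b) in enumerate(links):   # edge ids keep parallel links distinct
        adj[a].append((b, eid))
        adj[b].append((a, eid))
    visited = set()
    for start in adj:
        if start in visited:
            continue
        stack = [(start, None)]            # (segment, edge we arrived over)
        while stack:
            node, via = stack.pop()
            if node in visited:            # reached a second time by another path
                return True
            visited.add(node)
            stack.extend((nxt, eid) for nxt, eid in adj[node] if eid != via)
    return False

# Original post: bridge ports 2 and 3 both patched into the same untagged switch.
ORIGINAL = [
    ("adsl_modem", "powerline"), ("powerline", "switch_vlan1"),
    ("switch_vlan1", "utm_bridge"),        # port 2
    ("switch_vlan1", "utm_bridge"),        # port 3: second path back = loop
    ("workstation", "switch_vlan1"),
]
# Reply's wiring: modem -> UTM bridge -> switch -> internal devices.
INLINE = [
    ("adsl_modem", "utm_bridge"), ("utm_bridge", "switch_vlan1"),
    ("workstation", "switch_vlan1"),
]
# VLAN variant: modem side on tagged VLAN 5, LAN side on VLAN 1. Assumes the
# powerline adapters pass the tag, which the thread does not confirm.
VLAN_SPLIT = [
    ("adsl_modem", "powerline_vlan5"), ("powerline_vlan5", "switch_vlan5"),
    ("switch_vlan5", "utm_bridge"),        # port 2 on VLAN 5
    ("utm_bridge", "switch_vlan1"),        # port 3 on VLAN 1
    ("workstation", "switch_vlan1"),
]
```

Only the original wiring reports a loop; both the in-line wiring and the VLAN split leave the bridge as the single path between the modem and the LAN.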

