
Can Successfully Traceroute from a VLAN subnet, but the subnet cannot use the internet

Hi!

Running an SSG330.


I have a strange situation and I am a bit at my wits end.
I have a subnet attached to a VLAN interface, which is applied on the Sophos LAN interface.
I have set up masquerading for this subnet to the SSG330's External interface.
The Sophos VLAN interface is meant to be the network gateway for devices within this subnet.
For some strange reason, devices on the subnet can traceroute successfully to internet destinations, but they cannot connect to the internet in any other way.
Am I missing a firewall rule, or is something else wrong?



  • Hi Sina,

    What do you see when someone "cannot connect to the internet"?  What do you learn by doing #1 in Rulz (last updated 2021-02-16)?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Apologies for the late reply, had trouble with login.
    What I see when someone can't connect to the internet:

    Traceroute from the VLAN to the internet, which succeeds:

    traceroute google.com
    traceroute to google.com (216.58.223.206), 30 hops max, 60 byte packets
    1 10.11.0.254 (10.11.0.254) 0.468 ms 0.341 ms 0.453 ms
    2 62-173-32-49.rv.ipnxtelecoms.com (62.173.32.49) 1.161 ms 1.100 ms 1.041 ms
    3 pe-hq-lag.rv.ipnxtelecoms.com (62.173.34.225) 1.143 ms 1.276 ms 1.017 ms
    4 * * *
    5 41-184-56-214.rv.ipnxtelecoms.com (41.184.56.214) 1.469 ms 1.457 ms 1.412 ms
    6 74.125.50.116 (74.125.50.116) 6.668 ms 4.986 ms 4.932 ms
    7 74.125.244.113 (74.125.244.113) 2.435 ms 74.125.246.81 (74.125.246.81) 1.616 ms 1.802 ms
    8 172.253.76.173 (172.253.76.173) 2.947 ms 172.253.76.171 (172.253.76.171) 2.778 ms 172.253.76.173 (172.253.76.173) 2.995 ms
    9 los02s03-in-f14.1e100.net (216.58.223.206) 1.517 ms 1.460 ms 1.454 ms

    But TCP traceroute fails:

    tcptraceroute yahoo.com 443
    traceroute to yahoo.com (98.137.11.163), 30 hops max, 60 byte packets
    1 10.11.0.254 (10.11.0.254) 0.550 ms 0.474 ms 0.461 ms
    2 * * *
    3 * * *
    4 * * *
    5 * * *
    6 * * *
    7 * * *
    8 * * *
    9 * * *
    10 * * *
    11 * * *
    12 * *^C

  • Do you see blocks in the firewall log when you do the 443 traceroute?  When you do the same from a device behind the UTM, what happens?

    Cheers - Bob

  • Hi Bob!

    You're right, there are blocks when I traceroute from that device's IP (it's also behind the UTM; its gateway is the UTM's eth0.11, a VLAN interface).
    This is really odd, because it's been working for years before.
    What do I do?

    2021:08:31-11:55:43 qfw1 ulogd[5810]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0.11" outitf="eth1" srcmac="52:54:00:4b:ee:bb" dstmac="7c:5a:1c:54:b9:04" srcip="10.11.0.45" dstip="98.137.11.163" proto="6" length="60" tos="0x00" prec="0x00" ttl="10" srcport="52871" dstport="443" tcpflags="SYN"
    2021:08:31-11:55:43 qfw1 ulogd[5810]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0.11" outitf="eth1" srcmac="52:54:00:4b:ee:bb" dstmac="7c:5a:1c:54:b9:04" srcip="10.11.0.45" dstip="98.137.11.163" proto="6" length="60" tos="0x00" prec="0x00" ttl="9" srcport="58383" dstport="443" tcpflags="SYN"
    2021:08:31-11:55:43 qfw1 ulogd[5810]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0.11" outitf="eth1" srcmac="52:54:00:4b:ee:bb" dstmac="7c:5a:1c:54:b9:04" srcip="10.11.0.45" dstip="98.137.11.163" proto="6" length="60" tos="0x00" prec="0x00" ttl="11" srcport="49796" dstport="443" tcpflags="SYN"
    2021:08:31-11:55:43 qfw1 ulogd[5810]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0.11" outitf="eth1" srcmac="52:54:00:4b:ee:bb" dstmac="7c:5a:1c:54:b9:04" srcip="10.11.0.45" dstip="98.137.11.163" proto="6" length="60" tos="0x00" prec="0x00" ttl="10" srcport="44790" dstport="443" tcpflags="SYN"
    2021:08:31-11:55:43 qfw1 ulogd[5810]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0.11" outitf="eth1" srcmac="52:54:00:4b:ee:bb" dstmac="7c:5a:1c:54:b9:04" srcip="10.11.0.45" dstip="98.137.11.163" proto="6" length="60" tos="0x00" prec="0x00" ttl="11" srcport="38443" dstport="443" tcpflags=

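The dropped-packet lines in the post above are the actual diagnostic, so here is an added example (not code from the thread, from Sophos, or from the poster) that parses the UTM packetfilter key="value" format and groups packets by action, firewall rule, interface pair, protocol and destination port. Run over the posted lines, the pattern that the eye has to pick out of five long lines falls out directly: every TCP SYN entering on eth0.11 and leaving on eth1 for port 443 hits fwrule 60002 and is dropped. The input is constructed from the posted lines (including the fifth, truncated one, to show the parser tolerates a cut-off trailing pair); the single "Packet accepted" line is invented here for contrast, standing in for the UDP traceroute probes that did get through, and its id and fwrule values are assumptions, not values taken from the page.

```python
import re
from collections import Counter

# Constructed sample input. Lines 1-3 are drop lines from the thread above
# (line 3 is the truncated one, ending in a bare `tcpflags=`). Line 4 is NOT
# from the thread: it is an invented "Packet accepted" line whose id and
# fwrule values are assumptions, included only so the grouping has a contrast.
SAMPLE_LOG = """\
2021:08:31-11:55:43 qfw1 ulogd[5810]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0.11" outitf="eth1" srcmac="52:54:00:4b:ee:bb" dstmac="7c:5a:1c:54:b9:04" srcip="10.11.0.45" dstip="98.137.11.163" proto="6" length="60" tos="0x00" prec="0x00" ttl="10" srcport="52871" dstport="443" tcpflags="SYN"
2021:08:31-11:55:43 qfw1 ulogd[5810]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0.11" outitf="eth1" srcmac="52:54:00:4b:ee:bb" dstmac="7c:5a:1c:54:b9:04" srcip="10.11.0.45" dstip="98.137.11.163" proto="6" length="60" tos="0x00" prec="0x00" ttl="9" srcport="58383" dstport="443" tcpflags="SYN"
2021:08:31-11:55:43 qfw1 ulogd[5810]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0.11" outitf="eth1" srcmac="52:54:00:4b:ee:bb" dstmac="7c:5a:1c:54:b9:04" srcip="10.11.0.45" dstip="98.137.11.163" proto="6" length="60" tos="0x00" prec="0x00" ttl="11" srcport="38443" dstport="443" tcpflags=
2021:08:31-11:55:44 qfw1 ulogd[5810]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="eth0.11" outitf="eth1" srcip="10.11.0.45" dstip="216.58.223.206" proto="17" length="60" ttl="5" srcport="40000" dstport="33434"
"""

# key="value" pairs; a cut-off trailing `tcpflags=` has no quoted value and
# therefore simply produces no key instead of breaking the parse.
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# Positional prefix: timestamp, hostname, process[pid]:
PREFIX_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>\S+):\s")
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}


def parse_ulogd_line(line: str) -> dict:
    """Parse one UTM packetfilter line into a flat dict of its fields."""
    fields = {}
    m = PREFIX_RE.match(line)
    if m:
        fields["ts"] = m.group("ts")
        fields["host"] = m.group("host")
    fields.update(KV_RE.findall(line))
    proto = fields.get("proto", "")
    fields["proto_name"] = PROTO_NAMES.get(proto, proto or "?")
    return fields


def summarize_actions(log_text: str) -> Counter:
    """Count packets by (action, fwrule, initf, outitf, proto_name, dstport).

    One glance at this table answers "which rule is eating which traffic
    between which interfaces", which is the question in the thread.
    """
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_ulogd_line(line)
        key = (f.get("action"), f.get("fwrule"), f.get("initf"),
               f.get("outitf"), f["proto_name"], f.get("dstport"))
        counts[key] += 1
    return counts


def blocked_flows(log_text: str, initf: str) -> list:
    """Distinct dropped flows that entered on `initf`, in first-seen order.

    Each entry is (srcip, dstip, proto_name, dstport, fwrule); the source
    port is deliberately left out so retried SYNs collapse to one flow.
    """
    seen = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_ulogd_line(line)
        if f.get("action") != "drop" or f.get("initf") != initf:
            continue
        flow = (f.get("srcip"), f.get("dstip"), f["proto_name"],
                f.get("dstport"), f.get("fwrule"))
        if flow not in seen:
            seen.append(flow)
    return seen


if __name__ == "__main__":
    for key, n in sorted(summarize_actions(SAMPLE_LOG).items(), key=str):
        print(f"{n:3d}  action={key[0]} fwrule={key[1]} {key[2]}->{key[3]} "
              f"{key[4]}/{key[5]}")
    for flow in blocked_flows(SAMPLE_LOG, "eth0.11"):
        print("dropped flow:", flow)
```

Pipe the live packetfilter log through `summarize_actions` before and after changing a rule: the "after" table shows which rule now matches the VLAN's outbound TCP, which is how you would confirm that a rule scoped to the subnet and the services it actually needs covers the traffic, rather than relying on a blanket allow.
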
  • I just created a blanket allow all firewall rule for the subnet.
    Seems fine for now.

    Thanks Bob!