For two weeks now I have been using a Sophos XG as my home router. It works very well and my internet latency is very low since I switched from my old Asus router to the Sophos XG. I'm very happy to have switched to Sophos XG.
But with one device I cannot connect to the Internet. It's my Grünbeck water softener softliQ SD21. It connects to the Grünbeck cloud with the Secure MQTT protocol on port 8883.
I've tried some configurations. I tested different firewall configurations and analyzed them with the Log Viewer and the Diagnostics in the Web UI. The analysis with Wireshark didn't get me any further either. I am at a loss. Here is my configuration:
2. A linked NAT Rule (#1)
But I get this result in the log viewer:
In the Wireshark trace you can see a TLS v1.2 connection with a reply from the Grünbeck cloud, but this is not forwarded to my device. Why?
Can anyone help me?
Hi, I think you will need a rule that allows traffic from LAN to LAN. Include WiFi as well when it is bridged to LAN.

Regards,
BF
What you could try is to disable the Application classification and ATP for the rule in question.
To do that, log in using the CLI, go to option 4 and type:
set ips ac_atp exception fwrules X (the X is the firewall rule ID)
And then try again.
Thank you for your tip, but it does not work in my case :( Same as before....
Thank you for the follow-up.
Not sure why your computer would be answering the Hello, unless you have some routing issue, but I don't think you have two WAN addresses.
It seems like 188.8.131.52 is asking for a certificate. In the firewall, for Web Filter for this computer, you are not using the Web Browser and/or DPI, correct? Also try to bypass the IP from the SSL/TLS inspection rules.
That was the key clue. Thanks for the tip!!!
So now I've found the cause. Unfortunately, I have no idea how to fix it. The reason is the SSL/TLS engine. If I deactivate it in the SSL/TLS settings, my connection is established.
Unfortunately only the complete shutdown of the SSL/TLS engine helps. I've already tried just switching off the inspection:
I have also tried different rules with my device and/or the service in question. It doesn't help. Does anyone else have an idea how I can turn off the SSL/TLS engine for this device?
https://community.sophos.com/xg-firewall/f/recommended-reads/118753/sophos-xg-firewall-v18-troubleshooting-problems-with-the-dpi-engine
It says there can be problems with IoT devices. :(
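A way to tell from a laptop on the same LAN which failure mode the softener is hitting, added here as an example and not taken from this thread or from Sophos: the probe performs the same TLS 1.2+ handshake to the broker on port 8883 that the device would, trusting only the system CA store (like a device that does not know the firewall's inspection CA), and then sorts the outcome into "passthrough", "intercepted" (chain rejected, the signature of a DPI engine re-signing the certificate) or "blocked" (reset, timeout, refused). The broker host name and the three labels are assumptions; the probe never speaks MQTT.

```python
import socket
import ssl

def issuer_fields(cert):
    """Flatten the nested 'issuer' tuples from ssl.getpeercert() into a dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}

def probe_tls(host, port=8883, timeout=5.0):
    """Mimic the IoT device's first step: a TLS 1.2+ handshake to the MQTT
    broker, verifying the server certificate against the system trust store
    only. Nothing is sent after the handshake; the dict records what happened."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    result = {"host": host, "port": port, "handshake": False, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result.update(handshake=True, version=tls.version(),
                              issuer=issuer_fields(tls.getpeercert()))
    except ssl.SSLCertVerificationError as exc:
        # The handshake reached the certificate but the chain is not trusted:
        # the typical symptom of a DPI engine re-signing the server certificate.
        result["error"] = "cert-verify: " + exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        # Reset, timeout or refused: the connection is dropped, not re-signed.
        result["error"] = "transport: " + str(exc)
    return result

def classify(result):
    """Map a probe result to the three cases discussed in the thread."""
    if result["handshake"]:
        return "passthrough"
    if result["error"] and result["error"].startswith("cert-verify"):
        return "intercepted"
    return "blocked"

if __name__ == "__main__":
    # Hypothetical broker name; replace with the host seen in the Wireshark trace.
    outcome = probe_tls("mqtt.example.invalid")
    print(classify(outcome), outcome)
```

Run it once with the SSL/TLS engine on and once with it off: an "intercepted" result that turns into "passthrough" confirms that the device is refusing the firewall's re-signed certificate rather than being blocked by a firewall rule.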
Have you tried using the Proxy instead of DPI for this device?
Yes, I think I've tried all possible configurations :(
Only switching off the "SSL/TLS engine" makes it work..... Strange is that after re-enabling the "SSL/TLS engine" it still works until my IoT device terminates the connection and tries to re-establish it. Does someone from Sophos support actually read the community posts, or do I have to open a support ticket? Can I do that at all if I am using the home version?
This forum is primarily a user-to-user support forum with Sophos staff assisting. No, as a home user you cannot raise a ticket.
So my hint "Possibly the SSL/TLS engine ... blocks parts of the traffic." seems to be correct. Try to add/build an SSL/TLS exclusion rule containing "Don't decrypt" within the SSL/TLS inspection rules.
This rule must be placed above the "Decrypt" rule
Sophos Partner since 2003
If a post solves your question click the 'Verify Answer' link.
Thanks for your tip, but I have a rule and it is not working.
My decrypt rule is only for one device and not for the complete network...
There is no match on this rule ... try any/any as destination.
I've changed it, but it is not working:
Here you can see that the rule matched: