
REDs in a Bridge

Hello All,

We have a Sophos XG running V18.3. We have several RED devices that are part of a bridge interface and each RED is setup in Standard/split mode. Everything works as expected, except for traffic to/from devices on the same bridge interface, specifically voip devices.

For this example, lets say the bridge interface is 10.10.10.1. The LAN on the XG is 10.20.10.1 and the PBX is 10.20.10.100. All clients behind their RED can talk to 10.20.10.100 no problem. They cannot talk to each other though, unless I put 10.10.10.0 as a split network in the configuration. This doesn't seem right to me. Why do I need to specify a route to the network the RED devices are bridged to?

Anyone else seen this?

  • So you need to put your Bridge network into the RED config? If you do not do it, do you see any traffic on the XG red interface? Because from my point of view, REDs will not consider routing the traffic to anything else than the Split network. 

  • Yes, I have to put 10.10.10.0/24 in the split networks list. If it is not in there, traffic from one IP phone will make it to another IP phone, but some doesn't. Meaning, the phones will ring but no voice can be heard. It seems the RED doesn't properly route all traffic on the same subnet when multiple REDs are in a bridge, but some traffic is routed. It doesn't make sense.

    No dropped packets show on the firewall either, since it seems the RED is just not routing all traffic on its own subnet. I don't have the time right now to set up Wireshark on each RED to see exactly what is being dropped, unfortunately. I was hoping someone could tell me if this is normal or not. I definitely shouldn't have to make a route for the same subnet the REDs are a part of, in the split networks, but what's normal in the rest of the networking world is not always what Sophos follows. That should be layer 2 traffic and shouldn't need a route.
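    As an added illustration (not code from this thread, from Sophos, or from the poster), the following Python script models the situation described in the original post and the reply above: given a split-network list, it classifies the flows of one call between two phones at different RED sites and flags a client subnet that is missing from the split list. Only the three addresses quoted in the thread (bridge 10.10.10.0/24, LAN 10.20.10.0/24, PBX 10.20.10.100) come from the page; the phone addresses, both split lists, the destination-only tunnelling rule, and the idea that call setup goes via the PBX while media goes phone to phone are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Addressing taken from the thread: the RED sites share the bridge subnet
# 10.10.10.0/24, the XG LAN is 10.20.10.0/24 and the PBX is 10.20.10.100.
BRIDGE_NET = "10.10.10.0/24"
LAN_NET = "10.20.10.0/24"
PBX = "10.20.10.100"

# Assumed split-network lists: what the poster describes having at first,
# and the workaround (bridge subnet added) that made voice work.
SPLIT_BEFORE = [LAN_NET]
SPLIT_AFTER = [LAN_NET, BRIDGE_NET]


@dataclass(frozen=True)
class Flow:
    name: str
    src: str      # client behind a RED
    dst: str
    service: str


# Constructed flows for one call between phones at two different RED sites.
# Assumption: call setup goes to the PBX, the media (RTP) goes phone to phone.
CALL_FLOWS = [
    Flow("SIP signalling, phone A -> PBX", "10.10.10.5", PBX, "udp/5060"),
    Flow("SIP signalling, phone B -> PBX", "10.10.10.6", PBX, "udp/5060"),
    Flow("RTP media, phone A -> phone B", "10.10.10.5", "10.10.10.6", "udp/rtp"),
    Flow("RTP media, phone B -> phone A", "10.10.10.6", "10.10.10.5", "udp/rtp"),
]


def in_split_networks(dst, split_networks):
    """True if dst lies inside any configured split network."""
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in split_networks)


def classify_flows(flows, split_networks):
    """Map each flow name to 'tunnelled' or 'local' under the thread's working
    assumption that a RED in Standard/Split mode only carries traffic to
    split-network destinations over the tunnel.  This models the poster's
    observation, not documented RED behaviour."""
    return {
        f.name: ("tunnelled" if in_split_networks(f.dst, split_networks) else "local")
        for f in flows
    }


def unreachable_flows(flows, split_networks):
    """Flows whose destination is not covered by any split network.  When that
    destination sits behind another RED, 'local' means the packet never reaches
    the far site: signalling via the PBX works, media does not ('rings, no voice')."""
    return [f.name for f in flows if not in_split_networks(f.dst, split_networks)]


def audit_split_config(split_networks, client_nets):
    """Warn for every subnet that holds RED clients but is missing from the split
    list, since same-subnet flows between sites would then not be tunnelled."""
    warnings = []
    for net in client_nets:
        client_net = ipaddress.ip_network(net, strict=False)
        covered = any(
            client_net.subnet_of(ipaddress.ip_network(s, strict=False))
            for s in split_networks
        )
        if not covered:
            warnings.append(f"client subnet {net} is not in the split networks")
    return warnings


if __name__ == "__main__":
    for label, split in (("before", SPLIT_BEFORE), ("after", SPLIT_AFTER)):
        print(f"--- split networks ({label}): {split}")
        for name, verdict in classify_flows(CALL_FLOWS, split).items():
            print(f"{verdict:>9}  {name}")
        print("warnings:", audit_split_config(split, [BRIDGE_NET]) or "none")
```

    Run as is, the "before" list leaves both RTP flows local while the SIP flows to the PBX are tunnelled, and the audit reports the bridge subnet as missing; the "after" list covers every flow and produces no warning. The same audit can be pointed at any list of client subnets behind RED sites.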

  • Hello Michael,

    If you do a Packet Capture from the GUI, do you see anything related to IP_Spoof when you haven't added the RED network in the Split network? 

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hello,

    No, I don't see any IP Spoof messages.