Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 9 replies
  • Answers 1 answer
  • Subscribers 27 subscribers
  • Views 12843 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Bugs in VLAN implementation?

Squonk

Hello

I think that there is a misbehaviour concerning VLANs on the XG Platform.

The scenario is:
SFOS 17.0.5 MR5 installed.
Cisco Switch with 2 VLANs (Trunk Port 90,100) connected to the XG LAN Port (Port1).

Port 1 (LAN) 10.255.0.2 /32 --> Dummy Adress, field can't be empty
VLAN 1.90: 10.0.1.1 /24 and DHCP 10.0.1.245-10.0.1.254
VLAN 1.100: 10.0.100.1 /24

Port 2 (WAN) 10.0.9.2 /24

Problem 1:
VLAN 90 has a Sonos System, Mobile Phones and a Laptop connected. Mixed with
Static and DHCP addresses. All devices are able to connect to the Internet
and the Mobile Phones play webradio to the Sonos System. So far so good.

Obviously the DHCP server assigns addresses to the devices, but in the DHCP
configuration there are no IP4 leases listed at all.

Problem 2:
Using a Firewall Rule my attempt was to access devices in VLAN 100 from VLAN 90
but I don't get it working the way I'd like to.

Source Zone: LAN
Source Network and Devices: #Port1.90
Destination Zone: LAN
Destination Networks: #Port 1.100
Services: Any

The scenario above doesn't work at all.

Identical behaviour is when I want to limit the traffic to WAN to be from VLAN 90
only (i.e. by modifying the Sophos Standard Rule).

Source Zone: LAN
Source Network and Devices: #Port1.90
Destination Zone: WAN
Destination Networks: Any
Services: Any

The scenario above works only by setting "Source Network and Devices" to "Any".
Otherwiese no device on VLAN 90 can connect to the Internet.

Does anyone have an idea or do I misunderstand the VLAN concept on Sopos?
Thanks for any help.

 



This thread was automatically locked due to age.
  • 0

    Hi,

    from what I can see you have hit one of the limitations in the current version of XG (and all previous versions) you cannot use the 1.100 or any VLAN in the devices field. Try using the IP address range for the VLAN and see if that helps. I haven't tried to build a vlan in mr-5.

    One day somewhere in the future this will be fixed along with port renaming. No one will supply a definite date or version.

    Ian

  • 0 in reply to rfcat_vk

    Hi rfcat_va

    thank you for the workaround. I'm gonna try it out and hope that it'll work.

    I'd dislike to go back to my old non-VLAN configuration. Hoping that the

    (soon) future brings a fix for this...

     

    squonk

  • 0 in reply to Squonk

    Hi,

    I went back to a non VLAN environment and used clientless users to provide seperation for internet access. Depends on how many devices you have n your network whether it is a practical solution, I have about 20 or so active and an allowance for another 8 for devices that have both wifi and LAN connections.

    Ian

  • 0 in reply to rfcat_vk

    Hi rfcat_vk

    I created two IP Ranges:
    VL90-IPs 10.0.1.1 - 10.0.1.254
    VL100-IPs 10.0.100.1 - 10.0.100.254

    This firewall rule works now - Workaround successful.

    Source Zone: LAN
    Source Network and Devices: VL90-IPs
    Destination Zone: WAN
    Destination Networks: Any
    Services: Any

    However this guy here still refuses working...

    Source Zone: LAN
    Source Network and Devices: VL90-IPs
    Destination Zone: LAN
    Destination Networks: VL100-IPs
    Services: Any

    At least half success :-)

    I keep testing...

     

     

  • 0 in reply to Squonk

    Hi,

    Check #1 in my troubleshooting guide? If XG forwards the packet to VLAN then check the switch if XG drops the packet, show us the log lines. 

    Thanks

  • 0 in reply to sachingurung

    This is the Log line showing the event in question:

    messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="129" fw_rule_id="5" policy_type="1" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" in_interface="Port1.90" out_interface="Port1.100" src_mac="00: 0:00: 0:00: 0" src_ip="10.0.1.10" src_country="R1" dst_ip="10.0.100.34" dst_country="R1" protocol="TCP" src_port="62486" dst_port="80" packets_sent="3" packets_received="0" bytes_sent="156" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="LAN" dst_zone="LAN" con_direction="" con_event="Stop" con_id="2860622240" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature"

     

    What catched my attention was a source mac address of "00: 0:00: 0:00: 0". Seems rather strange to me.

  • 0 in reply to Squonk

    Hi, 

    The logs don't show any drops. Do a tracert to the destination IP address and check which hop causes the drop. Is it the XG firewall?

    Thanks

  • 0 in reply to sachingurung

    Hi

    well, I'm afraid that there isn't that much to trace, since the chain is pretty straight layer 2.

    Workstation --> Switch 1 Access Port --> Switch 1 Trunk Port --> Switch 2 Trunk Port --> Switch 2 Trunk Port --> Trunk to Sophos XG

    Anyway...this is what is to be expected: 10.0.1.1 is the IP of Port1.90 interface on the XG.

    1 <1 ms <1 ms <1 ms 10.0.1.1
    2 * * * Request timed out

    So, yes, most likely it is the firewall.

  • 0 in reply to Squonk

    I will PM you for further investigation.

    Thanks