
Sophos XG Home VLAN

I am clearly missing something so I'm hoping someone here can help me out.


Here is the Sophos XG config (ignore GuestAP interface, it isn't in use):

Single VLAN interface using Port3.

This is the VLAN interface setup:

Here is the DHCP setup:

I am connecting a laptop directly into the physical port on the XG firewall for Port3 and manually assigning an IP address of 10.10.10.5. For some reason, I cannot ping Sophos XG firewall and have no access to the outside world.

Both Port3 and Port3.10 are in the LAN Zone and here is the Zone config:

When I leave the laptop in DHCP mode, it is assigned an IP in the 192.168.200.1/24 range and everything works as expected. But when manually assigned, nothing seems to work.

Here is my firewall rule:

What am I missing? This should work, correct?



  • Very simple, you do not have a VLAN configured on your PC. You would need a managed switch with tagged and untagged ports.

    Ian

  • Sorry, should have seen that. Been trying to get this VLAN to work for over a day now.

    Here is the Ubiquiti switch config:

    Switch Port 3 = Sophos XG

    Switch Port 8 = Laptop

    Still no traffic allowed and no DHCP assignment.

  • Hi Nash,

    I don't see a gateway assigned, but that doesn't affect the DHCP requests. Does the switch have any protocol functions?

    If you plug the PC into, say, port 8, which should be part of VLAN 1, what do you get for an IP address?

    Ian

    added info

    Your configuration shows 3.10, should now be 3.20

  • The laptop is currently plugged into Switch Port 8.

    When I change the switch settings to this, I get assigned an IP in the 192.168.100.X range which is correct for the standard default DHCP server for Port 1 on Sophos.

    As soon as I exclude Switch Port 8 from VLAN1, DHCP fails to assign an IP for the 10.10.10.X range. Since the port is tagged for VLAN20, I expect it to assign an IP in the 10.10.10.X range but even with a manual IP assignment, no internet connectivity.

  • rfcat_vk said:

    I don't see a gateway assigned

    By the way, the DHCP setup uses a static IP range that I assigned during setup, and the gateway is disabled by default in that setup. When creating VLAN20, I selected to use the interface IP as the gateway. This is how all the instructions I've seen so far indicate the setup should be.

  • The laptop should be connected to an untagged port and the XG to a port tagged for VLAN20.

    I know this is the simple solution but please try restarting the XG.

    Ian

  • rfcat_vk said:

    added info

    Your configuration shows 3.10, should now be 3.20


    Yeah sorry, I had to change my config a bit because Port 3 is normally assigned to my teenaged son. While he's asleep I can use it to test, but now that he's using the computer, I had to revert to...

    - Port 1.20 VLAN
    - DHCP changed accordingly as well
  • I am missing something. Tomorrow when my home is asleep I will add a VLAN to my network. Then I'll update this thread.

    Ian

  • I assume you are using the XG for your DHCP server. If this is the case, do you have a DHCP server set up for VLAN20 and the Port(x).20 interface?

    With Sophos XG and UBNT switches using VLANs, check to make sure that Port(x) is plugged into your UBNT switch and the switch port is configured for VLAN1 {U} (untagged) and VLAN20 {T} (tagged). The switch ports that PCs will connect directly to via ethernet should be configured with all VLANs set to {E} (exclude) and VLAN20 on that port set to {U} (untagged).

    Now if you are using a UBNT access point with multiple SSIDs tied to VLANs, the port the UBNT AP is plugged into should be configured as follows:

    • VLAN1 {U}
    • VLAN20 {T}
    • VLAN30 {T}

    VLAN20 and VLAN30 are just examples but hopefully you follow the logic.


    Hope this helps.

    -Ron
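    To make the U/T/E logic above concrete, here is a small model of 802.1Q port membership as the UBNT switch UI presents it. It is an added example, not code from the thread or from Sophos/Ubiquiti; it only checks port membership (which VLAN an untagged laptop's frames are placed in and whether that VLAN is tagged toward the XG), and the port numbers, VLAN ids and the Port1.20 sub-interface come from the thread while the function names are my own.

```python
# Added example, not from the thread: a model of 802.1Q port membership as the
# UBNT switch UI shows it (U = untagged, T = tagged, E = excluded). It predicts
# which VLAN an untagged laptop's DHCP discover lands in and whether that VLAN
# is carried, tagged, to the XG's Port1.20 sub-interface. Names are my own.
from dataclasses import dataclass

U, T, E = "U", "T", "E"
XG_VLAN = 20  # the XG's Port1.20 sub-interface expects 802.1Q tag 20


@dataclass
class SwitchPort:
    name: str
    membership: dict  # vlan id -> U / T / E

    def pvid(self):
        """VLAN that untagged ingress frames are assigned to: the single VLAN
        marked U on this port, or None if no VLAN is untagged here."""
        untagged = [v for v, m in self.membership.items() if m == U]
        return untagged[0] if len(untagged) == 1 else None


def check_path(host_port, xg_port, vlan=XG_VLAN):
    """Return (reaches_xg_vlan, reason) for an untagged host on host_port
    talking to the XG sub-interface for `vlan` through xg_port."""
    pvid = host_port.pvid()
    if pvid is None:
        # Port only has tagged/excluded VLANs: the laptop's untagged DHCP
        # discover has no VLAN to land in and is dropped at the switch.
        return False, f"{host_port.name}: no untagged VLAN, untagged frames are dropped"
    if pvid != vlan:
        return False, f"{host_port.name}: untagged frames land in VLAN {pvid}, not {vlan}"
    if xg_port.membership.get(vlan) != T:
        return False, f"{xg_port.name}: VLAN {vlan} must be tagged toward the XG"
    return True, "ok"


# Switch port 3 as the thread describes it: VLAN1 untagged, VLAN20 tagged.
PORT3_XG = SwitchPort("port3", {1: U, 20: T})
# Laptop port 8 in the three states the thread goes through.
PORT8_POSTED = SwitchPort("port8", {1: E, 20: T})  # laptop port tagged: no DHCP
PORT8_VLAN1 = SwitchPort("port8", {1: U, 20: T})   # laptop gets 192.168.100.x (VLAN1)
PORT8_FIXED = SwitchPort("port8", {1: E, 20: U})   # the layout Ron describes

if __name__ == "__main__":
    for p in (PORT8_POSTED, PORT8_VLAN1, PORT8_FIXED):
        print(p.membership, check_path(p, PORT3_XG))
```

    Only the first two port states are explained by membership alone; a port that the model reports as "ok" but still hands out no address points to something other than tagging, which is where a capture on the XG side comes in.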

  • Thanks, that's how I understand it to work as well but I've rebooted the switch and it has since not allowed me access back in via GUI or SSH so I may have to wait until later today to try to regain access to look into this further.

  • Hi

    Finally got to resetting my switch and recovering from backup.


    I have my Sophos XG set up as you mention. The VLAN is Port 1.20 (a VLAN from my existing LAN Port1). I've also set up a DHCP server in Sophos for this new interface, Port 1 VLAN 20.

    My switch is set with a single VLAN (20). Sophos XG is connected to Switch Port 3. That port is set to Untagged for "default" VLAN 1 and Tagged for VLAN20.

    My laptop is connected to switch port 8. Switch port 8 is set to "default" VLAN 1 as Excluded and Tagged for VLAN20.

    EDIT: Both Interface Port1 and Interface Port1.20 are assigned to the LAN Zone.


    No DHCP address is handed out. The laptop goes to self-assigned IP and there is no ping available from either 192.168.100.1 (VLAN1 Interface) or 10.10.10.1 (VLAN20 Interface).


    EDIT 2: If I assign IP manually to the laptop, I still can't ping the gateway (10.10.10.1). I can ping both 192.168.100.1 and 10.10.10.1 from any other computer on the network, but not the one assigned to the VLAN.

  • Something is not making sense. Assuming that you do not have any sort of VLAN configuration set up on the computer, can you please try the following:

    • ssh to your XG using admin:<your password>
    • select option 5, then option 3
    • run tcpdump -nvi Port1.20

    From your computer try to refresh DHCP and see if anything appears in your tcpdump?

    Do you have network definitions for your LAN zone or are you using "Any" for the network?

    Have you tested the ethernet cable you are using between switch port 3 and the computer?

    Which UBNT switch are you using, EdgeSwitch or UniFi?

    Hopefully the above gets you closer to a resolution.

    -Ron

  • This is the result of the tcpdump screen after 2 disconnects and reconnects of the network cable. Nothing happens. The cable is good, tested on another computer just to make sure.

    The firewall rule for allowing HTTP/S, DNS...etc looks like this.

    I did not create a new zone when I created the VLAN.

    The initial problem is that the device doesn't get assigned an IP address at all from the new 10.10.10.1 DHCP server so there's not even a chance for it to communicate back to the firewall rules. I've tried manually assigning an IP in the range to no avail.

    Edgemax ES-48-500W config:

    Blue arrow = Sophos XG port

    Orange arrow = PC port with Excluded VLAN1 and Untagged VLAN20

    It's infuriating because I assume the issue is with something I've messed up on my side, but this all looks correct to me. I think my first step is trying to figure out why it's not getting assigned an IP at all.

    Definitely appreciate the help.

  • Does the switch show any traffic on those ports?

    Ian


    Added a VLAN to my XG and the Netgear JGS516PE without any real issues; I just forgot I had locked one device's IP. VoIP devices are now working over the VLAN while the remaining devices work through the physical connection.