
Sophos XG Home VLAN

I am clearly missing something so I'm hoping someone here can help me out.


Here is the Sophos XG config (ignore GuestAP interface, it isn't in use):

Single VLAN interface using Port3.

This is the VLAN interface setup:

Here is the DHCP setup:

I am connecting a laptop directly into the physical port on the XG firewall for Port3 and manually assigning an IP address of 10.10.10.5. For some reason, I cannot ping Sophos XG firewall and have no access to the outside world.

Both Port3 and Port3.10 are in the LAN Zone and here is the Zone config:

When I leave the laptop in DHCP mode, it is assigned an IP in the 192.168.200.1/24 range and everything works as expected. But when manually assigned, nothing seems to work.

Here is my firewall rule:

What am I missing? This should work, correct?



  • Thanks, that's how I understand it to work as well but I've rebooted the switch and it has since not allowed me access back in via GUI or SSH so I may have to wait until later today to try to regain access to look into this further.

  • Hi 


    Finally got to resetting my switch and recovering from backup.


    I have my Sophos XG setup as you mention. VLAN is Port 1.20 (a VLAN from my existing LAN Port1). I've also setup a DHCP server in Sophos for this new Interface Port 1 Vlan 20.

    My switch is set with a single VLAN (20). Sophos XG is connected to Switch Port 3. That port is set to Untagged for "default" VLAN 1 and Tagged for VLAN20.

    My laptop is connected to switch port 8. Switch port 8 is set to "default" VLAN 1 as Excluded and Tagged for VLAN20.

    EDIT: Both Interface Port1 and Interface Port1.20 are assigned to the LAN Zone.


    No DHCP address is handed out. The laptop goes to self-assigned IP and there is no ping available from either 192.168.100.1 (VLAN1 Interface) or 10.10.10.1 (VLAN20 Interface).


    EDIT 2: If I assign IP manually to the laptop, I still can't ping the gateway (10.10.10.1). I can ping both 192.168.100.1 and 10.10.10.1 from any other computer on the network, but not the one assigned to the VLAN.

  • Something is not making sense. Assuming that you do not have any sort of VLAN configuration setup on the computer. Can you please try the following:

    • ssh to your XG using admin:<your password>
    • select option 5, then option 3
    • run tcpdump -nvi Port1.20

    From your computer try to refresh DHCP and see if anything appears in your tcpdump?

    Do you have network definitions for your LAN zone or are you using "Any" for the network?

    Have you tested the ethernet cable you are using between switch port 3 and the computer?

    Which UBNT switch are you using, EdgeSwitch or UniFi?

    Hopefully the above gets you closer to a resolution.

    -Ron

  • "My laptop is connected to switch port 8. Switch port 8 is set to "default" VLAN 1 as Excluded and Tagged for VLAN20"

    Port 8 should be untagged as part of that vlan.

    Some setting in your switch is not correct, e.g. does it allow full flow through, or has it got a block on broadcasts?

    Ian

  • This is the result of the tcp dump screen after 2 disconnects and reconnects of the network cable. Nothing happens. Cable is good, tested on another computer just to make sure.

    The firewall rule for allowing HTTP/S, DNS...etc looks like this.

    I did not create a new zone when I created the VLAN.

    The initial problem is that the device doesn't get assigned an IP address at all from the new 10.10.10.1 DHCP server so there's not even a chance for it to communicate back to the firewall rules. I've tried manually assigning an IP in the range to no avail.

    Edgemax ES-48-500W config:

    Blue arrow = Sophos XG port

    Orange arrow = PC port with Excluded VLAN1 and Untagged VLAN20

    It's infuriating because I assume the issue is with something I've messed up on my side but this all looks correct to me. I think my first step is trying to figure out why it's not getting assigned an IP at all.

    Definitely appreciate the help.

  • Does the switch show any traffic on those ports?

    Ian

     

    Added a vlan to my XG and the Netgear JGS516PE without any real issues, just forgot I had locked one devices IP. VoIP devices now working over the VLAN while the remaining devices work through the physical connection.

  • Hi,


    First of all, if you are connecting your laptop directly to port 3, it will consider the default VLAN.

    But you can also configure the VLAN on your laptop just for testing; refer to the link below:

    https://www.startech.com/faq/networking_VLAN_tagging.


    Please check whether you have configured the TRUNK port (which is connected to XG port 3) on the switch or not.


    Hope this will help you.

  • Hi NashBrydges ,

    Please check the tcpdump from your device based on source address or destination address.

    Test

    Use the test site http://103.23.140.55

    console > tcpdump 'host 103.23.140.55'

    The traffic incoming to the XG firewall should be tagged with the correct VLAN ID. Based on the incoming traffic you could start working on it. You may also create a VLAN tag on your Windows ethernet adapter and test it.
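    The replies above from Ron (tcpdump on Port1.20) and Aditya (incoming traffic must carry the right VLAN ID) both come down to one question: does the frame from the laptop arrive at the XG with an 802.1Q tag for VLAN 20, or untagged? The following is an added example, not code from the thread or from Sophos. It constructs a DHCP Discover frame twice, once tagged for VLAN 20 and once untagged, parses the Ethernet/802.1Q/IPv4/UDP headers, and models which XG interface (Port1 versus Port1.20) would receive each one. The laptop MAC, the XID and the interface name "Port1" are assumptions; IP and UDP checksums are left at zero because the frames are never sent.

```python
"""Classify DHCP frames by 802.1Q tag: added example, not code from the thread.

The frames are constructed in-line so the script runs offline. On the XG
console the equivalent check is a capture on the parent interface with
link-layer headers shown (tcpdump -e -n -i Port1), where a tagged frame
prints "vlan 20" and an untagged one does not.
"""
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
DHCP_SERVER_PORT = 67
DHCP_CLIENT_PORT = 68

LAPTOP_MAC = bytes.fromhex("001122334455")  # assumed, constructed for the example


@dataclass
class FrameInfo:
    src_mac: str
    dst_mac: str
    vlan_id: Optional[int]  # None when the frame has no 802.1Q tag
    is_dhcp: bool           # UDP between ports 68 and 67


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(frame: bytes) -> FrameInfo:
    """Decode Ethernet II, an optional single 802.1Q tag, IPv4 and UDP ports."""
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan_id = 14, None
    if ethertype == ETHERTYPE_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        vlan_id = tci & 0x0FFF              # low 12 bits of the TCI hold the VLAN ID
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    is_dhcp = False
    if ethertype == ETHERTYPE_IPV4:
        ihl = (frame[offset] & 0x0F) * 4    # IPv4 header length in bytes
        if frame[offset + 9] == IPPROTO_UDP:
            sport, dport = struct.unpack("!HH", frame[offset + ihl:offset + ihl + 4])
            is_dhcp = {sport, dport} == {DHCP_CLIENT_PORT, DHCP_SERVER_PORT}
    return FrameInfo(_mac(src), _mac(dst), vlan_id, is_dhcp)


def build_dhcp_discover(src_mac: bytes, vlan_id: Optional[int] = None) -> bytes:
    """Construct a broadcast DHCP Discover; tagged with vlan_id when given."""
    # BOOTP: op=1 (BOOTREQUEST), htype=1 (Ethernet), hlen=6, hops=0, xid, secs, flags=broadcast
    bootp = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x3903F326, 0, 0x8000)
    bootp += b"\x00" * 16                   # ciaddr, yiaddr, siaddr, giaddr
    bootp += src_mac + b"\x00" * 10         # chaddr padded to 16 bytes
    bootp += b"\x00" * 192                  # sname (64) + file (128)
    bootp += b"\x63\x82\x53\x63"            # DHCP magic cookie
    bootp += b"\x35\x01\x01\xff"            # option 53 = DHCPDISCOVER, then end option
    udp = struct.pack("!HHHH", DHCP_CLIENT_PORT, DHCP_SERVER_PORT, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     bytes(4), b"\xff\xff\xff\xff") + udp   # 0.0.0.0 -> 255.255.255.255
    hdr = b"\xff" * 6 + src_mac             # broadcast destination, laptop source
    if vlan_id is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vlan_id & 0x0FFF)  # PCP=0, DEI=0
    hdr += struct.pack("!H", ETHERTYPE_IPV4)
    return hdr + ip


def receiving_interface(frame: bytes, parent: str = "Port1") -> str:
    """Model of where the XG delivers the frame: parent for untagged, parent.N for VLAN N.

    This mirrors how a Linux VLAN sub-interface behaves; it is not Sophos code.
    """
    info = parse_frame(frame)
    return parent if info.vlan_id is None else f"{parent}.{info.vlan_id}"


if __name__ == "__main__":
    for label, frame in (("tagged VLAN 20", build_dhcp_discover(LAPTOP_MAC, 20)),
                         ("untagged", build_dhcp_discover(LAPTOP_MAC))):
        info = parse_frame(frame)
        print(f"{label}: vlan={info.vlan_id} dhcp={info.is_dhcp} -> {receiving_interface(frame)}")
```

    The model matches the observation later in the thread: with the laptop's switch port untagged in VLAN 20 the frame carries the tag and lands on Port1.20, while an untagged frame lands on Port1 and gets a 192.168.100.x lease. A capture on Port1.20 only ever sees frames that already carried tag 20, so an empty tcpdump there means the switch is not tagging the laptop's traffic on the trunk.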

  • Nikhilesh Sompura said:

    Please check if you have configure the TRUNK port (which is connected on XG port 3) on switch OR not. 

    Yes, confirmed.


    When the Edgemax switch is set to VLAN1 = U and VLAN20 = E for port 8, the laptop obtains the proper 192.168.100.X IP address from Sophos DHCP server.

    When the Edgemax switch is set to VLAN1 = E and VLAN20 = U for port 8, the laptop does not obtain the proper 10.10.10.X IP address from Sophos DHCP server.

  • Aditya Patel said:

    console > tcpdump 'host 103.23.140.55'


    0 packets captured
    0 packets received by filter
    0 packets dropped by kernel