
Routing between Interfaces not working as expected - trying to split my Networks in Subnets

I have a simple problem that has been driving me crazy for some days. I can't get simple subnet routing to work!
Is there some extra config required to enable subnet routing from one LAN port to a second LAN port?

Here is my setup:
Sophos XG installed (virtual in ESXi) in routing mode with 5 physical network adapters:

Port 1 - LAN - with multiple virtual servers in the range 192.168.178.X/24
Port 2 - WAN - physically connected to a FritzBox, which holds a VDSL connection to the ISP, 192.168.177.x/24

So I have used it for a longer time with success and all IP clients obtain their addresses from DHCP in LAN 1.

The new idea is to split all IP clients into three new subnets (one per family in my house: father, sister and me :-)
So I created 3 new zones

Port 3 - A - 192.168.1.254/24
Port 4 - B - 192.168.2.254/24
Port 5 - C - 192.168.3.254/24

with physical uplinks to separate switches with the devices per family, created 3 DHCP servers and so on.

The clients should have access to the Internet (WAN) and some services on my own servers in LAN.
So I created some network rules: "all subnets to WAN - allow all with NAT", "all subnets to LAN - allow all without NAT", …

My clients get a DHCP address with the correct gateway from the XG in the correct subnet, and they have an Internet connection to WAN, but when I open a DOS box or browser and try to access my servers in the LAN zone, the connection fails with a timeout (for example "telnet 192.168.178.5 80" or "ping 192.168.178.5", ...).

But when I check the firewall rules in the tool in the XG web interface, I get the message that the traffic is allowed.
(For example, simulate a client in Port 3 = 192.168.1.100 and connect to a target in Port 1 LAN = 192.168.178.5: the XG shows the correct network rule ID and allows the traffic.)

So my problem is not the firewall rules. When I enable NAT from LAN to LAN in this firewall rule, it works as expected. Without NAT I can't get any connections. But I don't want to use NAT, because 3x NAT is too much and I can't connect from client to client when there is NAT between subnets.

(The problem occurs with 17.v6, v8, and I have reinstalled a second instance of XG for testing from scratch in a simple config - without luck.)
(Special routing config like static routing, RIP, … is not required, because the XG knows all subnets directly at their local interfaces, or not?)

What can I do?



  • Are Port3, Port4, Port5 all in the same zone "LAN" or did you create other zone names for them? Can you please provide a screenshot of your firewall rule(s) pertaining to your use case above. Picture(s) are worth a thousand words.

    I have multiple subnets and zones along with three SSL VPN Site-2Site Links (family members geographically dispersed) and have no NAT in place to communicate to them.


    -Ron

  • I created multiple zones, because they should have separate IPs. But all new zones are of type "LAN":

    This is how it looks in ESXi:

    For the test I created an "Allow all from everywhere to everywhere" rule (without NAT):

    I tested the rule with the XG - the packets should pass the firewall:

    Real test from a machine in the client net - access to the server IP on port 80 - no connection:

    (Gateway is 192.168.1.254 = Sophos interface, IP came via DHCP)

    Curious:

    I can ping 192.168.178.1 = ESXi and 192.168.178.254 = Sophos gateway in the server network - but no other machine in the server network.

  • Sorry it took so long. Had to use Google Translate along with my firewall to understand what I was looking at. (I do not know German.)

    A couple of things:

    • Your WAN port with the Fritzbox is causing a double NAT. This could potentially break some things. Can the Fritzbox be put into bridge mode?
    • Start simple by defining IP networks and use the objects instead of Any.
      • Since the firewall works top down, create a rule at the top with Markus Zone and Markus Subnet for the source, with destination LAN Zone and LAN Subnet and Service Any. Only have logging enabled.
      • Test connectivity.
    • If it works, add additional zones to the destinations with their subnets.

    You never mentioned if all of your zones are able to get out to the internet via the WAN and double NAT.

    Hope this helps

    -Ron

  • It was not very smart to attach the screenshots in German - sorry for that!!

    Double NAT:
    I have to live with this config for a longer time, because the Fritzbox can't act as a bridge. The box hosts additional services like DECT and VoIP and wants to connect to the Internet itself. Sophos XG is configured as DMZ/exposed host, so it's no problem to reach my network from the Internet (VPN, web server …).
    I expect a little bit of extra security from double NAT, because the XG resides virtually in ESXi and attacks on the network level require hacking the Fritzbox and ESXi/XG together.

    The clients in my new subnets have Internet access over their local XG gateway in the subnet = 192.168.(1-3).254.
    They only have problems reaching my local servers in LAN = 192.168.178.x.

    I tried for about 3 days to build a rule that allows this traffic, in all combinations. I created IP hosts and subnets and tried to use them instead of objects like #PORTx or "ALL". The self-test for the rules shows every time that the traffic is allowed and will pass the firewall with the correct rule ID - but it doesn't work on a real client in the subnet!

    The only working config is to activate triple NAT in the firewall rule, and that's stupid, because I want to use routing in my own network.

    The live log of the firewall rules doesn't show any denied packets when I filter for source and destination IP!

    Are there any tricks to check the functionality on the XG itself, on the console for example? I think it's not solvable with changes in firewall rules …

    (Next steps could be reconfiguring as VLAN-tagged subnets, but then I limit the bandwidth over one physical uplink, or I can try to create a new vSwitch in ESXi, but this is all trial and error.)

  • MarkusArndt said:

    It was not very smart to attach the screenshots in German - sorry for that!!

    No worries.  :)

    MarkusArndt said:

    Double NAT:
    I have to live with this config for a longer time, because the Fritzbox can't act as a bridge. The box hosts additional services like DECT and VoIP and wants to connect to the Internet itself. Sophos XG is configured as DMZ/exposed host, so it's no problem to reach my network from the Internet (VPN, web server …).
    I expect a little bit of extra security from double NAT, because the XG resides virtually in ESXi and attacks on the network level require hacking the Fritzbox and ESXi/XG together.

    Ok, just wanted to make sure we are all on the same page.

    MarkusArndt said:

    The clients in my new subnets have Internet access over their local XG gateway in the subnet = 192.168.(1-3).254.

    Ok, that means that the gateway and DNS are working properly for those subnets/zones.

    MarkusArndt said:

    They only have problems reaching my local servers in LAN = 192.168.178.x.

    I assume you have confirmed that you have the proper gateway set on your local servers and have tested it.

    MarkusArndt said:

    The only working config is to activate triple NAT in the firewall rule, and that's stupid, because I want to use routing in my own network.

    I agree that would be absurd.

    MarkusArndt said:

    The live log of the firewall rules doesn't show any denied packets when I filter for source and destination IP!

    Are there any tricks to check the functionality on the XG itself, on the console for example? I think it's not solvable with changes in firewall rules …

    Yes. SSH in to the firewall and select option 5 (Device Management), then select option 3 (Advanced Shell). From here you can run tcpdump. With what you are seeing in the GUI (Log Viewer, Test Policy, etc.) I can think of only two things:
    • A vSwitch misconfiguration in ESXi.
    • A typo in one of the network settings:
      • subnet mask
      • gateway

    Hope this gives you some ideas and helps.

    -Ron
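The two suspects Ron names (subnet mask and gateway typos), plus the question raised earlier of whether static routes are needed at all, can be checked on paper before reaching for tcpdump. The following is an added example, not code from anyone in this thread: it models the XG's directly connected interfaces as described above and checks a client/server pair for a working forward and return path; the host settings it is fed are constructed, and `connected_route`, `check_host` and `path_check` are hypothetical names.

```python
import ipaddress

# Constructed model of the XG's directly connected interfaces as described in the
# thread (interface IP / prefix length). Not exported from any real device.
XG_INTERFACES = {
    "Port1 LAN": ipaddress.ip_interface("192.168.178.254/24"),
    "Port3 A": ipaddress.ip_interface("192.168.1.254/24"),
    "Port4 B": ipaddress.ip_interface("192.168.2.254/24"),
    "Port5 C": ipaddress.ip_interface("192.168.3.254/24"),
}
XG_BY_IP = {iface.ip: iface for iface in XG_INTERFACES.values()}


def connected_route(dst):
    """Longest-prefix match of dst against the connected networks only.
    Returns the egress interface name, or None if a static route would be needed."""
    dst = ipaddress.ip_address(dst)
    matches = [(iface.network.prefixlen, name)
               for name, iface in XG_INTERFACES.items() if dst in iface.network]
    return max(matches)[1] if matches else None


def check_host(ip, mask, gateway):
    """Sanity-check one host's IP settings (the mask/gateway 'typo' cases).
    An empty result means the host will hand off-subnet traffic to the XG."""
    findings = []
    host = ipaddress.ip_interface(f"{ip}/{mask}")
    gw = ipaddress.ip_address(gateway)
    if gw not in host.network:
        findings.append("gateway is outside the host's own subnet (mask or gateway typo)")
    if gw not in XG_BY_IP:
        findings.append("gateway is not an XG interface, so replies would bypass the XG")
    elif host.network != XG_BY_IP[gw].network:
        findings.append("host subnet mask differs from the XG interface mask")
    return findings


def path_check(client, server):
    """client and server are (ip, mask, gateway) tuples. Checks the forward path
    (client -> XG -> server) and the return path (server -> XG -> client): both
    hosts must use the XG as gateway and both must sit on connected XG networks."""
    problems = [f"client: {f}" for f in check_host(*client)]
    problems += [f"server: {f}" for f in check_host(*server)]
    for role, (ip, _, _) in (("client", client), ("server", server)):
        if connected_route(ip) is None:
            problems.append(f"{role}: {ip} is not on a connected XG network; static route needed")
    return problems


if __name__ == "__main__":  # constructed scenario: the server's gateway is not the XG
    print(path_check(("192.168.1.100", "255.255.255.0", "192.168.1.254"),
                     ("192.168.178.5", "255.255.255.0", "192.168.178.1")))
```

A server whose gateway is not the XG still answers pings to the XG's own 192.168.178.254 (same subnet, no routing involved), so a clean result here only rules out the configuration side; a firmware issue, as reported at the end of the thread, would need the tcpdump check on the box itself.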

  • I let the whole thing rest for a while. After upgrading > SFOS 17.1.2 the problem was fixed without me doing anything or changing the configuration. The routing on the older firmware versions was disturbed by a bug, at least in my environment.
    Thanks for your help.
