Multicast OSPF traffic being dropped

Hi Everyone,

My company recently put a Sophos XG Virtual Appliance on our ESXi host between the LAN and our MikroTik routerboard in bridge mode. So essentially all the traffic from our LAN has to pass through the firewall first.

Now my problem comes in where I am running OSPF on our main MikroTik routerboard and I have a lab on the LAN that is also running OSPF. I wanted to distribute routes to my lab MikroTiks via OSPF, but I realised that all of my multicast traffic between the main MikroTik routerboard and my lab MikroTiks on the LAN is being dropped.

I have tried many combinations of rules in order to try and accept the OSPF multicast traffic on 224.0.0.5 but none of my rules are accepting any of the traffic no matter how specific I get. They are all getting dropped by the default drop all rule id 0.

I have added the multicast address as a host and set it as the destination network/address, selected any interfaces and any source subnets and the rule still doesn't accept the traffic.

Am I perhaps misunderstanding how the XG Firewall rules work?

Here is an example of one of the packets being dropped:

Port B: WAN

Port A: LAN

Src MAC address: MikroTik on the LAN trying to push out OSPF multicast broadcast

2018-07-24 10:13:04 0101021 proto 89:
0x0000:  45c0 0044 2143 0000 0159 ad55 0a02 0002  E..D!C...Y.U....
0x0010:  e000 0005 0201 0030 0aff ff03 0000 0000  .......0........
0x0020:  d48e 0000 0000 0000 0000 0000 ffff ff00  ................
0x0030:  000a 0201 0000 0028 0a02 0002 0a02 0001  .......(........
0x0040:  0aff ff02                                ....
Date=2018-07-24 Time=10:13:04 log_id=0101021 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=PortA out_dev=PortB inzone_id=1 outzone_id=4 source_mac=00:0c:42:c4:54:54 dest_mac=01:00:5e:00:00:05 l3_protocol=IP source_ip=10.2.0.2 dest_ip=224.0.0.5 l4_protocol=89 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x8001 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=16 connid=847535008 masterid=0 status=392 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
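
Added example (not part of the original post): a Python decode of the hex dump above, confirming from the bytes that the dropped packet is an OSPFv2 Hello (IP protocol 89, TTL 1) sent to 224.0.0.5 and listing its Hello fields. The field offsets follow the OSPFv2 packet format in RFC 2328; the function and dictionary key names are illustrative.

```python
import ipaddress
import struct

# Hex words copied from the dropped packet in the post above (IP header + OSPF payload).
DUMP = """
45c0 0044 2143 0000 0159 ad55 0a02 0002
e000 0005 0201 0030 0aff ff03 0000 0000
d48e 0000 0000 0000 0000 0000 ffff ff00
000a 0201 0000 0028 0a02 0002 0a02 0001
0aff ff02
"""

OSPF_TYPES = {1: "Hello", 2: "DB Description", 3: "LS Request", 4: "LS Update", 5: "LS Ack"}


def ip(raw):
    return str(ipaddress.IPv4Address(raw))


def decode(dump=DUMP):
    pkt = bytes.fromhex("".join(dump.split()))
    ihl = (pkt[0] & 0x0F) * 4
    ttl, proto = pkt[8], pkt[9]
    # One's-complement sum over the IP header is 0xFFFF when the checksum is valid.
    total = sum(struct.unpack(f"!{ihl // 2}H", pkt[:ihl]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    out = {"ip_len": struct.unpack("!H", pkt[2:4])[0], "ttl": ttl, "proto": proto,
           "src": ip(pkt[12:16]), "dst": ip(pkt[16:20]), "ip_csum_ok": total == 0xFFFF}
    if proto != 89:  # not OSPF, nothing more to decode
        return out
    ospf = pkt[ihl:]
    ver, typ, length = struct.unpack("!BBH", ospf[:4])
    out.update(ospf_version=ver, ospf_type=OSPF_TYPES.get(typ, typ), ospf_len=length,
               router_id=ip(ospf[4:8]), area=ip(ospf[8:12]),
               autype=struct.unpack("!H", ospf[14:16])[0])
    if typ == 1:  # Hello body starts after the 24-byte OSPFv2 header
        h = ospf[24:length]
        hello_int, options, prio, dead = struct.unpack("!HBBI", h[4:12])
        out.update(netmask=ip(h[0:4]), hello_interval=hello_int, priority=prio,
                   dead_interval=dead, dr=ip(h[12:16]), bdr=ip(h[16:20]),
                   neighbors=[ip(h[i:i + 4]) for i in range(20, len(h), 4)])
    return out


if __name__ == "__main__":
    for key, value in decode().items():
        print(f"{key:15} {value}")
```

The decoded source, destination and protocol match the `source_ip`, `dest_ip` and `l4_protocol` fields of the firewall log line, so the hex dump and the `fw_rule_id=0` denial describe the same packet.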


