Not able to pass traffic between VLANs

Is ‘Ping’ enabled for LAN in Local Service ACLs on the ‘Administration’ page under the ‘Device Access’ tab? It should be enabled by default, but just another thing to possibly check if you can’t ping.

Your firewall rule seems fine. I just setup mine like yours and I’m able to ping from my untagged LAN to VLAN with no issues.

The rules and the network definitions seems ok. I have mine setup like this with one consolidated rule (not 2).

1. From on of the IP's on VLAN1 - are you able to ping the VLAN2 gateway IP address ? .
2. Confirm you are pinging from the local machine and not through SSL VPN

Yup, pings are enabled

1. I'm able to hit the other vlans gateway IPs fine from either end. Also from the firewall I can ping 192.168.60.x IP addresses if I choose PortA.60 as the source.

2. Haven't even installed the VPN on the machines I'm using, just my phone.

Are your end devices blocking the ping? An antivirus program on it perhaps ?

Create a new rule place on top Source LAN; Source Any. Destination Any ; Source Any. Disable match known users and apply no policy for IPS

Yeah, I've got multiple devices on each end and they can all see each other and up until I try to get passed gateway on the other side.

Added that rule with no luck. It did kill my wan since it's higher than my LAN->WAN NAT rule so disabled after testing. But I guess that rules out the firewall being the cause? Also I did route -n from the console and everything looks good there. 

I was guessing I was doing something wrong with the firewall but if you say it looks good then I imagine it must be. This is such a basic config. It's hosted on esx going into a cisco sg200. Let me go over all that config again and see if somethings wrong there.

Adding on just to make sure this makes sense. I've got sophos xg in a vm, with the LAN/PortA portgroup set to vlan 4095/VGT so it esx doesn't strip the vlan tags. That gets passed to the Cisco SG200 L2 switch with a trunk port with VLAN 60 tagged and untagged going to vlan 1 / the rest of my lan.

As a workaround this would work in your scenario.

One last thing - Create a new NAT rule and enable that in the new firewall rule (this should keep your wan alive).  

So create a FW rule - place on top

Source LAN service Any

Destination LAN service Any

Enable Nat 

Awesome, that did it. I didn't realize you'd need to use NAT between 2 local vlans. 

Both sides see eachother fine now with this as my top rule.

Ha, I was going to suggest turning NAT off if it was on.

That's strange though - why would you need NAT between two local networks? My firewall rule that allows traffic to pass between an untagged (local) network and guest (VLAN) network does not use NAT and it works fine. This is on a bare metal install of Sophos XG.

Yeah, very strange. And now of course if I log into devices on the other vlan it just shows the IP address of the router in the log. I'm still going to keep playing with it more and see if I can figure out better what's going on. Maybe there's still something in the switch or esx I'm missing. Thanks for all your help Shred & AB5g.

Agreed - you don't need a NAT between two local networks if the routing is set up properly. When he tries to access resources in the other VLAN they will show the source to the Natted IP and not the actual source. It works for me without the NAT rule.

Alex_B can you share more information regarding switch that is managing the VLANs?

Is it a physical or virtual switch?

Thanks

Alex_B can you share more information regarding switch that is managing the VLANs?

Is it a physical or virtual switch?

Thanks