Sophos XG Wake On LAN

Question

Hi all, 
 we are trying to get Wake On LAN working, but magic packets seem to be blocked: 
 2018-11-27 10:42:57 0103021 IP 192.168.31.51.52541 > 192.168.30.191.7777 : proto UDP: packet len: 110 checksum : 46636 
 0x0000: 4500 0082 2384 0000 8011 57a4 c0a8 1f33 E...#.....W....3 0x0010: c0a8 1ebf cd3d 1e61 006e b62c ffff ffff .....=.a.n.,.... 0x0020: ffff bcee 7b22 01cf bcee 7b22 01cf bcee ....{"....{".... 0x0030: 7b22 01cf bcee 7b22 01cf bcee 7b22 01cf {"....{"....{".. 0x0040: bcee 7b22 01cf bcee 7b22 01cf bcee 7b22 ..{"....{"....{" 0x0050: 01cf bcee 7b22 01cf bcee 7b22 01cf bcee ....{"....{".... 0x0060: 7b22 01cf bcee 7b22 01cf bcee 7b22 01cf {"....{"....{".. 0x0070: bcee 7b22 01cf bcee 7b22 01cf bcee 7b22 ..{"....{"....{" 0x0080: 01cf .. 
 Date=2018-11-27 Time=10:42:57 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=CLIENTS out_dev= inzone_id=10 outzone_id=4 source_mac=00:23:5e:e5:ce:c2 dest_mac=7c:5a:1c:4c:a7:c8 l3_protocol=IP source_ip=192.168.31.51 dest_ip=192.168.30.191 l4_protocol=UDP source_port=52541 dest_port=7777 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=134096096 masterid=0 status=256 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

LuCar Toni · Accepted Answer

Basically we cannot forward Broadcast packets. It some kind of basic network feature to protect Broadcast flood. 
 https://networkengineering.stackexchange.com/questions/5521/how-can-routers-forward-broadcast-traffic 
 Most of the time, vendors build some kind of workaround to perform this, because some vendors for WoL or DHCP etc. uses this technique . But we did not build anything to forward this. 
 There are couple of feature request. https://ideas.sophos.com/forums/330219-xg-firewall?query=wake%20up%20on%20lan 
 
 I worked with WoL vendors, who can use both. Simple Broadcast, which only works in the same subnet or "specific" hosts. So they basically build a mechanism to send a single packet to each host instead of one to the broadcast address. Just to prevent this. Feel free to ask your WoL Vendor. They should face such issues "all the time", with firewalls.