
XG blocks everything in "bridged" mode

Hi,


I managed to install XG in "bridged" mode, but the firewall blocks all traffic between subnets.


My setup:

Native LAN: 192.168.10.0/24

HOME LAN (VLAN 101): 192.168.30.0/24

GUEST LAN (VLAN 105): 192.168.50.0/24


I have a bridged interface between Port1 (LAN) and Port4 (LAN), and it's set up with IP 192.168.10.252

I'm able to manage the device from a web browser (if the client pc is in the Native LAN), but it's blocking all traffic between subnets:


Log comp: Invalid traffic

Action: Denied

Firewall rule: 0

Message: Could not associate packet to any connection


I don't have a firewall rule 0 when I go to the firewall section in the web interface. I have rule 1 which explicitly allows ANY to ANY on any service or port.


The whole bridged mode is very undocumented IMHO. I've read the article here: https://community.sophos.com/kb/en-us/122973, but it doesn't address the problem I'm experiencing.

Port1 is connected to my main router (which passes both tagged and untagged traffic), Port4 is connected to my managed switch (the port it's connected to also passes all tagged and untagged traffic). I'm on the latest GA firmware.


Something else that bothers me is that I can't access the web interface from the Home VLAN, because a gateway cannot be defined when the bridge only consists of LAN ports. I can add a gateway if I add Port2 (WAN) to the bridge, but I'm not sure that's something I'm supposed to do. But this is not an urgent issue, I just want the traffic flow working for now.

  • Sigh, nothing makes sense anymore. It seems to work for a few minutes, and then traffic gets denied again.

    What bothers me the most is that documentation on the bridge mode is mostly non-existent. There is no clear info on how ports in the bridge should be configured. Does it matter if I select ports that are assigned to the WAN or LAN zone? Should "Enable routing on this bridge pair" be enabled or not? How should the firewall be constructed in bridge mode (I disabled SNAT in the firewall rules, because SNAT happens on my main router), is that enough?


    I'm awaiting the arrival of my EnterpriseGuard license, and Sophos can be sure I will continue bugging their support division until this is working. If you advertise a function, it should work.

  • This is the current situation, as of today:


    LAN port of my Ubiquiti EdgeRouter goes to Port2 on the XG

    Trunk/Uplink port of my switch goes to Port1 on the XG


    Port2 is WAN zone by default, Port1 is LAN zone by default.

    br0 consists of Port1 and Port2


    "Enable routing on this bridge pair" is disabled.


    IPv4 config of br0: ip=192.168.10.252 mask=255.255.255.0 gateway=192.168.10.1


    I want to know if this is a correct configuration for bridged/transparent mode or not.

  • It looks like your XG configuration is correct. I've tested it here and can see the XG passing the VLAN traffic to the router.

    If you have support then it is best to open a support case so we can connect up and take a look for you. 

    If you don't yet have support, can you run a packet capture while running a ping test between the two subnets? See the below KB.

    community.sophos.com/.../123189

  • I have some more information to share:


    - "Enable routing on this bridge pair" must be enabled. If I disable it, everything works, but after a few minutes I see the CPU level rising on the XG and everything comes to a halt. I assume I'm causing some kind of packet storm if I leave it disabled.


    - I also notice that traffic from my home network, but the replies are getting blocked.


    Here is an example:

    But the traffic that is coming back seems to be blocked:

    Nevertheless, I see some connections in the diagnostics of the XG:

    I'm confused.


    Sam, if you got this working, would it be possible to share your firewall rules? Or maybe just one rule that allows all traffic to pass?
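The "Could not associate packet to any connection" verdict with Firewall rule 0 is what a stateful firewall returns for a packet that matches no tracked connection, so a reply whose request never crossed the bridge is denied even when an ANY-to-ANY rule exists. The toy tracker below is an added illustration (my own code, not Sophos code and not from this thread) that reproduces that symptom on the thread's subnets; the hosts and ports are constructed.

```python
# Added example, not from the thread: a toy stateful connection tracker
# showing why a bridge that sees only one direction of a flow logs
# "Could not associate packet to any connection" with Firewall rule 0.
# Subnets are the thread's; the packets below are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str    # "TCP" or "ICMP"
    src: str
    sport: int    # for ICMP, the echo identifier
    dst: str
    dport: int    # for ICMP, 0
    opens: bool   # TCP SYN or ICMP echo-request starts a connection

class ConnTracker:
    """Connection table keyed on the 5-tuple, matched in both directions."""
    def __init__(self):
        self.table = set()
        self.log = []

    def inspect(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.table or rev in self.table:
            return "Allowed"        # part of a known connection
        if p.opens:
            self.table.add(fwd)     # rule 1 (ANY to ANY) accepts the new flow
            return "Allowed"
        # A reply with no state in either direction: the thread's log entry
        self.log.append({"Log comp": "Invalid traffic", "Action": "Denied",
                         "Firewall rule": 0,
                         "Message": "Could not associate packet to any connection"})
        return "Denied"

HOME, GUEST = "192.168.30.10", "192.168.50.20"   # constructed hosts
REQUEST = Packet("TCP", HOME, 50000, GUEST, 80, opens=True)
REPLY = Packet("TCP", GUEST, 80, HOME, 50000, opens=False)

def symmetric_path():
    """Both directions cross the bridge: the request creates state, the reply matches."""
    t = ConnTracker()
    return [t.inspect(REQUEST), t.inspect(REPLY)], t.log

def asymmetric_path():
    """Only the reply crosses the bridge, so there is no state to match."""
    t = ConnTracker()
    return [t.inspect(REPLY)], t.log
```

Capturing on the bridge while pinging between the two subnets, as suggested earlier in the thread, tells you which of the two cases you are in.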

  • The rule I used was an any to any rule. 

    I think the next step is to contact support (either Sophos or your partner) so we can take a closer look at the tests you're running and where it's failing. 

    The invalid traffic can be a bit misleading sometimes. I'm wondering if your router is forwarding the traffic correctly. 

  • Well, if I take XG out, and connect the switch to the router correctly, both internet- and inter-vlan routing are working fine. So, I guess routing itself is working fine.

  • OK that's good to hear. 

    If you contact support so they can take a look I'm sure we can get this resolved for you.

  • Thanks, I received my license, and created a support case for it.

  • Great!

    If you private message me the case number I will add some notes for the engineer. 

  • Sam,


    Would it be possible to post screenshots of the firewall rule you are using? I want to be sure that my firewall rule is correct.


    Do you have anything configured in NAT&Routing section of the firewall rule?