XG blocks everything in "bridged" mode

Hello,

If you are using VLAN tagged traffic you need to add VLAN interfaces to the firewall otherwise the tagged traffic will be dropped. See the below KB

https://community.sophos.com/kb/en-us/123127

Let me know if this helps.

I cannot add a VLAN interface to a bridge.

Well waddayaknow... disabling "Enable routing on this bridge pair" seems to solve the issue :-D

Ok, not solved completely..sigh...

In the logs, I see traffic on port1 permitted, and everything on port4 blocked.

This seems weird, for a bridge...

Thanks for the update Jeroen. I was just about to run some tests for you.

Can you share a screenshot of the logs you are seeing? 

Out of time for today, will post them tomorrow.

No problem.

Just to clarify the above, the XG will forward VLAN traffic however it will not perform inter-VLAN routing. The upstream router will need to do this. 

Sigh, nothing makes sense anymore. It seems to work for a few minutes, and then traffic gets denied again.

What bothers me the most, is that documentation on the bridge mode is mostly non-existent. There is no clear info on how ports in the bridge should be configured. Doest it matter if I select ports that are assigned to WAN or LAN zone? Should "Enable routing on this bridge pair" be enabled or not? How should be the firewall be constructed in bridge mode ((I disabled SNAT in the firewall rules, because SNAT happens on my main router), is that enough?

I' awaiting the arrival of my EnterpriseGuard license, and Sophos can be sure I will continue bugging their support division until this is working. If you advertise a function, it should work.

This is the current situation, as of today:

LAN port of my Ubiquiti EdgeRouter goes to Port2 on the XG

Trunk/Uplink port of my switch goes to Port1 on the XG

Port2 is WAN zone by default, Port1 is LAN zone by default.

br0 consists of Port1 and Port2

"Enable routing on this bridge pair" is disabled.

IPv4 config of br0: ip=192.168.10.252 mask=255.255.255.0 gateway=192.168.10.1

I want to know if this is a correct configuration for bridged/transparant mode or not. 

It looks like your XG configuration is correct. I've tested it here and can see the XG passing the VLAN traffic to the router.

If you have support then it is best to open a support case so we can connect up and take a look for you. 

If you don't yet have support, can you run a packet capture while running a ping test between the two subnets? See the below KB.

community.sophos.com/.../123189

I have some more information to share:

- ""Enable routing on this bridge pair" must be enabled. If I disable it, everything works, but after a few minutes I see the cpu level rising on the XG and everything comes to a halt. I assume I'm causing some kind of packet storm if I leave it disabled.

- I also notice that traffic from my home network, but the replies are getting blocked.

Here is an example:

But the traffic that is coming back seems to be blocked:

Nevertheless, I see some connections in the diagnostics of the XG:

I'm confused.

Sam, if you got this working, would it possible to share your firewall rules? Or maybe just one rule that allows all traffic to pass?

The rule I used was an any to any rule. 

I think the next step is to contact support (either Sophos or your partner) so we can take a closer look at the tests you're running and where it's failing. 

The invalid traffic can be a bit misleading sometimes. I'm wondering if your router is forwarding the traffic correctly. 

The rule I used was an any to any rule. 

I think the next step is to contact support (either Sophos or your partner) so we can take a closer look at the tests you're running and where it's failing. 

The invalid traffic can be a bit misleading sometimes. I'm wondering if your router is forwarding the traffic correctly. 

Well, if I take XG out, and connect the switch to the router correctly, both internet- and inter-vlan routing are working fine. So, I guess routing itself is working fine.

OK that's good to hear. 

If you contact support so they can take a look I'm sure we can get this resolved for you.

Thanks, I received my license, and created a support case for it.

Great!

If you private message me the case number I will add some notes for the engineer. 

Sam,

Would it be possible to post screenshots of the firewall rule you are using? I want to be sure that my firewall rule is correct.

Do you have anything configured in NAT&Routing section of the firewall rule?

I have attached a screenshot of the firewall rule I was using to test. No NAT/masquerading was used. 

I can see an engineer has been assigned to your case. Hopefully they can take a look for you. 

Seems identical to mine. There is no need to define an explit "WAN" to "LAN" rule?

Maybe one more question: I've reading some things that a cross-over cable is required between the WAN port and the router? Is this true?

XG is based on Cyberoam, and the Cyberoam documentation mentions this: https://community.sophos.com/kb/en-us/131062

Or is this no longer necessary on XG?

No need for the WAN to LAN rule if you have the any rule.

Yes it's best practice to use a crossover cable to connect same type devices (router to router/switch to switch).

Do you have one you can try?

Hi Jeroen,

It looks like you managed to resolve this issue by re-configuring the firewall is that right?

If the issue has been resolved could you mark this thread as answered?

Thanks. 

What resolved it? I had the same issue, spent seven hours before giving up.