
VM setup for XG Firewall Home Edition

I am using ProxMox VE on an HP Pavilion laptop with one internal NIC and a USB-NIC adapter.

In my ProxMox setup I have the internal NIC (eno1) bridged to vmbr0 and the USB-NIC (enx.....) bridged to vmbr1. In creating the VE for Sophos XG Firewall Home Edition I have 6 GB of memory, 64 GB of disk space and two network interfaces, net0 (vmbr0) and net1 (vmbr1); see the attached screenshot of the VM configuration.

In the e-mail I got with my serial number it says:

1. Install the downloaded image on your preferred hardware or virtual environment (Note the installation will overwrite the previous operating system and all files).

2. Connect the WAN interface (port 2) on the device to your internet connection.

3. Connect a computer to the LAN interface (port 1) and access the setup screen at 172.16.16.16:4444 (Note: It may take a few minutes for the necessary services to start before the setup screen is ready)

I have done number one, but I have not figured out which interface is port 1 and which is port 2. I have tried plugging the internal NIC (eno1) into my router and the USB-NIC into the laptop I am using to manage the VM. That did not work so I tried it the other way around, still no luck.

When I try to go to the IP address given I get "This site can't be reached". 

You really need to write some instructions for the home user who is clueless about networks and things related to firewalls.

Here is a screen shot of my ProxMox network setup:

Any and all help is greatly appreciated.



  • Hi there,

    The first thing I notice is that both your WAN IP and LAN IP are on the same subnet.... it might just be for testing but the firewall needs to be configured as a router so you would have to have the LAN on another subnet at least, e.g. 192.168.2.X or 3.X.

    I assume you are doing this as you are testing the firewall inside your existing network... this will work but know that you are creating a double NAT situation so some stuff is a lot harder to configure with double NAT (e.g. VOIP).

    Secondly I notice that you have configured your NICs on Proxmox as e-1000 network cards....did you do that because the other didn't work? The default should be virtio as these use way less resources and work well.

    You are not alone being frustrated knowing which port is LAN and which is WAN...once you get access to the GUI you only get Port1 and Port2 as descriptions. The easiest way to figure out what is what is to unplug one and configure the WAN first....you can use the console within Proxmox and then use the menu options within Sophos to configure the WAN interface IP.

    Hope this helps

  • Thank you for your response. I am learning more and more about networking as I go about this project.

    TrevorSymonds said:
    The first thing I notice is that both your WAN IP and LAN IP are on the same subnet.... it might just be for testing but the firewall needs to be configured as a router so you would have to have the LAN on another subnet at least, e.g. 192.168.2.X or 3.X.

    I have changed the static IP for the USB-NIC to 192.168.2.202. 

    TrevorSymonds said:
    I assume you are doing this as you are testing the firewall inside your existing network... this will work but know that you are creating a double NAT situation so some stuff is a lot harder to configure with double NAT (e.g. VOIP).

    No VOIP or other complicated network issues, this is a simple home network.

    TrevorSymonds said:
    Secondly I notice that you have configured your NICs on Proxmox as e-1000 network cards....did you do that because the other didn't work? The default should be virtio as these use way less resources and work well.

    I have changed the NICs to virtio, just a case of not knowing what the heck I am doing.

    TrevorSymonds said:
    You are not alone being frustrated knowing which port is LAN and which is WAN...once you get access to the GUI you only get Port1 and Port2 as descriptions. The easiest way to figure out what is what is to unplug one and configure the WAN first....you can use the console within Proxmox and then use the menu options within Sophos to configure the WAN interface IP.

    That gets into how do I get to the Sophos GUI? I have plugged the firewall directly into my other laptop and tried to go to 192.16.16.16:4444 as instructed in the e-mail that came with my serial number. Do I also need to disable my wireless card on the connected PC so it only can see the Firewall? I have not tried that yet.

  • I forgot to tell you that you will need to give your laptop an IP in the same range as the LAN interface of Sophos.... The Sophos default IP is actually 172.16.16.16 so you would need to go to https://172.16.16.16, it will pop up with a certificate error so you can click continue..... Also you must give your laptop an IP in the same range... Meaning set up IP with a static IP like 172.16.16.1..... Only then will you see the GUI

  • Also when you use the setup wizard within Sophos it will ask to set up WAN and then LAN..... Once configured... You will need to set the laptop up again in the same range as the IP..... One thing that often happens is during setup I get Port 1 and Port 2 mixed up..... Then just change cables

  • First I want to thank you for your time in trying to help me (I need all the help I can get)

    I have been at this all day and I am no closer to getting into the GUI interface for the Sophos XG Firewall Home Edition.

    I am going to call the laptop I am using for ProxMox and Sophos, PVE and the laptop I am using to configure PVE, ControlPC.

    Using the ControlPC I have configured eno1 on PVE as 172.16.16.16/24

    I have also given the internal NIC on the ControlPC the IP address of 172.16.16.2

    I have connected ControlPC and PVE with a network cable (RJ45).

    When I try to go to https://172.16.16.16:4444 it comes back with This site can't be reached.

    I have also tried configuring eno1 on PVE to 172.16.16.6/24 with the same results.

    Here is what my network entries look like on PVE:

    I do not know what else you might need to help me figure this out but if you want any commands run on any of the Virtual Machines, or physical ones let me know.

    Side note: I can ping 172.16.16.16 from the ControlPC just fine but if I try to ping 172.16.16.2 from either ProxMox or Sophos CLI it does not work.

  • Hi,

    I might be misunderstanding what you are saying because to access the XG CLI you need to have access to the GUI unless you are still installing XG and haven't completed the initial reboot after installation?

    Ian

  • XG is fully installed and I can log onto it via the console on ProxMox VE interface.

    After putting in the default password "admin" you get the following menu.

    Then you can choose 5: Device Management and then 3: Advanced Shell.

    This XG has been rebooted over 20 times while I try to get to the GUI.

     

    Here is what happens when I try to connect to 172.16.16.16:4444

    "Insanity is doing the same thing over and over, expecting different results" I am getting close to being insane (Just Kidding).

  • Hi Ray,

    In the CLI, what does the network tab show you?

    I was not aware that Sophos had changed the install to include default userid/password until you accessed the GUI and created the password.

    Ian

  • Hi there ...I see your error..... you have given the internal interface on Proxmox the IP address 172.16.16.16, you must leave the IP address blank....as all IP allocation is done within Sophos when it boots.....in Proxmox you only define an IP when you want to access Proxmox....

    What I mean is you have given the Proxmox SERVER the IP address 172.16.16.16 ...when Sophos, which is a VM on the SERVER, boots it gives itself the IP address of 172.16.16.16...but this conflicts as the IP address is already on the network..

    On the Proxmox server you should only have the address for the server, nothing else..... each VM deals with its own IPs

     

    Here is a screenshot of my setup (network)

    You will see that the two network cards don't have IPs

     

     

  • Thank you for the sample network configuration, that helped a lot to understand what is going on.

    I have made my network config on Proxmox look the same.

    This did not solve my problem, I still cannot get to the GUI on the Sophos VM. I tried using both vmbr0 and vmbr1 as the one without the IP address, neither one worked.

    I did go into the CLI on the Sophos VM and got to the command line and did an "ip a | more" command.

    In there I saw that both port1 and port2 are in a down state and neither one has an IP address, see screenshot

    When I startup the sophos VM I see the following:

    I am wondering if the error message about failing to access perfctr msr is something I should worry about?

    Should I try reinstalling the Sophos XG Firewall Home Edition or just forget the whole thing.

    Once again I want to thank you for spending all this time on my issue.

  • Hi Ray,

    What you are really saying is that the XG interfaces are not assigned to a Proxmox NIC.

    Ian

  • Quick update... I did a reinstall and now when I go to the command line and do an "ip a | more" port1 has the IP address 172.16.16.16.

    Now I just need to figure out which NIC is port1

    It does not seem to be the internal NIC so I am going to switch everything and try again.

  • One last update before I go to bed.

    I switched the IP to the internal NIC in the Proxmox network. After rebooting the PVE and starting up the Sophos VM and switching the network cables it still did not work. So I logged on to the Sophos VM and did an "ip a" and port1 did not have an IP address. I switched everything back and after rebooting PVE and starting the Sophos VM, port1 still did not have an IP address. It seems that the only way to get an IP on port1 is to do a reinstall, at least that is the way it looks to me.

    Good Night

    The definition of insanity is doing the same thing over and over again expecting different results.

  • Can we have a screenshot of your Sophos hardware tab?

     

    Mine looks like this:

    As you can see I have three virtual network cards, two are on the same network and the WAN network connects to my fibre line directly..... I had the same problem as you with port1 not being found... The way that I did it was to put them all on the same network first, then I could work out which card port1 was binding to.

    Here are my Proxmox network settings again:

    You can see that I have two network interfaces that are bridged, one called vmbr0 and one called vmbr1. When you look at the Sophos network pic you see that net0 and net2 are bound to vmbr0, this is my LAN interface so port1 is connected to vmbr1. When I installed Sophos I could not ping 172.16.16.16 (computer was IP 172.16.16.2) so I set up a persistent ping to 172.16.16.16, then I went onto the hardware tab of Sophos and clicked edit on the network device and changed the network bridge from vmbr1 to vmbr0... I started seeing a response on the ping... then I knew two things....one, my LAN is on vmbr0, and after plugging the network cable in and out and watching the ping....I knew which cable was on the LAN ....... as there are only two cables and ports then I knew that the other cable was WAN and vmbr1 was also WAN.

     

  • Okay, here is what my Sophos hardware tab looks like after adding a third NIC

    and here is my PVE network setup

    Also here is what my physical setup looks like, solid lines are wired and dashed line is wireless. I did not mark it but my router is at 192.168.1.1

    The PVE laptop also has a wireless NIC but I have not been able to get it to work so I left it out.

    I know that once I get it setup and configured that the PVE laptop will have the WAN plugged into my modem and the LAN will be plugged into my router where the modem plugs in now.

  • Ok thanks for that....I see another error/problem..... You have turned the firewall on...meaning you have a firewall in front of the firewall....so you will not ever get to the GUI.

    You need to click on your Sophos VM....then go to Options in Firewall and make sure that it is set to "NO"

     

    Here is mine:

    It's hard enough to set up Sophos, you definitely don't want this on!!!

  • I will do that... that is what you get for working with someone who has no clue what they are doing.

  • Firewall was set to no, did not need to change it.

  • Give yourself some credit....you have done amazingly well to get Proxmox up and running as it is not easy. When you throw Sophos into the mix, it's rocket science

  • Ok...mmh so when you click on hardware on the Sophos VM and look at the NICs.....it definitely DOES NOT say Firewall=1?

  • On the hardware tab it does say firewall=1 for the NICs but in Sophos firewall>options it says no
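
Added example, not part of any post in this thread: a small Python check for the two host-side conditions the replies above look for, a Proxmox bridge that carries the XG default LAN address 172.16.16.16 and a VM NIC line with firewall=1. The sample `/etc/network/interfaces` text, the VM config lines, the MAC addresses and the interface name `usbnic0` are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample inputs (assumptions, not the poster's actual files).
INTERFACES = """\
auto vmbr0
iface vmbr0 inet static
    address 172.16.16.16/24
    bridge-ports eno1

auto vmbr1
iface vmbr1 inet manual
    bridge-ports usbnic0
"""
VM_CONF = """\
net0: virtio=AA:BB:CC:00:00:01,bridge=vmbr0,firewall=1
net1: virtio=AA:BB:CC:00:00:02,bridge=vmbr1
"""
XG_DEFAULT_LAN = ipaddress.ip_address("172.16.16.16")  # default quoted in the thread


def bridge_addresses(text):
    """Return {iface name: host address or None} from ifupdown-style stanzas."""
    result, current = {}, None
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) >= 2 and parts[0] == "iface":
            current = parts[1]
            result[current] = None
        elif len(parts) >= 2 and parts[0] == "address" and current:
            result[current] = ipaddress.ip_interface(parts[1])
    return result


def audit(interfaces_text, vm_conf_text):
    """Flag VM NICs whose bridge holds the XG default IP or that carry firewall=1."""
    addrs, findings = bridge_addresses(interfaces_text), []
    for m in re.finditer(r"^(net\d+):\s*(\S+)", vm_conf_text, re.M):
        opts = dict(o.split("=", 1) for o in m.group(2).split(",") if "=" in o)
        bridge = opts.get("bridge")
        host = addrs.get(bridge)
        if host is not None and host.ip == XG_DEFAULT_LAN:
            findings.append((m.group(1), bridge, "host IP equals XG default LAN IP"))
        if opts.get("firewall") == "1":
            findings.append((m.group(1), bridge, "firewall=1 on NIC"))
    return findings


if __name__ == "__main__":
    for nic, bridge, issue in audit(INTERFACES, VM_CONF):
        print(f"{nic} on {bridge}: {issue}")
```

On a real host the two strings would be replaced by the contents of the host's network file and the VM's configuration; an empty result means neither condition is present.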