This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos XG fails to route LAN traffic to VPN

I have my SSLVPN set up, and users can connect remotely, accessing all allowed LAN resources. They can ping internal devices from the VPN as well. The problem is outbound routing. From the LAN, when I try to ping a machine connected to the VPN, it doesn't work. Ping is allowed for the VPN zone in System > Administration > Device Access. Logs show that the connection is allowed by firewall rules, however, the firewall rule referenced by the log is talking about LAN to WAN, not LAN to VPN. I have created a LAN to VPN rule, but it is not being recognized, even though it is much higher in the list than the LAN to WAN rule. I tried creating a policy route to force LAN traffic to the VPN gateway, but that doesn't seem to have any effect.

What am I missing? How do I get pings to go from LAN to VPN, instead of trying to go out to the internet?

This thread was automatically locked due to age.

0 AndreasBeutel over 5 years ago

Maybe the solution in this thread helps while resolving your issue: https://community.sophos.com/products/xg-firewall/f/intrusion-prevention/119349/controlling-remote-ssl-clients
Cancel
Vote Up 0 Vote Down

Cancel
0 Marshall Ringler1 over 5 years ago in reply to AndreasBeutel

I really wish that would help... Unfortunately, I already have the VPN subnet defined as a host, and that host is part of the access list for the VPN connection. In fact, the SSLVPN Tunnel is also checked in the Device Access list under the LAN zone as well. In my firewall rules, I have 3 separate rules for access - one incoming, and one outgoing, and one for Internet (this is a full tunnel).

The Incoming rule shows:

VPN:Any > LAN:Any, Match users.

Outgoing rule shows:

LAN:Any > VPN:Any (no matching of users)

I also have a VPN-to-Internet rule after that:

VPN:Any > WAN:Any, NAT & Routing:MASQ
Cancel
Vote Up 0 Vote Down

Cancel
0 rfcat_vk over 5 years ago in reply to Marshall Ringler1

Hi,

you haven't said what version of XG you are using? If V18 please investigate using SD-WAN.

Ian
Cancel
Vote Up 0 Vote Down

Cancel
0 Marshall Ringler1 over 5 years ago in reply to rfcat_vk

Ian - I'm on 17.5.12.664. Until your post, I didn't know there was anything newer! My devices don't show it. I found a link to download V18 directly, so I will find a time outside of production hours to try and apply it. I never thought of using SD-WAN for remote client connections either. I'll do some research. Thanks!
Cancel
Vote Up 0 Vote Down

Cancel