
How to allow established connections across LANs for IoT devices

Hello,

I am using XG Home 17 and cannot seem to find the answer. I have a LAN with my main network on it and a VLAN with my IoT devices on it. I am coming from a Unifi USG, which had Allow, Block, and Established rules in the firewall. My IoT VLAN would not be able to ping or connect to my LAN network with one rule dropping all incoming connections. I had another rule to allow Established connections from my LAN to the IoT VLAN (i.e. casting to my TV from my tablet or computer).


All I can find in the XG is Allow, Drop, and Reject in rules. Does Sophos offer a feature like this?



  • Hi,

    please post your rules because your request is not clear.

    Rules need to be from a source to a destination with services.

    Ian

  • rfcat_vk said:

    Hi,

    please post your rules because your request is not clear.

    Rules need to be from a source to a destination with services.

    Ian

    That is kind of my problem. I don't know how to set the rule up. I do not want VLAN IoT talking/connecting to LAN. However, if LAN starts the connection (casting to my Chromecast, which is on VLAN IoT, from my tablet, which is on LAN) then I want the connection to go through. In Ubiquiti UniFi it is called an "established" connection.
  • First, since you're a Home User, I recommend you update to v18.


    You can do the same thing with an "Accept" rule on Sophos XG.

    Here's an example:

    (Ignore the "Match Known Users")

    In this example any user inside the "Wired LAN" and "WiFi LAN" will be able to establish a connection over any service to the IoT LAN.

    And since there's no rule for the "IoT LAN" to directly "accept" traffic to the "Wired or WiFi LAN", that traffic will be blocked by the default drop rule.


    This means anyone inside the "IoT LAN" won't be able to directly establish a connection to either the Wired or the WiFi LAN (such as a ping). At the same time, anyone on the Wired or WiFi LAN will be able to establish a connection to anyone on the "IoT LAN", and the IoT LAN device will be able to respond back.


    Thanks!
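    The behaviour Prism describes is ordinary stateful filtering: only a new flow is checked against the rule table, and packets that belong to a flow the firewall has already accepted pass in either direction without a rule of their own. The following Python model is an added example written for this thread, not Sophos code and not a description of the XG implementation; the zone names, subnets, addresses and port numbers are constructed for illustration. It shows a single LAN-to-IoT accept rule over a default drop, and traces a cast session opened from a LAN tablet, the TV's reply on that flow, and two IoT-initiated attempts toward the LAN.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed example subnets; the thread does not give the poster's addressing.
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "LAN": ipaddress.ip_network("192.168.10.0/24"),
    "IoT": ipaddress.ip_network("192.168.20.0/24"),
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    sport: int   # 0 for icmp
    dport: int   # 0 for icmp


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str  # "accept" or "drop"


FlowKey = Tuple[str, str, int, str, int]


class StatefulFirewall:
    """Zone-based filter with a connection table (a simplified model, not the
    XG engine). Only a NEW flow is matched against the rule table; packets of an
    already accepted flow pass in either direction without needing their own rule."""

    def __init__(self, rules: List[Rule], default_action: str = "drop") -> None:
        self.rules = rules
        self.default_action = default_action
        self.conntrack: Set[FlowKey] = set()   # accepted flows, stored initiator-first

    @staticmethod
    def zone_of(ip: str) -> str:
        addr = ipaddress.ip_address(ip)
        for name, net in ZONES.items():
            if addr in net:
                return name
        return "UNKNOWN"

    @staticmethod
    def _keys(pkt: Packet) -> Tuple[FlowKey, FlowKey]:
        forward = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return forward, reverse

    def process(self, pkt: Packet) -> str:
        forward, reverse = self._keys(pkt)
        # Established: this flow (seen from either end) was accepted earlier.
        if forward in self.conntrack or reverse in self.conntrack:
            return "ACCEPT (established)"
        # New flow: the first matching zone rule decides; otherwise the default applies.
        src_zone, dst_zone = self.zone_of(pkt.src), self.zone_of(pkt.dst)
        for rule in self.rules:
            if rule.src_zone == src_zone and rule.dst_zone == dst_zone:
                if rule.action == "accept":
                    self.conntrack.add(forward)
                    return "ACCEPT (new, rule)"
                return "DROP (rule)"
        return f"{self.default_action.upper()} (default)"


def run_scenario() -> List[str]:
    # One accept rule, LAN -> IoT, any service, as in Prism's example; everything else hits the default drop.
    fw = StatefulFirewall([Rule("LAN", "IoT", "accept")])
    tablet, tv = "192.168.10.50", "192.168.20.20"   # constructed addresses
    packets = [
        Packet(tablet, tv, "tcp", 51234, 8009),  # LAN tablet opens a cast session to the IoT TV
        Packet(tv, tablet, "tcp", 8009, 51234),  # TV replies on that same flow
        Packet(tv, tablet, "icmp", 0, 0),        # TV tries to ping the tablet on its own
        Packet(tv, tablet, "tcp", 40000, 445),   # TV tries to open a new connection to the tablet
    ]
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

    The reply from the TV is accepted only because the tablet's packet created the table entry first; the two IoT-initiated packets fall through the rule table to the default drop. What this model leaves out is device discovery: a client usually finds the TV with multicast (mDNS/SSDP) before it opens the session, which is a separate concern from the stateful rule and is the point Ian and Prism go on to discuss below.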

  • I don't think his Chromecast will work over the VLAN to LAN rules, from previous discussions on the subject.

    Ian

  • Prism said:

    In this example any user inside the "Wired LAN" and "WiFi LAN" will be able to establish a connection over any service to the IoT LAN.

    And since there's no rule for the "IoT LAN" to directly "accept" traffic to the "Wired or WiFi LAN", that traffic will be blocked by the default drop rule.


    This means anyone inside the "IoT LAN" won't be able to directly establish a connection to either the Wired or the WiFi LAN (such as a ping). At the same time, anyone on the Wired or WiFi LAN will be able to establish a connection to anyone on the "IoT LAN", and the IoT LAN device will be able to respond back.


    Thanks!

    Thank you! I never thought of it like that! I will try this when I get home. I will update also tonight; I just got the core of everything set up today and this is more or less my lab. I am switching to this at home to get more familiar with it, as we are using XG firewalls at my work and have 9 locations using them. I'd rather break my home network than work trying to learn it. I will mark this as answered if this works. Thanks again!
  • Hi Ian!

    Can you talk more about the Chromecast issue? (I didn't even read about the Chromecast in this post, sorry.)

    Did you enable multicast forwarding and create the necessary route for the Chromecast?


    I've had this working before, I'll get my old chromecast tomorrow to test it again, just to be sure.


    Thanks!

  • Hi Prism,

    sorry, not Chromecast, but casting from his laptop/PC to his TV on the IoT network.

    Ian

  • I haven't had a chance to test this out yet, as now I am experiencing a different issue. I have a Windows Server 2012 running DHCP and I cannot seem to get DHCP to handle the IoT VLAN, even though I had it working on a test VLAN the other day. I gave up as it was late last night, so I will get back to it after work tonight. I am determined to get the core working so I can fiddle with settings, and I will let you all know how it turns out.