Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 4 replies
  • Subscribers 28 subscribers
  • Views 2053 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

VLAN tagging in v18

jang430

I've migrated to V18 of Sophos XG.  I didn't follow the instructions and went ahead and deleted the NAT rules that were migrated, thinking they won't be needed.  

Currently, there is a NAT rule, when disabled, my clients on VLAN cannot access internet.

The rule says:

Original Source- Any Original Destination- Any Original Service- Any

Translated source (SNAT)- MASQ Translated destination- Original Translated service- Original

Interface matching criteria. Inbound Interface- Any Outbound Interface- Any

 

When above rule is turned off, nothing goes through to the internet.  

 

Secondly, I had to change in Firewall Rule for the VLAN from:

Source Zone: LAN

Source Network: VLAN3 (IP Host/ IP Range/ 192.168.30.100-150) and change to #Port1.30 (Zone LAN/ Static IP Assignment/ IPV4: 192.168.30.1   /24(255.255.255.0)

 

Though this allows me to access the internet, it's following the web filtering rule set for my default VLAN1 users, also on Port1.  It doesn't get it's unique Web filtering rules, though there's a firewall rule created for this.



This thread was automatically locked due to age.
Parents
  • +1

    Hi,

    you can if you so desire delete all the linked NAT rules and replace them with a generic NAT sillier to mine.

    Ian

  • 0 in reply to rfcat_vk

    So at the very least, this NAT rule should be present and active, correct?  Sorry, I did a migration.  So saw a lot of migrated rules that I didn't understand.  Wanted to clean it.  The more streamlined, the better.

     

    So what do I put in Outbound Interface?  yours says Bigpond WAN.  I leave it as Any?

  • +1 in reply to jang430

    Basically what V18 does is: 

    Creating a Default SNAT on bot for all WAN Interfaces. For simple concepts, you only need this rule and could basically delete all other linked NAT Rules. 

    It simply matches all traffic, which tries to communicate to the WAN and MASQ the traffic, as it should be. 

    If you have DNAT or something else, you need to revisit this. 

Reply
  • +1 in reply to jang430

    Basically what V18 does is: 

    Creating a Default SNAT on bot for all WAN Interfaces. For simple concepts, you only need this rule and could basically delete all other linked NAT Rules. 

    It simply matches all traffic, which tries to communicate to the WAN and MASQ the traffic, as it should be. 

    If you have DNAT or something else, you need to revisit this. 

Children
  • 0 in reply to LuCar Toni

    OK, Thanks. Any clarification on why my Vlan not responding to rules (WEB) set for them?  What's wrong with my config?

     

     

    UPDATE:  Reverting the Source networks and devices to the original IP Host instead of #port1 fixed this issue.  Thanks to you both!