
Sophos WAN behind pfSense LAN

Hi,

Please see the above photos of my setup.

I want all my office computers on the Sophos XG firewall to be able to connect to the file server. On Windows 10, if I click Network, I can only see the 3 computers on my Sophos and not the Windows 10 Pro machine that I use for my file server.

I set up a static route in pfSense to the gateway IP 192.168.9.10 (which is the WAN of the Sophos).

What do I have to do on the Sophos side?



  • Hello Benjamin,

    Thank you for contacting the Sophos Community!

    Usually, if you use the Network option on the Windows computers, it will only find the computers in the same subnet.

    You might want to check first for connectivity between your 192.168.0.0/24 and the 192.168.8.0/24 network.

    Regards,

  • Hi,

    So computers on the Sophos LAN 192.168.0.0/24 subnet can reach everything on the pfSense 192.168.8.0/24.

    But anything on 192.168.8.0/24 can NOT reach anything on 192.168.0.0/24, not even the GUI for the Sophos.

    What do I need to do in Sophos?

  • Hello Benjamin,

    What is the IP of the WAN interface on the XG?

    Can you do a tcpdump on the CLI to see if you see traffic from 192.168.8.0/24 arriving to the WAN interface of the XG?

    Also make sure you have DNAT rules to allow the traffic coming from 192.168.8.0/24 to 192.168.0.0/24 if the interface connecting to the pfSense on 192.168.9.0/24 is in the WAN zone.

    Regards,

  • Hi,

    I'm new to Sophos and it's confusing how to do things. I'll answer your questions and then, if you can, confirm I did it right.

    What is the IP of the WAN interface on the XG?

    192.168.9.10

    Can you do a tcpdump on the CLI to see if you see traffic from 192.168.8.0/24 arriving to the WAN interface of the XG?

    How do I do that? If I click Diagnostics and then type in Route lookup 192.168.8.10, it gives me:
    192.168.8.10 is located on the Port4 (wan)
    192.168.8.10 is reached through the router 192.168.9.1

    Also make sure you have DNAT rules to allow the traffic coming from 192.168.8.0/24 to 192.168.0.0 if the interface connecting to the pfSense on 192.168.9.0/24 is in the WAN zone.

    I clicked Rules and policies, then I clicked the down arrow near Add firewall rule and selected Server access assistant (DNAT). For Type I chose IP, I put 192.168.9.10 for internal, and after clicking Next I put 192.168.8.0 for public IP.

    I selected any service and any source.

    You can see in this screenshot how it looks. Is it done correctly? If not, what should I change? I still can NOT access the Sophos firewall from my server on pfSense (but I can't in the reverse direction).

  • Hello Benjamin,

    Thank you for the follow-up!

    To do the tcpdump, please SSH in to the XG by following this KB. Once you see the menu options, please press (5 > 3).

    You will end up in the advanced shell (#).

    Then run this command:

    # tcpdump -eni Port4 host 192.168.8.10 port 4444

    And then try to access the GUI of the XG from the IP 192.168.8.10. If you see packets arriving, it is a good sign; if not, something before the Sophos is blocking the packets.

    If you see packets arriving but the GUI is not loading, please go to Administration >> Device Access >> Local Service ACL and make sure HTTPS is enabled for the WAN zone.

    For the DNAT rule, please show me the actual DNAT rule. What you configured is the firewall rule; please take a look at this RR.

    Regards,

  • OK, that fixed it. I did the tcpdump and yes, packets were arriving.

    Then I made sure WAN HTTPS is enabled, and yes, now I can see it.

    Is there a way to limit WAN HTTPS to only be accessible from the 192.168.8.0 or 9.0 subnet?

    Now that I have a connection between the 2, how can I see in Windows 10 the computers on the network between both routers?

  • Hello Benjamin,

    I am glad it is working now!

    Yes, there is a way; please take a look at this KB.

    Scroll down to the part that says "Local Service ACL Exception Rule".

    Basically, you need to uncheck HTTPS on WAN, and then create the ACL with the networks/IPs you want to be able to access the GUI of the XG.

    Regards,
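As an added example (not from this thread, Sophos, or pfSense), the script below turns the tcpdump check suggested above into something you can evaluate offline: paste the text output of `tcpdump -eni Port4 port 4444` into it and it tells you which sources actually reached the admin port on the WAN IP 192.168.9.10, and which of those fall outside the subnets you intend to allow in the Local Service ACL exception (192.168.8.0/24 and 192.168.9.0/24). The capture lines are constructed for illustration; the stray source 203.0.113.45 is invented to show what an unexpected hit on the admin port looks like.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of `tcpdump -eni Port4 port 4444` text output (not a real
# capture). Three packets of a TCP handshake from the pfSense-side file server,
# plus one invented SYN from an address outside both lab subnets.
SAMPLE_CAPTURE = """\
10:01:02.100001 00:0c:29:aa:bb:01 > 00:0c:29:aa:bb:02, ethertype IPv4 (0x0800), length 74: 192.168.8.10.51234 > 192.168.9.10.4444: Flags [S], seq 1, win 64240, length 0
10:01:02.100200 00:0c:29:aa:bb:02 > 00:0c:29:aa:bb:01, ethertype IPv4 (0x0800), length 74: 192.168.9.10.4444 > 192.168.8.10.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
10:01:02.100400 00:0c:29:aa:bb:01 > 00:0c:29:aa:bb:02, ethertype IPv4 (0x0800), length 66: 192.168.8.10.51234 > 192.168.9.10.4444: Flags [.], ack 3, win 502, length 0
10:01:05.000001 00:0c:29:aa:bb:03 > 00:0c:29:aa:bb:02, ethertype IPv4 (0x0800), length 74: 203.0.113.45.40000 > 192.168.9.10.4444: Flags [S], seq 9, win 1024, length 0
"""

# tcpdump prints IPv4 endpoints as "a.b.c.d.port > a.b.c.d.port:"; the MAC
# addresses printed by -e use colons, so this pattern skips them.
PACKET_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def parse_packets(capture_text):
    """Yield (src_ip, src_port, dst_ip, dst_port) for each IPv4 line in the capture."""
    for line in capture_text.splitlines():
        m = PACKET_RE.search(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def inbound_sources(capture_text, admin_ip, admin_port=4444):
    """Count packets per source IP that were addressed to admin_ip:admin_port.

    Replies from the firewall (source port 4444) are ignored, so the count only
    reflects traffic that actually arrived at the WAN interface.
    """
    counts = Counter()
    for src, _sport, dst, dport in parse_packets(capture_text):
        if dst == admin_ip and dport == admin_port:
            counts[src] += 1
    return counts


def sources_outside_acl(counts, allowed_networks):
    """Return the source IPs that hit the admin port but are not in any allowed network."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    return sorted(
        ip for ip in counts
        if not any(ipaddress.ip_address(ip) in net for net in nets)
    )


if __name__ == "__main__":
    # Values from the thread: XG WAN IP and the two subnets behind pfSense.
    wan_ip = "192.168.9.10"
    allowed = ["192.168.8.0/24", "192.168.9.0/24"]

    hits = inbound_sources(SAMPLE_CAPTURE, wan_ip)
    for src, n in hits.most_common():
        print(f"{src}: {n} packet(s) to {wan_ip}:4444")
    for src in sources_outside_acl(hits, allowed):
        print(f"WARNING: {src} reached the admin port but is outside {allowed}")
```

If `inbound_sources` returns nothing for the file server, the problem is upstream of the XG (pfSense rules or routing), exactly the case distinguished in the thread; if it returns hits but the GUI still does not load, the Local Service ACL is the next thing to check. Any address reported by `sources_outside_acl` is a reason to replace the blanket WAN HTTPS setting with the ACL exception rule described in the last reply.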