Can't connect back to my network from XG125 on Comcast

I set up my new XG125 behind a Comcast Cable modem to manage a small development network (2 web servers, 2 dbms servers, 4 internal IP addresses, 3 PCs, and a bunch of TV and devices via a connected WAP).  Everything goes through a network switch to the LAN1 port on the XG.  We have a bunch of DNS settings with Network Solutions that send various sub-domains around to various networks, including this development network.

Everything seems to work fine accessing this development network (http/https, custom ports, etc) from the outside.  From inside the network, our PCs connect to ExpressVPN.  When we request a login page from our web server, using our defined DNS http://login.mydomain.com, the response is as expected (we get the login page).  However, when we quit ExpressVPN, which puts us back on the Comcast network (the same IP as the XG's WAN interface IP), then try to access our web resources from inside, we cannot access the above login page.  The browser times out with a DNS error.  Making any other http/https request to our network fails too.  Turn ExpressVPN back on and all is well again.

What have I failed to configure?  Thanks,



  • FormerMember

    Hi,

    Thank you for reaching out to the Community.

    Are the web server and internal PCs on the same network and zone? Have you configured DNAT or WAF rules for these servers?

    I would suggest you run a packet capture on the firewall and see if the client's traffic to the server is allowed or blocked by the firewall. 

    Thanks,

  • I looked on the internet and found this document...

         https://support.sophos.com/support/s/article/KB-000038769?language=en_US

    I tried both solutions but seem to be missing something because neither worked.  So frustrating.  Sigh...

  • So, it looked like there were two different possible solutions: 1) create a firewall rule from the internal network to the WAN port or 2) add the LAN to the DNAT rules (source zone) accessing each server.

    I chose the first option because it was the one the Sophos technician created that actually worked after the firewall crashed.  It did so when our Comcast service temporarily went down and detached the Comcast cable modem from the Comcast network for several hours until I rebooted the modem.  In order to get the Sophos working again I had to restore the backup I took after we accomplished #1 above.  The settings after we did #2 above didn't work after the modem reboot.

    The rule was basically called "Internal LAN Loopback" where the Source was "Any (zone) / 192.168.1.0 (network) / All the time (during)" and the Destination was "LAN (zone) / #Port2 (network) / Any (services)".  This became the top rule.

    I have no idea why such a simple solution wasn't noted in any of the help, or at least it wasn't easily found by the likes of me.

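The hairpin (NAT loopback) situation described in the post above, as an added example that is not from this thread and not Sophos code: a simplified first-match model of a DNAT step followed by zone-based firewall rules, written in Python. Everything in it is a constructed assumption (the addresses, the web server, the rule names other than the poster's "Internal LAN Loopback", and the matching logic itself); it does not reproduce the XG's real NAT or rule engine, only the reason a LAN client reaching the WAN IP ends up as LAN-to-LAN traffic that an ordinary WAN-to-LAN publishing rule never matches.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample topology (assumptions, not the poster's real addresses).
WAN_IP = "203.0.113.10"                       # public IP on the firewall's WAN port
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
WEB_SERVER = "192.168.1.10"                   # internal web server behind LAN1/Port2


def zone_of(ip: str) -> str:
    """Derive a zone from the address: inside the LAN network -> LAN, else WAN."""
    return "LAN" if ipaddress.ip_address(ip) in LAN_NET else "WAN"


@dataclass
class DnatRule:
    name: str
    original_dst: str      # the public address clients connect to
    translated_dst: str    # the internal server the traffic is forwarded to
    dport: int


@dataclass
class FirewallRule:
    name: str
    src_zones: Optional[Set[str]]                  # None = "Any" zone
    src_net: Optional[ipaddress.IPv4Network]       # None = any source address
    dst_zones: Set[str]
    action: str = "allow"


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


def apply_dnat(pkt: Packet, dnat_rules: List[DnatRule]) -> Packet:
    """Rewrite the destination if a DNAT rule matches; this toy model applies
    DNAT regardless of source zone (the real product's NAT matching is not modelled)."""
    for r in dnat_rules:
        if pkt.dst == r.original_dst and pkt.dport == r.dport:
            return Packet(pkt.src, r.translated_dst, pkt.dport)
    return pkt


def evaluate(pkt: Packet, dnat_rules: List[DnatRule],
             fw_rules: List[FirewallRule]) -> Tuple[str, Optional[str], str]:
    """Return (verdict, matched rule name, final destination).
    Firewall rules are checked on the post-DNAT packet, first match wins,
    and nothing matching means an implicit drop."""
    pkt = apply_dnat(pkt, dnat_rules)
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    for r in fw_rules:
        if r.src_zones is not None and src_zone not in r.src_zones:
            continue
        if r.src_net is not None and ipaddress.ip_address(pkt.src) not in r.src_net:
            continue
        if dst_zone not in r.dst_zones:
            continue
        return r.action, r.name, pkt.dst
    return "drop", None, pkt.dst


DNAT_RULES = [DnatRule("Publish web server", WAN_IP, WEB_SERVER, 443)]


def baseline_rules() -> List[FirewallRule]:
    """Typical rule set before the fix: publish the server to WAN, let LAN out."""
    return [
        FirewallRule("WAN to web server", {"WAN"}, None, {"LAN"}),
        FirewallRule("LAN outbound", {"LAN"}, None, {"WAN"}),
    ]


def with_loopback() -> List[FirewallRule]:
    """Option 1 from the thread: the loopback rule placed at the top.
    Source 'Any' zone but restricted to the LAN network, destination LAN zone,
    any service. Note it permits all LAN-sourced traffic into the LAN zone."""
    return [FirewallRule("Internal LAN Loopback", None, LAN_NET, {"LAN"})] + baseline_rules()


if __name__ == "__main__":
    outside = Packet("198.51.100.7", WAN_IP, 443)     # constructed external client
    inside = Packet("192.168.1.50", WAN_IP, 443)      # LAN PC using the public name
    for label, rules in (("baseline", baseline_rules()), ("with loopback", with_loopback())):
        print(label, "outside ->", evaluate(outside, DNAT_RULES, rules))
        print(label, "inside  ->", evaluate(inside, DNAT_RULES, rules))
```

Running it shows the outside client matching "WAN to web server" in both rule sets, while the inside client is dropped under the baseline rules (after DNAT its traffic is LAN zone to LAN zone, so neither the WAN publishing rule nor the LAN outbound rule applies) and is only allowed once the loopback rule exists; because the loopback rule is restricted to the LAN network as source, it does not widen what the outside client can reach.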
