Bridge Mode does not work, help!

Hello to all friends!
I installed the Sophos XG Firewall Home Edition on a desktop computer with 2 gigabyte network cards. I installed Sophos OS natively on the computer. I am not using virtual machines.

I did the initial setup (wizard) without paying attention. I just clicked "forward". I don't remember if I set the XG Firewall to the Router function or the Bridge function.

The system is already active and licensed, but I am unable to set it to Bridge mode. Apparently, the option of configuring it in Bridge occurs only in the initial settings (wizard) at the first access to the address (172.16.16.16:4444).

Is there any way to configure it in bridge mode after installing it? Or do I have to format and re-install the system on my computer?

In the Sophos wiki, I found a link on how to implement bridge mode, but the tutorial explains only from the first access: support.sophos.com/.../KB-000035596

I tried to perform several actions by creating Bridge interfaces in the network settings, releasing DHCP on the firewall, but without success. All the actions I did were guided by videos on YouTube made by other users.

My need here is basically the following:
I have a Mikrotik as an ISP on my network. I want to place the Sophos XG Firewall as a bridge, I do not want it to be the DHCP server, as I have IP rules saved in my mikrotik and other routings already made.

Grateful for everyone's help!



This thread was automatically locked due to age.
  • Hi,

    you build bridges in the network tab.

    But, I recommend you install another interface so you can access the XG easily.

    Ian

  • Are 3 physical network interfaces required?
    Here I have only 2. I thought they were enough, one for LAN and one for WAN.

    I tried bridging actions, but to no avail. I am carrying out the process through trial and error. I don't believe this is the best way. I feel that if it works, it will probably be working the wrong way.

    I am not finding any concise material on the web that explains the configuration procedure for the Firewall to operate in Bridge mode.

    The Sophos material demonstrates the process of creating bridge mode only during the first load. As I skipped this step, I am not able to put it in bridge mode by bridging the interfaces.

    I will keep looking for some material that contains these instructions, otherwise I will try to reinstall it again.

    Grateful for your help.

  • Hi,

    you create a bridge in the networks tab, but you will need to delete the existing connections, that is why I suggested you add a 3rd NIC so you can continue accessing the XG while changing the configuration.

    Ian

  • I'm doing the configuration of it initially as follows:

    - I connect a network cable to the LAN network of the Firewall and to the LAN network of my notebook. I set the fixed IP on my notebook corresponding to the Firewall range. Then I can access it. By default it comes with the 172.16.16.16 range. Then I change the static IP of the LAN to 192.168.0.225. I still access the firewall through this new IP 192.168.0.225:4444.

    Then I go to the interfaces tab and define a static IP on the WAN port 192.168.0.226.

    After that I go to the HOSTS AND SERVICES tab, I create a host called DHCP SERVER, and I enter the IP of my gateway (MikroTik) 192.168.0.254 in "IP address".

    Then, I create 2 rules in the Firewall tab to allow the acquisition of DHCP addresses. Following this man's instructions on YouTube:
    www.youtube.com/watch


    Then, I add a network cable with internet to the firewall's WAN port, but I can't browse on the notebook that is receiving the cable from the firewall's LAN port. Even after removing the fixed IP that allowed me to connect to the Firewall, the notebook does not receive DHCP and also does not browse with the static IP set.


    I saw in the Sophos tutorial on how to put the firewall in bridge mode that at the beginning there is an option to configure the LAN port to not do DHCP. This is my need: I need the firewall not to do DHCP, I want to keep my MikroTik responsible for distributing DHCP. I have 10 servers in my network, all of them already have fixed IPs and several open port rules in MikroTik, so I need the Firewall in Bridge.

    I'm sure it must be something simple to do, but it's burning my head hahaha.

    Thanks for listening!

  • Hi,

    this does not sound like a home user, more like a small business user?

    To create a bridge you need to delete your existing network configurations and then create a bridge and add the two networks. You can delete the DHCP server in the XG if you don't need it.

    Ian

  • Got it!
    I went up to the Sophos system again and from the initial configuration wizard I was able to put it in bridge mode following the guidelines of the Sophos Wiki. It is working perfectly in Bridge mode on my network.

    It is a domestic use, there are 10 servers that support my residence, being 1 central media server, 1 mikrotik routing server, 1 backup NAS server, 1 personal proxmox server where I have 6 other active virtual servers that I use for my work.

    Now that everything is working correctly I need to learn how to free external access to RDP. Before putting the Sophos Firewall on the bridge, my Mikrotik was solely responsible for releasing the RDP ports of each server of mine. Now I am unable to communicate externally with my servers, only locally.

    Each server of mine has a fixed IP and a distinct RDP port, example:

    Server 01:
    ip: 192.168.0.150
    RDP port: 3389

    Server 02:
    ip: 192.168.0.151
    RDP port: 3390

    and so on...
    In my Mikrotik I just create TCP and UDP rules with the release of the port for the local fixed IP. I also have a DDNS account added to my Mikrotik. This allows me to communicate with my servers in 2 ways, through my Public IP and through my DDNS, example:

    Server 01:
    Public IP (example): 189.38.32.1:3389
    or: myddns.net:3389

    Server 02:
    Public IP (example): 189.38.32.1:3390
    or: myddns.net:3390

    Before adding the Sophos firewall, external access was functional. Now with the addition of the Sophos firewall I can't do it anymore.

    Grateful for help and suggestions!

  • Hi,

    you will need to create a firewall rule to allow RDP incoming. RDP is not recommended as a remote access method because of vulnerabilities.

    Ian

  • I use RDP due to the facilities it brings, such as:

    - use of remote printers
    - copy and paste for the access host
    - remote access via microsoft RDP app on my smartphone
    - allows me to access multiple users of a single system simultaneously and individually.

    I accept alternative suggestions to RDP that allow me to perform the same actions.

    As a protection I use the Kaspersky suite on each server. The idea of configuring the Sophos XG Firewall is precisely to increase my protection. The goal with Sophos is to allow me to collect more detailed reports on my internal network traffic and to be able to rely on the web protection and firewall features.

    For now, I still need to continue using the accesses via RDP. I will continue to seek more information on how to release the RDP in Firewall XG. In case you get some information I will be grateful to receive it.

    Thanks for everything.

  • Hi,

    I see you have pasted the same information a second time. The XG will not improve your RDP protection, the issue is a limitation within RDP.

    Maybe you need to set up a VPN into your XG so you can use RDP over it. I am not sure you can use WAF in a bridge.

    Ian

  • Yes. The forum topic that talks about my current need was 4 years ago.

    As seen in the link:
    community.sophos.com/.../rdp-from-external-network

    I carefully repeated the suggestions given in the post that reports the similar problem. But without success. Unfortunately the author of the post did not continue, I was left with no understandable solution.

    In web searches, I found few if any reports about blocking external RDP and how to release them. However, through correct routing suggestions at the firewall I believe it is possible, but I can't do it alone.

    The VPN solution would require Sophos XG Firewall to become my Router. Regarding the router I still prefer to keep my Mikrotik. If I am unable to release the XG firewall to allow the external RDP connection, maybe I will make VPNs through my mikrotik.

    I will continue testing ways to be able to release my RDP ports on the firewall.

    Thank you for your help.