Dear,
I'm evaluating Sophos XG Home in Bridge mode. This is on a virtual appliance.
I have experience with Pfsense, Palo Alto, Fortinet and Untangle firewalls.
My home network has a pair of Cisco ISR G2 (3925E) routers in HSRP, each connected to a different ISP and in Active/standby.
There are different VLANs:
VLAN100: LAN
VLAN99: MGMT
VLAN40: SERVERS
VLAN30: IoT
VLAN20: VoIP
Each VLAN has its own gateway, which is a VIP shared between both Cisco routers in their HSRP group:
VLAN100: 10.1.100.1
VLAN99: 10.1.99.1
VLAN40: 10.1.40.1
VLAN30: 10.1.30.1
VLAN20: 10.1.20.1
The 10.1.xxx.1 is always the VIP, the 10.1.xxx.2 is always the primary, the 10.1.xxx.3 is always the secondary member of the cluster.
I have the Sophos XG connected to a switch, on a trunk port allowing all vlans currently.
The LAN and 'WAN' are bridged in br0 on the XG appliance.
The appliance always has the 10.1.xxx.5 for each of the vlans.
The issue I saw was that for some reason, the firewall thinks that the outgoing traffic is asymmetric, and because of this marks it as invalid and drops it.
I have found a remedy by adding the following in the CLI:
set advanced-firewall bypass-stateful-firewall-config source_network 10.1.xxx.0 source_netmask 255.255.255.0 destination_network 0.0.0.0 destination_netmask 0.0.0.0
This fixed the traffic going through the firewall, but now I have lost my HTTPS GUI.
Whatever rules I try to add, it doesn't matter; I can only access the FW GUI when I temporarily drop the traffic by entering system appliance_access enable.
Does anyone have an idea on how this setup can work?
It seems like Sophos works differently than what I'm used to.
Any help is appreciated.
Kr,
Soulaiman