
Add a subnet to lan zone

Hello,

I have a wifi AP hosting some networks; I would like to make them go un-NATed to my XG firewall.

I wasn't able to find how to add subnets to zone LAN.

A static route is set and pings are fine. But when I try to route outgoing packets to WAN, there is a redirect to an authentication page, but the page never appears.

So I guess the firewall is not able to identify those subnets, and doesn't allow authentication.

What is the best way to solve this?

Thanks for your help



  • FormerMember

    Hi

    Thanks for reaching out, and welcome to the Sophos Community! 

    What is the firmware version on your firewall? Did you configure match known users and use web authentication for unknown users on LAN to WAN firewall rule? 

    Can you share the screenshot of that redirected authentication link? 

    Thanks,

  • Hello Harsh,

    Thanks for your reply.

    I'm using SFOS 18.0.4 MR-4

    Yes I've configured match known users + use web authentication for unknown users on Lan to Wan rule

    When I try to open a URL like yahoo.de, it is redirected to a URL starting with my firewall name:
    https://MY_FW:8091/ntlmauth.html?2yahoo.de/

    I wasn't able to find anything in the log.

    Best Regards

  • FormerMember in reply to Nicolas HORCHOWER

    Hi,

    Did you configure LAN to WAN rule with DNS service on top of the user identity-based rule? 

    Check out the following KBA for more info: 

    Thanks,

  • Done, but it doesn't solve my issue.

    My DNS is internal. I also tried to replace the firewall FQDN with its IP: same result.

    I'm not able to reach either the admin or the user page on the FW.

    I can ping it.

    I'm not able to connect via ssh (with IP address or fqdn).

    I see the web traffic caught in the log, but no feedback about the portal.

    That's why I was trying to find a way to add my other subnets to the portal.

    BTW, local lan traffic is fine, and if I masquerade my traffic it is ok too (but I can't let traffic masqueraded).

    Any idea how to get a better log of the firewall's local interface or service?

    Thanks

  • Hello,

    I've continued to investigate. It looks like the XG doesn't like something in the incoming packets from my second subnet.

    If I unselect Match Users, traffic is fine.

    I've done some tcpdump and saw that:

    • I can ping the firewall
    • I can ssh to the firewall
    • I can request DNS things to the firewall

    but I can't open the firewall https user portal page, nor the admin portal page.

    20:27:16.234754 Port1, IN: IP 10.0.0.229.53849 > 192.168.0.253.80: Flags [S], seq 3234587962, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    20:27:16.234812 Port1, OUT: IP 192.168.0.253.80 > 10.0.0.229.53849: Flags [R.], seq 0, ack 1, win 0, length 0

    I always receive an RST/ACK when my test machine sends a SYN

    but SSH is ok.

    Any idea how to debug this? I'm not able to find what is sending this reset-acknowledge packet.

    Thanks for your help
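As an added example (not code from the poster or from Sophos), the script below parses tcpdump lines in the format quoted in the post above, pairs each client SYN with the firewall's reply, and reports per destination port whether the SYN was answered with SYN/ACK, with RST/ACK (the symptom in the thread), or not at all. The capture embedded in it is constructed: the interface name, hosts and ports are placeholders modelled on the post, with a port 22 flow added to show a healthy handshake next to the reset ones.

```python
import re
from collections import defaultdict

# Constructed sample capture in the same format as the lines quoted in the
# thread (interface, IN/OUT direction, IPv4 flow, TCP flags). Port 80 and 443
# SYNs get RST/ACK back, the port 22 SYN gets SYN/ACK, port 8091 gets nothing.
SAMPLE_CAPTURE = """\
20:27:16.234754 Port1, IN: IP 10.0.0.229.53849 > 192.168.0.253.80: Flags [S], seq 3234587962, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
20:27:16.234812 Port1, OUT: IP 192.168.0.253.80 > 10.0.0.229.53849: Flags [R.], seq 0, ack 1, win 0, length 0
20:27:20.100000 Port1, IN: IP 10.0.0.229.53850 > 192.168.0.253.22: Flags [S], seq 1, win 64240, options [mss 1460], length 0
20:27:20.100100 Port1, OUT: IP 192.168.0.253.22 > 10.0.0.229.53850: Flags [S.], seq 0, ack 2, win 65535, length 0
20:27:21.000000 Port1, IN: IP 10.0.0.229.53851 > 192.168.0.253.443: Flags [S], seq 5, win 64240, length 0
20:27:21.000050 Port1, OUT: IP 192.168.0.253.443 > 10.0.0.229.53851: Flags [R.], seq 0, ack 6, win 0, length 0
20:27:22.000000 Port1, IN: IP 10.0.0.229.53852 > 192.168.0.253.8091: Flags [S], seq 9, win 64240, length 0
"""

# Matches the prefix of a tcpdump line: timestamp, interface, direction,
# source/destination IPv4 address and port, and the TCP flag string.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<iface>[^,]+), (?P<dir>IN|OUT): IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return the fields of one tcpdump line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_syn_responses(capture):
    """Map each client->server SYN flow to the reply it received.

    Values: "synack" (handshake proceeds), "rst" (reset, the symptom in the
    thread) or "no-reply" (no answer seen within the capture).
    """
    results = {}
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        flow = (pkt["src"], int(pkt["sport"]), pkt["dst"], int(pkt["dport"]))
        flags = pkt["flags"]
        if flags == "S":
            results[flow] = "no-reply"  # a bare SYN opens a new flow
            continue
        # Any other packet is matched against the reverse direction of a SYN.
        reverse = (flow[2], flow[3], flow[0], flow[1])
        if results.get(reverse) == "no-reply":
            if "R" in flags:
                results[reverse] = "rst"
            elif flags == "S.":
                results[reverse] = "synack"
    return results


def summarize_by_port(results):
    """Count outcomes per destination port, e.g. {80: {"rst": 1}, 22: {"synack": 1}}."""
    summary = defaultdict(lambda: defaultdict(int))
    for (_, _, _, dport), outcome in results.items():
        summary[dport][outcome] += 1
    return {port: dict(counts) for port, counts in summary.items()}


if __name__ == "__main__":
    per_port = summarize_by_port(classify_syn_responses(SAMPLE_CAPTURE))
    for port, counts in sorted(per_port.items()):
        print(f"port {port}: {counts}")
```

Run it against a real capture with `tcpdump -n -i <interface> 'host <firewall-ip> and tcp[tcpflags] & (tcp-syn|tcp-rst) != 0'` piped into the script in place of the constructed sample; a port that shows only "rst" while ssh on the same firewall shows "synack" narrows the problem to the listener or an access rule for that port rather than to routing.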