Add a subnet to lan zone

Hello,

I have a Wi-Fi AP hosting some networks, and I would like to have them reach my XG firewall un-NATed.

I wasn't able to find how to add subnets to the LAN zone.

The static route is set and pings are fine. But when I try to route outgoing packets to WAN, there is a redirect to the authentication page, but the page never appears.

So I guess the firewall is not able to identify those subnets and doesn't allow authentication.

What is the best way to solve this?

Thanks for your help




    Hi

    Thanks for reaching out, and welcome to the Sophos Community!

    What is the firmware version on your firewall? Did you configure match known users and use web authentication for unknown users on the LAN to WAN firewall rule?

    Can you share a screenshot of that redirected authentication link?

    Thanks,

  • Hello,

    I've continued to investigate. It looks like the XG doesn't like something in the incoming packets from my second subnet.

    If I unselect Match Users, traffic is fine.

    I've done some tcpdump and saw that:

    • I can ping the firewall,
    • I can ssh to the firewall
    • I can request DNS things to the firewall

    but I can't open the firewall https user portal page, nor the admin portal page.

    20:27:16.234754 Port1, IN: IP 10.0.0.229.53849 > 192.168.0.253.80: Flags [S], seq 3234587962, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    20:27:16.234812 Port1, OUT: IP 192.168.0.253.80 > 10.0.0.229.53849: Flags [R.], seq 0, ack 1, win 0, length 0

    I always receive an RST/ACK when my test machine sends a SYN

    but SSH is ok.

    Any idea to debug this? I'm not able to find what is sending this reset-acknowledge packet.

    Thanks for your help
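The capture above already answers the "who sends the reset" question: the RST/ACK leaves the same interface (Port1, OUT) with the firewall's own address and port 80 as source, so it is the firewall itself refusing the connection rather than a device in between. The script below is an added example, not part of this thread or Sophos' tooling: it parses lines in the XG tcpdump format quoted above, pairs each inbound SYN with the firewall's reply on the same interface, and reports whether the client address falls inside the networks assigned to the zone. The two SSH lines and the zone network 192.168.0.0/24 are constructed for the demonstration.

```python
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the XG tcpdump format quoted in the thread.
# The first two lines mirror the poster's capture; the SSH lines are invented
# to show a flow the firewall does accept.
SAMPLE = """\
20:27:16.234754 Port1, IN: IP 10.0.0.229.53849 > 192.168.0.253.80: Flags [S], seq 3234587962, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
20:27:16.234812 Port1, OUT: IP 192.168.0.253.80 > 10.0.0.229.53849: Flags [R.], seq 0, ack 1, win 0, length 0
20:27:20.100000 Port1, IN: IP 10.0.0.229.53850 > 192.168.0.253.22: Flags [S], seq 1, win 64240, options [mss 1460], length 0
20:27:20.100100 Port1, OUT: IP 192.168.0.253.22 > 10.0.0.229.53850: Flags [S.], seq 2, ack 2, win 65535, options [mss 1460], length 0
"""

# "<time> <iface>, <IN|OUT>: IP <src>.<sport> > <dst>.<dport>: Flags [<flags>]"
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<iface>\S+), (?P<dir>IN|OUT): IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

@dataclass
class Verdict:
    client: str
    service_port: int
    outcome: str          # "refused" (RST from the firewall), "accepted" (SYN/ACK) or "other"
    client_in_zone: bool  # is the client inside one of the zone's configured networks?

def classify(capture: str, zone_networks: list[str]) -> list[Verdict]:
    """Pair each inbound SYN with the firewall's own reply leaving the same interface."""
    nets = [ipaddress.ip_network(n) for n in zone_networks]
    pending: dict[tuple, str] = {}   # (client, cport, fw, fport) -> interface
    verdicts: list[Verdict] = []
    for raw in capture.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        f = m.groupdict()
        if f["dir"] == "IN" and f["flags"] == "S":
            pending[(f["src"], f["sport"], f["dst"], f["dport"])] = f["iface"]
            continue
        # A reply from the firewall has the flow reversed and exits the same interface.
        key = (f["dst"], f["dport"], f["src"], f["sport"])
        if f["dir"] == "OUT" and pending.pop(key, None) == f["iface"]:
            outcome = "refused" if "R" in f["flags"] else ("accepted" if f["flags"] == "S." else "other")
            client = ipaddress.ip_address(f["dst"])
            verdicts.append(Verdict(str(client), int(f["sport"]), outcome,
                                    any(client in n for n in nets)))
    return verdicts

if __name__ == "__main__":
    for v in classify(SAMPLE, ["192.168.0.0/24"]):
        print(v)
```

Run against the sample it reports port 80 as refused and port 22 as accepted for a client outside the zone's networks, which is the pattern to look for when a subnet reached only via a static route is expected to hit the authentication portal.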

