Subnets in LAN Zone

Hello.

Our network topology is like this:

VLAN 172.16.100.0/24 ------------ Layer 3 switch ------- VLAN 172.16.10.0/24 -------- Sophos LAN Port1 172.16.10.1

Everything works fine in VLAN 172.16.10.0/24; everybody can connect to the web proxy on TCP/3128, but the VLANs behind the Layer 3 switch can't connect. When I test the policy I get a DENIED ACCESS, but any PC connected to VLAN 172.16.100.0/24 can PING Sophos 172.16.10.1.

I can't find where to add VLAN 172.16.100.0/24 as part of LAN ZONE.

Thanks in advance!



  • FormerMember

    Hi,

    Thanks for reaching out, and welcome to the Sophos Community!

    Follow the instructions in the following KBA, and you would need to create a LAN to LAN firewall rule to allow communication between VLANs.

    Thanks,

  • The zoning is applied on the incoming interface, if there's a route to the 172.16.100.0/24 subnet via Port1 on the XG then that's good enough (if it's set to LAN). A policy test should give an indication of why the traffic is blocked, or if you look in the web filter/firewall log at live traffic there should also be an indication of why they can't connect.

    Regards

  • We used to run something similar with two subnets on different VLANs behind the switch.

    The fact you can ping 172.16.10.1 from the 172.16.100.0/24 subnet (it's a subnet, not a VLAN; they may well be on different VLANs, but you are talking about a subnet :) ) indicates that the routing has been set up correctly. I would suspect there is something wrong with your firewall rules. As carbon15 has said, if the traffic is coming in on Port1 then it will be identified as being in the LAN zone whatever subnet it is in.
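The two replies above make the same point: the zone is decided by the ingress interface, so the routed subnet 172.16.100.0/24 is just as much "LAN" as 172.16.10.0/24, and a denial must come from the rule itself. The following is an added, simplified model of that logic (not Sophos code and not the XG's actual engine): interface names, routes and rule names are hypothetical, and it contrasts a proxy rule whose source network is restricted to the directly connected subnet with one that relies on the LAN zone alone.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical interface table mirroring the thread's topology: Port1 is in the
# LAN zone and has a route to the subnet behind the Layer 3 switch.
INTERFACES = {
    "Port1": {"zone": "LAN", "routes": ["172.16.10.0/24", "172.16.100.0/24"]},
    "Port2": {"zone": "WAN", "routes": ["0.0.0.0/0"]},
}

@dataclass
class Rule:
    name: str
    src_zone: str
    src_nets: list        # empty list means "Any" network in the zone
    dst_port: int
    action: str           # "ALLOW" or "DENY"

def ingress_interface(src_ip: str) -> str:
    """Choose the arriving interface by longest-prefix match on the route table."""
    ip = ipaddress.ip_address(src_ip)
    best = None
    for name, cfg in INTERFACES.items():
        for net in cfg["routes"]:
            n = ipaddress.ip_network(net)
            if ip in n and (best is None or n.prefixlen > best[1]):
                best = (name, n.prefixlen)
    return best[0]

def zone_of(src_ip: str) -> str:
    """Zone is a property of the ingress interface, not of the source subnet."""
    return INTERFACES[ingress_interface(src_ip)]["zone"]

def evaluate(src_ip: str, dst_port: int, rules: list) -> str:
    """First matching rule wins; anything unmatched hits the implicit deny."""
    ip = ipaddress.ip_address(src_ip)
    zone = zone_of(src_ip)
    for r in rules:
        if r.src_zone != zone or r.dst_port != dst_port:
            continue
        if r.src_nets and not any(ip in ipaddress.ip_network(n) for n in r.src_nets):
            continue
        return f"{r.action} by '{r.name}'"
    return "DENY by implicit default"

# Suspected misconfiguration: source network pinned to the connected subnet only.
NARROW = [Rule("proxy-lan", "LAN", ["172.16.10.0/24"], 3128, "ALLOW")]
# Zone-based rule: covers every subnet routed in via Port1, including 172.16.100.0/24.
WIDE = [Rule("proxy-lan", "LAN", [], 3128, "ALLOW")]
```

Running the policy test equivalent, `evaluate("172.16.100.5", 3128, NARROW)` falls through to the implicit deny while the same client is allowed under `WIDE`, which is the symptom the thread describes.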