One VLAN on two physical interfaces

Hi,

So I have two physical interfaces and want to have the native VLAN and VLAN 10 on both of them. The first interface is connected to a wireless AP and the second is connected to a switch. The goal here is that wireless devices on VLAN 10 should be able to talk to wired devices connected to the switch on VLAN 10. VLAN 10 is for IoT devices.

To achieve this I created a bridge with the two physical interfaces as members. I then added VLAN 10 to that bridge. I also set up two DHCP servers, one for each VLAN.

Devices connected to either the VLAN 10 SSID or a VLAN 10 port in the switch are assigned the correct IP addresses. I've set up a firewall rule that allows any host in the IoT zone to access the WAN zone.

The problem is that devices on VLAN 10 can't access the internet. Looking in the log, some packets are going through but some are labelled "Could not associate packet to any connection." and are denied. Different packets with the same source and destination IP are sometimes allowed and sometimes denied. The ones that are allowed have "in interface: bridge.10". The ones that are denied have "in interface: port2".

Devices not on VLAN 10 work just fine. 

I'm on version SFVH (SFOS 18.0.5 MR-5-Build586).

Big thanks for any advice. 



  • FormerMember

    Hi Delanius55, thanks for reaching out to the Sophos Community.

    This is a bit tricky but I'll try to explain it as simply as I can.

    Referring to the packet capture you've attached, the packets showing as denied (in red) are actually IN packets on the interface Port2, which are shown only because the firewall is receiving the packet on that physical interface.

    The actual packet going to the WAN shows IN from port 'Bridge.10', which is the packet tagged with VLAN 10 by the downstream device, and it is the actual packet going out to the WAN from that virtual bridged VLAN interface.

    -> It shows as invalid because, for network 192.168.1.0/24, the firewall is expecting packets tagged with ID 10. The ones showing as "Invalid" in the log viewer are the IN packet entries for the physical interface Port2 and not the virtual bridged VLAN 10 interface. Hence "Couldn't associate packet to any connection".

    Nothing to get confused about; this is just the way the firewall logs these packets.

    For example here, I have a bridge of Port2,3,4 (Name: Port2_3_4) and a VLAN 10 on that Bridge.



    Now I ping from IP 10.10.10.10 to 1.1.1.1 and here's the packet capture on the CLI:



    -> Coming back to your issue, it seems that the packets going out to the WAN show a match on NAT rule ID 2 but are not NATed with your WAN port's IP address.

    Can you check the NAT rule and see if the SNAT is selected as MASQ or just kept as Original? If it's selected as Original, change it to MASQ.


    If this doesn't work then we can try something else depending upon your configuration.

    Hope this helps :)
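The reply above says a denied "Could not associate packet to any connection" entry whose in-interface is a physical bridge member (port2) is only the L2 view of a flow the log also shows as allowed on the bridged VLAN interface (bridge.10). The script below is an added example, not code from the thread or from Sophos; it groups constructed log lines by flow and separates denials that have such a mirrored allow from flows that are only ever denied. The key=value line layout, interface names and addresses are constructed assumptions, not the real Sophos log format.

```python
# Added example, not code from the thread or from Sophos: triage of firewall log
# entries for a VLAN riding on a bridge. A denial on a physical bridge member
# that is mirrored by an allow on the VLAN interface of that bridge is a logging
# artefact; a flow that is only ever denied deserves a closer look.
import re
from collections import defaultdict

# Topology from the thread: bridge.10 is VLAN 10 on a bridge of port1 and port2.
BRIDGE_MEMBERS = {"bridge": {"port1", "port2"}}
VLAN_PARENT = {"bridge.10": "bridge"}

# Constructed sample lines in a simplified key=value layout, not the real Sophos
# log format; addresses are documentation/test values.
SAMPLE_LOG = """\
status=Allow in_iface=bridge.10 out_iface=Port1 src=192.168.10.20 dst=203.0.113.10 proto=TCP dport=443
status=Deny in_iface=port2 out_iface= src=192.168.10.20 dst=203.0.113.10 proto=TCP dport=443 reason="Could not associate packet to any connection"
status=Deny in_iface=port2 out_iface= src=192.168.10.21 dst=1.1.1.1 proto=ICMP dport=0 reason="Could not associate packet to any connection"
status=Allow in_iface=bridge.10 out_iface=Port1 src=192.168.10.21 dst=1.1.1.1 proto=ICMP dport=0
status=Deny in_iface=port2 out_iface= src=192.168.10.22 dst=203.0.113.20 proto=TCP dport=80 reason="Could not associate packet to any connection"
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

def parse_line(line):
    """Parse one key=value line into a dict; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}

def explained_by_vlan_allow(denied, allowed):
    """True if a denial on a physical member is mirrored by an allow on a VLAN
    interface that sits on the bridge containing that member."""
    for a in allowed:
        bridge = VLAN_PARENT.get(a["in_iface"])
        if bridge and denied["in_iface"] in BRIDGE_MEMBERS[bridge]:
            return True
    return False

def triage(log_text):
    """Group entries by flow; return (explained_flows, suspicious_flows)."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e:
            flows[(e["src"], e["dst"], e["proto"], e["dport"])].append(e)
    explained, suspicious = [], []
    for flow, entries in flows.items():
        denied = [e for e in entries if e["status"] == "Deny"]
        allowed = [e for e in entries if e["status"] == "Allow"]
        if denied and all(explained_by_vlan_allow(d, allowed) for d in denied):
            explained.append(flow)
        elif denied:
            suspicious.append(flow)
    return explained, suspicious
```

Running `triage(SAMPLE_LOG)` on the constructed lines reports the first two flows as mirrored (artefacts) and the 192.168.10.22 flow as the only one worth investigating.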

  • I'd like very much to hear about those other things that might fix this. 

  • FormerMember in reply to Delanius55

    Please check drop packets and tcpdump through the CLI to verify whether these packets are forwarded properly or whether there is any drop on the device.

    Run a ping from the machine in that VLAN to any distinct public IP (like 1.1.1.1).

    SSH into the device, go to Option 4 > Console, and run the command --> tcpdump 'host x.x.x.x' (put in the IP you're pinging)

    Open a new SSH session and run the command --> drop-packet-capture 'host x.x.x.x'

    Share the output.


  • So I pinged 1.1.1.1 and got a response. Output:

    Then I opened a browser and entered google.com in the address bar. Site was unable to load. I got the IP from Sophos log viewer and using that I ran the same commands as with 1.1.1.1. 

  • FormerMember in reply to Delanius55

    Can you try changing the MSS on the WAN port to 1400 or 1380?

    It's available in Interface > Port > Advanced Settings > Override MSS.

  • I tried them both and one machine, on Wi-Fi and Win10, can now surf the web. But on an Android phone I can surf to google.com and do searches but I can't access any of the sites in the search results. I can't reach them by entering their address in the address bar either.

  • Wait a minute, now the phone is working. Maybe something just needed some time to adjust. Let me do some tests and then I'll get back to you. But this seems promising. 

  • FormerMember in reply to Delanius55

    Alright, Great! Let me know how the testing goes :) 

  • It seems to be unstable. So the two devices I use for testing both had internet there for a while. But a few minutes ago that stopped working. The device I'm writing to you on is on the default VLAN and has no issues. 

  • I was hoping for some more advice on this. 

  • FormerMember in reply to Delanius55

    Hi, just to confirm: do only IoT devices have the issue, or does any device that connects to VLAN 10 have internet issues?

    We need to narrow down the issue so keep the packet capture running and save it in a file.

    Once the issue starts occurring, check whether the firewall is able to forward those packets out of the WAN interface or not, and share the output here as well.

  • XG has some difficulties with bridge traffic. What I read here reminds me of a problem we have had for months.

    The traffic is sent to the bridge interface instead of the VLAN interface, which breaks your network communication.

    If you have support, ask them about NC-74120. Contact me, if you need my support case #.

    Here is a reply I received yesterday. The technical explanation is in the last chapter. Currently I only have this confirmation, no solutions. XG is dropping the packets because of IP Spoof on our side.

    xxx.xxx.40.5 and xxx.xxx.40.61 are in the same broadcast domain and reachable via the same bridge. Here, what happened is that when xxx.xxx.40.5 (client-1) sees that it needs to send traffic to xxx.xxx.40.61 (client-2), it will use the MAC address of that IP and not the MAC of the gateway (XG). It will have a packet like the following:

    Source IP: xxx.xxx.40.5 (Client-1) -> behind Port 8

    Source MAC: Client-1 MAC address

    Destination IP: xxx.xxx.40.61 (Client-2) -> behind VLAN.1000 interface

    Destination MAC: Client-2 MAC address

    So, when a packet with the above details is submitted to XG, as its destination MAC is not XG's, XG will not submit this packet to Layer 3 (so it will not submit this packet to the VLAN, as that is an L3 interface) and it will bridge the traffic. Now the issue occurs: as it is bridged traffic, its incoming interface will be Port8 and not VLAN.1000. This packet will traverse the Netfilter stack with in-interface Port8 and it will be dropped by the spoofing check, because that check finds that the xxx.xxx.40.0 network is not part of Port8.

    Currently, this is the behavior.
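The support reply above describes a forwarding decision: a frame addressed to another host's MAC is bridged at L2 and keeps the physical member as its Netfilter in-interface, so the anti-spoof check fails; a frame addressed to the firewall's MAC is routed via the VLAN interface and passes. The model below is an added example, not Sophos code and not a description of the real XG internals; the interface names, MACs, the 10.0.40.0/24 stand-in for the elided xxx.xxx.40.0 network, and the per-interface network table are constructed assumptions.

```python
# Added example, not Sophos code: a small model of the forwarding decision
# described in the support reply. Two hosts share one subnet over a bridge;
# client-1 sits behind physical member Port8, client-2 behind the L3 interface
# VLAN.1000. All names, MACs, addresses and tables are constructed stand-ins.
from dataclasses import dataclass
import ipaddress

XG_MAC = "02:00:00:00:00:01"  # the firewall's own MAC (constructed)

# Networks the anti-spoof check accepts per in-interface (constructed). The
# physical bridge member carries no IP network; only the VLAN interface does.
IFACE_NETWORKS = {
    "Port8": [],
    "VLAN.1000": [ipaddress.ip_network("10.0.40.0/24")],  # stand-in for xxx.xxx.40.0/24
}

@dataclass
class Frame:
    src_ip: str
    dst_ip: str
    dst_mac: str
    ingress_port: str  # physical port the frame arrived on

def pick_in_interface(frame):
    """Frames addressed to the firewall's MAC are handed to L3 via the VLAN
    interface; anything else is bridged at L2 and keeps the physical member
    as its Netfilter in-interface, as the reply describes."""
    if frame.dst_mac.lower() == XG_MAC:
        return "VLAN.1000", "routed"
    return frame.ingress_port, "bridged"

def spoof_check(in_iface, src_ip):
    """Source address must belong to a network configured on the in-interface."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in IFACE_NETWORKS.get(in_iface, []))

def forward(frame):
    """Return the interface the packet is attributed to, the path taken and the verdict."""
    in_iface, path = pick_in_interface(frame)
    verdict = "forward" if spoof_check(in_iface, frame.src_ip) else "drop:ip_spoof"
    return {"in_iface": in_iface, "path": path, "verdict": verdict}

# client-1 -> client-2 directly: destination MAC is client-2, so the frame is
# bridged with Port8 as in-interface and fails the spoof check.
CLIENT_TO_CLIENT = Frame("10.0.40.5", "10.0.40.61", "02:00:00:00:00:61", "Port8")
# client-1 -> internet via the gateway: destination MAC is the firewall, so
# the packet is routed via VLAN.1000 and passes.
CLIENT_TO_GATEWAY = Frame("10.0.40.5", "1.1.1.1", XG_MAC, "Port8")
```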