cant ping to Internet (https://community.sophos.com/sophos-xg-firewall/f/discussions/108533/xg---cant-ping-access-the-hosts-from-outside)

Hi Elmar, Thanks for reaching out to Sophos Community.

Are you not able to ping your public IP on Port 2 WAN? or Are you not able to ping any public IP outside from your LAN machines behind the firewall? 

The post you've tagged is about allowing access to ping the IPS's IP on WAN port.

Hello Devesh 

ok, ill explain in more detail:

i have a xgs126 and with the WAN PORT BEING port 2 and 

port 1 is configured to lan / physical 192.168.20.1

port 3 is configured to lan / physical 192.168.21.1

port 4 is configured to lan / physical 192.168.22.1

port 5 is configured to lan / physical 192.168.23.1

all pc that are connect to the subnets work ok, and every pc can ping to every other pc in every subnet (i created a simple firewall route to allow traffic between the subnets)

but i can only PING from one subnet (or pc, i do not know that, because i attached only one pc per subnet in my test environment) to

8.8.8.8 (or any other ip adress in the internet)

that pc is not fixed, it changes, but it's always only one pc taht coukd ping to external host on the internet

on every other pc will ping -the first ping will be okay, and the rest would only create  timeouts.

entries in the logfile are as follows:

This problem only concerns icmp. every other service is working fine on every subnet.

I have absolutely NO idea what the problem may be,

Hello there,

It looks like your 4 interfaces are overlapping which will cause issues with some type of traffic.

If you want Port 1, Port3, Port4 and Port 5 to be on the same network, you should bridge the interfaces, so all of them are in the same broadcast domain.

Regards,

no, that does not solve my problem.

i do not think that my networks are "overlapping" because i have a different subnet on every port (192.168.1.0;192.168.2.0,192.168.3.0)

as far as i understand it a bridge would be something that i would need if i would wanted to have on subnet on all bridge member ports.

this is NOT what i have.

my scenario is far more trivial

one port - one subnet.

But ping still does not work :-(

Hello Elmar,

Thank you for the reply.

Yes if the subnet mask is /24 then no overlapping. In that case you’re correct you don't need a bridge.

Can you a drop-packet-capture to see what happens when the PC is pinging.

console> drop-packet-capture 'host x.x.x.x and proto ICMP' (where x.x.x.x is the IP of the computer doing the PING)

Regards,

Hello Elmar,

Thank you for the reply.

Yes if the subnet mask is /24 then no overlapping. In that case you’re correct you don't need a bridge.

Can you a drop-packet-capture to see what happens when the PC is pinging.

console> drop-packet-capture 'host x.x.x.x and proto ICMP' (where x.x.x.x is the IP of the computer doing the PING)

Regards,