
Doorbird doesn't work behind Sophos XG Firewall

We have a Doorbird doorbell behind our Sophos XG Firewall with Firmware....

I also read these articles:

https://community.sophos.com/sophos-xg-firewall/f/discussions/125260/doorbird-connected-to-sophos-xg

The article says that SSL/TLS decryption is the solution, but I tried it and it doesn't work either: https://community.sophos.com/sophos-xg-firewall/f/discussions/124615/how-to-unblock-ring-doorbell-app-when-sophos-xg-is-using-ssl-tls-decryption

So here is another article with the same problem and also no solution:

https://community.sophos.com/sophos-xg-firewall/f/discussions/128958/doorbird-connected-to-sophos-xg-with-no-external-access/473281?focus=true#473279

I posted the details in the article above but I am afraid nobody sees it in that discussion. So I opened this new question.

Here is my summary:

The Doorbird doesn't get a connection with the XG-Firewall.

I have the same rule as described here https://community.sophos.com/sophos-xg-firewall/f/discussions/128958/doorbird-connected-to-sophos-xg-with-no-external-access/473281?focus=true#473279:

Additionally, I added an SSL/TLS inspection rule as described here https://community.sophos.com/sophos-xg-firewall/f/discussions/124615/how-to-unblock-ring-doorbell-app-when-sophos-xg-is-using-ssl-tls-decryption:

But I see a lot of errors in the log:

I also see this in capture mode; the Local_ACL violation is strange. I tried this question for help but I don't understand the solution:

https://community.sophos.com/sophos-xg-firewall/f/discussions/102533/local_acl

This is the detail-view:

Packet information
Ethernet header
Source MAC address: 1c:ca:e3:7b:0c:8e
Destination MAC address: ff:ff:ff:ff:ff:ff
Ethernet type IPv4 (0x800)

IPv4 Header
Source IP address: 192.168.0.60
Destination IP address: 255.255.255.255
Protocol: UDP
Header: 20 Bytes
Type of service: 0
Total length: 49 Bytes
Identification: 0
Fragment offset: 16384
Time to live: 64
Checksum: 31192

UDP Header:
Source port: 3074
Destination port: 35344
Length: 29
Checksum: 47622

So I don't know what to do. I changed the Doorbird hardware, but with the new part it's still the same problem. So I think it's an FW error.

Please - is there anyone with a solution?

I couldn't find it in the other questions. A lot of people describe the same problem but nobody has an answer.

David
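The capture in the post above shows a UDP packet from 192.168.0.60 to 255.255.255.255, i.e. the IPv4 limited broadcast address. The following Python helper is an added example, not code from this thread, from Sophos or from Doorbird: it parses that "detail-view" text format, classifies the destination (limited broadcast, directed broadcast, multicast or unicast) and states whether a client on another subnet could ever receive the packet. The sample capture text is constructed from the values quoted in the post, and the subnets 192.168.0.0/24 (device) and 192.168.1.0/24 (app) are assumptions for illustration only.

```python
import ipaddress
import re

# Constructed sample in the "detail-view" format quoted in the thread
# (values copied from the post; the two blank-valued header lines are kept on purpose).
SAMPLE_CAPTURE = """\
Packet information
Ethernet header
Source MAC address:1c:ca:e3:7b:0c:8e
Destination MAC address: ff:ff:ff:ff:ff:ff
Ethernet type IPv4 (0x800)

IPv4 Header
Source IP address:192.168.0.60
Destination IP address:255.255.255.255
Protocol: UDP
Header:20 Bytes
Time to live: 64

UDP Header:
Source port:3074
Destination port: 35344
Length: 29
"""

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# "Key: value" lines; the key stops at the first colon so MAC addresses keep their own colons,
# and a line with nothing after the colon (e.g. "UDP Header:") does not match at all.
FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>\S.*?)\s*$")


def parse_capture(text):
    """Turn the detail view into a dict keyed by lower-cased field name."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key").lower()] = m.group("value")
    return fields


def classify_destination(dst, network=None):
    """Classify an IPv4 destination as limited-broadcast, multicast, directed-broadcast or unicast.

    `network` is the subnet the sender lives in; it is only needed to recognise a directed broadcast.
    """
    addr = ipaddress.ip_address(dst)
    if addr == LIMITED_BROADCAST:
        return "limited-broadcast"
    if addr.is_multicast:
        return "multicast"
    if network is not None and addr == ipaddress.ip_network(network, strict=False).broadcast_address:
        return "directed-broadcast"
    return "unicast"


def analyze(capture_text, device_network, app_network):
    """Decide whether the captured packet can reach a client in app_network.

    device_network and app_network are assumed subnets (constructed for this example).
    Returns the parsed 5-tuple, the destination class, a reachable flag and a reason.
    """
    f = parse_capture(capture_text)
    src = ipaddress.ip_address(f["source ip address"])
    dst = f["destination ip address"]
    device_net = ipaddress.ip_network(device_network, strict=False)
    app_net = ipaddress.ip_network(app_network, strict=False)
    kind = classify_destination(dst, device_net)
    result = {"src": str(src), "dst": dst, "kind": kind, "protocol": f.get("protocol"),
              "sport": f.get("source port"), "dport": f.get("destination port")}

    if src not in device_net:
        result.update(reachable=False,
                      reason=f"source {src} is not inside the assumed device subnet {device_net}")
    elif kind in ("limited-broadcast", "directed-broadcast"):
        # Routers do not forward limited broadcasts (RFC 919 / RFC 1812), so the packet never
        # leaves the device's segment; a firewall logging and dropping it is expected behaviour,
        # not a misconfigured rule. Only a client on the same segment can hear it.
        same = device_net == app_net
        result.update(reachable=same, reason=f"{kind} stays on {device_net}; app is "
                      + ("on the same segment" if same else f"on {app_net}, another segment"))
    elif kind == "multicast":
        result.update(reachable=None, reason="depends on multicast routing being configured")
    else:
        result.update(reachable=True, reason="unicast is routable; passing it is a policy question")
    return result


if __name__ == "__main__":
    for app_net in ("192.168.0.0/24", "192.168.1.0/24"):
        r = analyze(SAMPLE_CAPTURE, "192.168.0.0/24", app_net)
        print(f"{r['protocol']} {r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} "
              f"[{r['kind']}] app on {app_net}: reachable={r['reachable']} ({r['reason']})")
```

Run it as-is and the second line of output reports `reachable=False` for an app on 192.168.1.0/24: the firewall cannot be made to forward a limited broadcast, so the usable fixes are the ones the reply below names (put the app and the device on the same segment, e.g. by bridging, or provision the device first with the mobile app on that segment).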


Top Replies

  • If so, the firewall will actually ignore the packets. 

    So lets recap quickly on what is going on: 

    The device is doing a broadcast, it's like screaming in a room, hoping somebody is answering. 

    If you have multiple network segments, it's like having multiple rooms in a house. Your device only screams in the living room, your application is in another room. 

    Most products cannot "forward" this scream, as this is highly unwanted by a network administrator. There are reasons not to forward this. And the firewall does not know in which room it has to forward this etc. 

    What you can do: You could increase the room size by building a network bridge. This means, it will increase the subnet of the network to a bigger size network. 

    Can you link us a screenshot of your interfaces? Where is the application / mobile device? 

    PS: These packets will not reach the Internet in any way. You cannot configure that. So it seems like you have to configure the device with a mobile app first. 
  • You see the blocked packages from the Sophos log in my first screenshot. But instead of Sophos I tried OPNsense and now it works. So it is definitely a problem from Sophos. I am frustrated enough with the XP (slow interface, no Let's Encrypt support and no solution for the Doorbird problem), so I will give OPNsense a try for the next weeks.