Firewall blocks VPN → LAN traffic until it “sees” the destination host

Our networks include a LAN (192.168.0.0/20) and a VPN area (172.x.x.0/24). There is a firewall rule allowing two-way routing between these two zones:

Now the problem we witness is that the firewall blocks VPN → LAN traffic unless it has seen traffic from the LAN host. Initially, the above rule simply does not match:

This happens regardless of the protocol (ICMP, TCP, UDP…)

Indeed the policy tester indicates that such traffic is prohibited:

Now the really strange thing happens when I initiate random traffic from the LAN host (the destination in the above screenshots) that the firewall can see (e.g. connect to something on the internet, or broadcast a single UDP packet): suddenly the host gets “known” and VPN → LAN traffic is no longer blocked:

Then after some time of not seeing any traffic from the LAN host, the traffic is again blocked.

Does anyone understand what is happening?

Note: the issue appears unrelated to ARP, because it still happens if the target host is in the firewall’s ARP table (I even tried adding a PERM entry).

This thread was automatically locked due to age.
  • Hello Sam,

    Thank you for contacting the Sophos Community.

    Do you happen to have an overlapping network on the XG? 

    Regards,

  • Hi Emmanuel, and thank you for having a look at this.

    I hope I understand your question correctly: by overlapping network, you mean distinct physical networks that share an IP range? If so, we do not have such a setup AFAIK.

    We do have subnets of 192.168.0.0 declared in Hosts and Services (192.168.2.0/24 and 192.168.3.0/24) for specific firewall rules, but they are physically part of the LAN.

    (Also I realise in my initial message I wrote our LAN was a /16 but it is actually a /20; I don’t believe it makes any difference).