Invalid Traffic between LAN devices

I have a NAS on the LAN that all Windows workstations are able to access except for one. I have an XG125 with a very simple configuration, only one internal firewall rule, and all the LAN ports, Port1, Port4, Port5, Port6, Port7, and Port8, are bridged. No other computers are affected. I don't know why this one machine is unable to connect. I can ping the NAS from this machine, I can SSH into the console from this machine, but I cannot reach the web admin console port or the drive shares. I've turned off the firewall on the workstation, but the log on the XG continually shows Invalid Traffic between the workstation and the NAS. Any thoughts?
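The symptom in the post (ICMP and SSH to the NAS work, SMB and the web admin port do not) is worth pinning down per port before touching firewall rules, because a TCP connect that times out and one that is refused point at different places. The script below is an added example for doing that from the failing workstation and a working one; it is not part of the original thread, and the NAS address and port list are constructed placeholders, not values from the post.

```python
"""Per-port TCP reachability check for a LAN host, to compare a failing
workstation against a working one.

A 'refused' result means the NAS answered with a RST: the frame reached the
host, the service just is not listening there. A 'timeout' means nothing came
back at all, which on a single broadcast domain usually means a bridge,
firewall or host firewall discarded the SYN or the SYN-ACK.
"""
import socket
import threading

# Constructed placeholders (assumptions, not values from the post).
NAS_HOST = "192.168.1.50"
PORTS = {"ssh": 22, "smb": 445, "http-admin": 80, "https-admin": 443}


def probe(host, port, timeout=2.0):
    """Return 'open', 'refused', 'timeout' or 'error:<errno>' for host:port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return f"error:{exc.errno}"
    finally:
        s.close()


def probe_all(host, ports, timeout=2.0):
    """Probe every named port and return {name: state}."""
    return {name: probe(host, port, timeout) for name, port in ports.items()}


def summarize(results):
    """Turn the per-port states into the question to ask next."""
    states = set(results.values())
    if states == {"open"}:
        return "all services reachable"
    if states == {"timeout"}:
        return "no reply on any port: check L2 (ARP/bridge) before firewall rules"
    if "open" in states and "timeout" in states:
        return "selective loss: host reachable, some flows dropped in path"
    return "mixed: inspect per-port results"


def _local_listener():
    """Helper for the demo: a throwaway listener on 127.0.0.1 (constructed)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    threading.Thread(target=lambda: srv.accept(), daemon=True).start()
    return srv, srv.getsockname()[1]


def _closed_local_port():
    """Helper for the demo: a port on 127.0.0.1 that nothing listens on."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    # Run against the real NAS from each workstation and compare the output.
    for name, state in probe_all(NAS_HOST, PORTS).items():
        print(f"{name:12s} {state}")
    print(summarize(probe_all(NAS_HOST, PORTS)))
```

Run it once from the workstation that fails and once from one that works; if SSH is "open" on both but SMB is "timeout" only on the failing host, the problem is per-flow handling of that host's traffic, not a missing route or a dead port, which is the direction the later replies in this thread take.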



This thread was automatically locked due to age.
  • Invalid Traffic is most likely not an issue. https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Logs/LogViewer/InvalidTrafficEvents/index.html

    Most likely an application issue, and the firewall logs the closure of the application. 


  • I'm still suffering with this problem of not being able to reach the NAS from one specific machine and I'm convinced that this is a problem with the XG125. Additionally, I just recently discovered that I have another machine that cannot reach the NAS. I have a Canon MFP that I used to be able to scan documents and have them saved to a destination directory on the NAS. With the XG125 in place, that functionality does not work. As a test, I reinstalled my old router that I replaced with this XG125, a Cisco RV325. When the Cisco is used instead of the XG125, all the machines can connect to the NAS with no problem. As soon as I plug the XG125 back in, the Windows machine and the MFP can no longer connect. WTF!!!

  • Hi,

    The Canon is probably using a non-routable protocol, not an IP address, and the PC is probably using MS local LAN protocols which also do not route. The Cisco switch is just a local switch which does not perform any firewall/security functions between internal ports, only between the WAN and internal ports.

    You will need to setup firewall rules to allow traffic between the various ports.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • That doesn't explain why all eight other Windows 10 and 11 machines on the same LAN have no problem communicating with the NAS, without having to create a special firewall rule. It's only these two devices with the problem, and everything is in the same Zone, including wireless, which also does not have a problem connecting to the NAS. As I said in the original post, this is a very simple configuration. Even when I try swapping the ports these devices are connected to with ports that work for other machines, they still can't connect. What the hell is going on? 

  • What happens when the devices are all on the same network? For the devices to see each other across different networks you must have some form of link or firewall rule in place.

    Ian


  • Hi,

    You could clean up your rule list; that will make debugging easier. You have a number of drop rules which can be removed, as anything that does not match your allowed rules will drop through to the default drop all.

    Further, you could remove that mail rule because all traffic will be passed by the allow all rule below it. Then you can set up specific mail rules using LAN zone, LAN network to WAN, any IMAP/S, POP/S, SMTP/S, and using the mail scanning functions.

    Please check the configuration of the failing PC: check that it has IP for general use enabled, and compare to a working PC.

    I assume you have a switch with your devices connected to it and everything on the one LAN, so the traffic errors you are seeing are broadcast traffic being rejected by the firewall.

    Ian


  • As you can see in the previous image, the Drop rules were not created by me. They're the Example rules created by the router when it is out of the box. The Email rule was automatically created by the router as well. The description of the rule says, "This rule was added automatically by SFOS MTA. However you could edit this policy based on network requirement." As for the IP configuration of the devices that can't connect, they're both configured as DHCP with the router performing as the DHCP server. The MFP is assigned a static reservation while the workstations are not. All the devices on the network are configured this way. The NAS also receives a static reservation from DHCP.  Here's the new rule list.

  • Please review the connection details of the failing PC in detail, and compare the IP setup in the Advanced tab. I understand about the default settings; they are a bit of an open setup, but the aim is to get you connected while you refine your connection rules.

    Ian


  • I don't know what you're trying to get me to find but I compared three workstations, two Win11, one Win10, and the network properties all look the same across all the tabs, with the exception of the NIC properties, of course.

  • What I am asking about is the WINS settings: Advanced TCP/IP, NetBIOS settings, default.

    Ian


  • OK, settings on the WINS tab are identical on all three machines.

  • In that case you need to start capturing the traffic so you can review where it is failing.

    How is your network connected to the XG?

    Ian


  • The firewall should not be involved in this scenario. It is a LAN to LAN Segment (Broadcast to the same domain). 

    Can you show us your LAN interfaces? 


  • Well, I don't know how much it'll help. As I mentioned originally, the ports are all bridged, but here it is.  

  • How many devices connect directly to the XG and how many switches are you using?

    Ian


  • I won't be able to do any traffic captures until the weekend, but the network layout is very simple. The NAS is connected to port 8 of the XG125, the WAP is connected to port 5, and all other wired devices are connected to an HP J956a 16-port switch, which is connected to port 1 on the XG125. My intention in putting the NAS on a specific port was that eventually I wanted to perform some creative routing for the NAS, but I have to be able to access the NAS from all the devices on the LAN before I can ever consider creative stuff with it.

  • It looks like you need to enable Permit ARP broadcast.

  • Permit ARP broadcast hasn't helped either. I hate this POS firewall. I finally gave up and moved the NAS to a port on the HP switch, and now the workstations can see the NAS again. Anyone want to buy an XG125 piece of *** firewall? You'll find it on eBay for 10 bucks or maybe at my local garbage dump (I'm not so bad of a person to subject anyone else to this kind of torture). Life is too short to waste so much time on something that should work in a simple configuration out of the box. Goodbye Sophos, and good riddance. Never again will I waste my time and money on your products, personally or professionally. I'd rather put my entire network directly on the internet without any firewall rather than continue to fight with this piece of ***.!!!!!!!!! Don't bother replying either, I won't be back to read your response.

  • There are two different situations. You could actually disable two different things as well: 

    https://support.sophos.com/support/s/article/KB-000038900?language=en_US

    Or try to disable the fastpath: 

    console> system firewall-acceleration show

    But anyway, you did not create a support case, I guess? Because the community is not a support channel. 
