Two identical VLANs, one can access Main VLAN, other cant

Hello!

My journey with the XG has started with issues... Hope this is the last one (I still have an issue with WAF, but hope to get help there).

So - hopefully - this is the last issue I am facing, at least for now.

I have the main VLAN in the LAN zone and two VLANs (One Visitor, one IOT) in the DMZ zone.

I need them both to have access to some resources. For example, I have an Openspeedtest docker on my main vlan and wanted all clients, either in IOT, or in Visitor to be able to access IP_OF_Openspeedtest:8080.

I created a firewall rule for the IOT:

I created the exact rule for the Visitor:

From the IOT VLAN I can access http://IP_OF_Openspeedtest:8080 no problem. I can ping machines and connect via HTTP, all good.

From the Visitor VLAN I can't access anything.

I went to diagnostics to test the policy and it says accepted.

I wanted to make sure that the rule I created was taken into regard, so I disabled it and performed a policy test again

I performed the same tests with the IOT Vlan. Disabling the rule I got a Blocked result and indeed I could not access the link above.

Enabling the rule again, I could access normally. But from the Visitor VLAN, despite getting the Allowed result, I can never access the resource above.

So all seems as it should; however, the problem still remains.

Can someone please tell me where I can begin to look in order to find what is wrong?



  • 1. From both VLANs, can you access the internet?

    2. From both VLANs, can you ping the default gateway (the XG interface within this VLAN)?

    3. Post a traceroute result from both VLANs to 192.168.1.184.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hello!

    1. Yes, both VLANs have internet access

    2. Yes, VLAN10 gateway is 10.10.10.1 and I can ping it. VLAN20 has gateway 10.10.20.1 and I can also ping it.

    3. The problematic VLAN is VLAN10. Traceroute in this gets nowhere

    In VLAN20 where things work OK, traceroute is fine:

    Am I missing something really obvious??

     
    Sophos XG Home Licence.

    Machine: Barracuda F12 appliance (Intel Celeron N3350 CPU, 6GB Ram, 80GB sata SSD)

  • You should see the 10.10.10.1 at least .. within tracert.

    can you post the "route print" output from VLAN10-Device?


    Dirk


  • Of course. Here you go.

    Thanks a lot !


  • Can't see an error.

    Can you try traceroute again and look for differences:

    1. tracert from 10.10.10.3 to 192.168.1.184
    2. tracert from 10.10.10.3 to 8.8.8.8

    And double-check the netmask of both 10.10.x.y interfaces on the Sophos XG.


    Dirk


  • Hello again! This time it actually hit 10.10.10.1 (don't know why yesterday it didn't).

    But still no further luck

    Traceroute from 10.10.10.5 to 8.8.8.8. All seems normal

    And the result to 192.168.1.184 (I stopped it at 16 hops):

    Do you think I should try to create another VLAN to see what happens ?

    I am just scared that it might kill the one that is working (and this is the important one)

    The VLAN10 that has the problem only needs to access the internet really, but still I need to find out why this is happening :(


  • The VLAN10 that has the problem only needs to access the internet really, but still I need to find out why this is happening :(

    I can understand you :-)
    A new VLAN would be worth trying.


    Dirk


  • Hello there,

    If you SSH into the XG and do a drop packet capture, do you see the traffic being dropped by the appliance?

    If you don't see traffic being dropped by the XG, try running a tcpdump on the incoming interface and on the exiting interface of the XG via SSH. (You would need to open two SSH sessions.)

    For example, if traffic is coming into Port1 via VLAN 10 you would do

    # tcpdump -eni Port1.10 host 10.10.10.3 and icmp

    and exiting on Port3

    # tcpdump -eni Port3 host 10.10.10.3

    Can you share a screenshot of your Network interfaces involved in this scenario?

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
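Reading the two captures Emmanuel describes side by side is the tedious part. The following Python script is an added example, not code from this thread or from Sophos: it parses constructed `tcpdump -eni ... host ... and icmp` lines from the VLAN sub-interface and from the egress port and reports, per echo packet, whether it was forwarded or vanished inside the XG (in either direction, so a reply that reaches Port3 but never gets back to VLAN10 is flagged too). The interface names, MAC addresses and the 10.10.10.0/24 VLAN network are assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# One line of `tcpdump -eni <iface> host <ip> and icmp` output (numeric, link header shown).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

# Constructed sample captures (not real output): VLAN10 sub-interface and the LAN-side port.
VLAN10_CAPTURE = """\
10:00:01.000100 aa:aa:aa:aa:aa:03 > bb:bb:bb:bb:bb:10, ethertype IPv4 (0x0800), length 98: 10.10.10.3 > 192.168.1.184: ICMP echo request, id 7, seq 1, length 64
10:00:02.000100 aa:aa:aa:aa:aa:03 > bb:bb:bb:bb:bb:10, ethertype IPv4 (0x0800), length 98: 10.10.10.3 > 192.168.1.184: ICMP echo request, id 7, seq 2, length 64
"""
PORT3_CAPTURE = """\
10:00:01.000300 bb:bb:bb:bb:bb:03 > cc:cc:cc:cc:cc:84, ethertype IPv4 (0x0800), length 98: 10.10.10.3 > 192.168.1.184: ICMP echo request, id 7, seq 1, length 64
10:00:01.000500 cc:cc:cc:cc:cc:84 > bb:bb:bb:bb:bb:03, ethertype IPv4 (0x0800), length 98: 192.168.1.184 > 10.10.10.3: ICMP echo reply, id 7, seq 1, length 64
"""

def parse_capture(text):
    """Count ICMP echo packets per (src, dst, kind, id, seq) in one capture."""
    seen = defaultdict(int)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            seen[(m["src"], m["dst"], m["kind"], int(m["id"]), int(m["seq"]))] += 1
    return seen

def correlate(vlan_text, egress_text, vlan_net="10.10.10.0/24"):
    """Per packet: did it leave the firewall on the interface it should have?"""
    net = ipaddress.ip_network(vlan_net)
    vlan, egress = parse_capture(vlan_text), parse_capture(egress_text)
    verdicts = {}
    for key in vlan.keys() | egress.keys():
        # Traffic from the VLAN enters on the sub-interface and exits on the port;
        # replies back to the VLAN travel the opposite way, so swap entry/exit.
        entry, exit_ = (vlan, egress) if ipaddress.ip_address(key[0]) in net else (egress, vlan)
        if key in entry and key in exit_:
            verdicts[key] = "forwarded"
        elif key in entry:
            verdicts[key] = "lost inside firewall"   # dropped, NATed or misrouted by the XG
        else:
            verdicts[key] = "seen only on exit side"  # wrong capture interface or odd source
    return verdicts

def summarize(verdicts):
    """Tally verdicts; any 'lost inside firewall' count says the XG is where to look next."""
    return dict(Counter(verdicts.values()))
```

Run `summarize(correlate(VLAN10_CAPTURE, PORT3_CAPTURE))` on real captures pasted into the two strings; with the constructed data, seq 2 never leaves Port3 and the reply for seq 1 never reaches Port1.10.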
  • Hello and thanks a lot for your suggestions!

    I saw your message too late, unfortunately.. I ended up deleting VLAN10 and recreating it. And go figure... it is working now.....

    I did not even delete the firewall rule 

    I don't know if deleting the VLAN also deleted a weird setting somewhere that was causing the issue.

    I am happy that it started working but kinda disappointed that I will never understand what was causing the issue in the first place.

    I really appreciate all your effort and patience guys! 

    My migration from UTM to XG is almost 100% successful. The one thing that I can't figure out yet is the WAF issue I am having 

    If anyone would like to offer some insight ===> https://community.sophos.com/sophos-xg-firewall/f/discussions/132738/dynamic-dns-issue

    There are also a few things that I was used to in the UTM which are still missing from XG, but I believe in time they will be added.

