
Server on Different Interface not Reachable from LAN

I have a server on interface A with its own zone and a static IPv4 address. It is not reachable from the LAN zone on interface B, even though I have a firewall rule with logging, placed above all other rules, that says allow from LAN, any host, to Server_Zone, any host, any service (for testing purposes only). The policy test just says it is blocked because no rule matched. There is nothing in the log viewer. The status of interface A says connected with the correct link speed.

What am I missing to enable inter-interface connections?

Thank you very much in advance!



  • Can you show us a screenshot of your interface definition, please?

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • For clarity, I changed the interface slightly:

    It is connected:

    And also leases IPs over DHCP:

    The firewall rule number 1 should actually allow everything:

    This now seems to work according to the policy tester. I can also ping 172.16.53.53 through the Sophos web GUI, but not directly from my workstation in the LAN zone. I also cannot connect via SSH.

  • Your interface IP on Port3 seems to be incorrect: are you really using 172.16.53.0?

    This is the complete network; you should use 172.16.53.1 for Port3, for example. Then your server in that zone could use 172.16.53.53, if you want. The gateway that your DHCP server for that network hands out is then 172.16.53.1.

    After these changes, your setup should begin to fly.

    Philipp Rusch
    New Vision GmbH, Germany

  • Thank you very much for your answer and your time.

    I changed the Port3 interface to 172.16.53.1. My server still gets the 172.16.53.53 IP and shows the correct host name on the DHCP lease page, I can still ping through the Sophos web GUI, and the policy tester says it accepts a connection from a LAN IP to the server or from the server to the WAN zone. However, from my workstation in the LAN zone I cannot ping the server or establish an SSH connection.

    Am I free to choose the interface IP, or did I make an incompatible choice with 172.16.53.1 for the Port3 interface?

  • I changed the interface IP to 172.16.53.1/24 and recreated the DHCP server for this interface, and now it works. Thank you very much! It flies now. ;)

  • Please read again: you gave 172.16.53.0 to your interface, not 172.16.53.1!

    The 172.16.53.1 is perfectly OK.

    So the two members of your network are 172.16.53.1 and 172.16.53.53. That should work.

    If you want to access the WAN zone from your PI_Zone, then you need another firewall rule to allow that AND you need to MASQ that zone, because you are coming from a private IP network and accessing a public network.

    For access from the LAN zone you already have a firewall rule and don't need to MASQ there. Does your server at 172.16.53.53 have the correct gateway and subnet mask? Please check.

    The gateway has to be the interface IP of Port3, which is 172.16.53.1, as per the recommendation above.

    Philipp Rusch
    New Vision GmbH, Germany
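Added example, not code from this thread or from Sophos: a small Python check of the address plan discussed above, built on the standard library ipaddress module. It flags the exact mistake in this thread (the interface given the subnet's network address 172.16.53.0 instead of a host address) and also runs the server-side checks asked for above: subnet mask matching the interface, default gateway equal to the Port3 address, and a DHCP scope that stays inside the subnet and does not include the interface address. The interface, server and gateway values are the ones from the thread; the DHCP range is constructed for the demo.

```python
import ipaddress


def check_address_plan(interface_cidr, server_ip, server_prefixlen, server_gateway, dhcp_range=None):
    """Validate an interface/zone address plan. Returns a list of findings; empty means OK.

    interface_cidr   : firewall interface address with prefix, e.g. "172.16.53.1/24"
    server_ip        : address of the host in that zone, e.g. "172.16.53.53"
    server_prefixlen : prefix length configured on the server (its subnet mask)
    server_gateway   : default gateway configured on the server
    dhcp_range       : optional (first, last) addresses of the DHCP scope on that interface
    """
    findings = []
    iface = ipaddress.ip_interface(interface_cidr)
    net = iface.network

    # 1. The firewall's own interface address must be a host address inside the
    #    subnet, never the network address (.0 in a /24) or the broadcast address.
    if iface.ip in (net.network_address, net.broadcast_address):
        findings.append(
            f"interface address {iface.ip} is the network or broadcast address of {net}; "
            f"use a host address such as {net.network_address + 1}"
        )

    # 2. The server must be in the same subnet *with the same mask* as the interface.
    srv = ipaddress.ip_interface(f"{server_ip}/{server_prefixlen}")
    if srv.network != net:
        findings.append(
            f"server {srv} is not in the interface subnet {net}; check its subnet mask"
        )
    elif srv.ip == iface.ip:
        findings.append(f"server address {srv.ip} collides with the interface address")

    # 3. The server's default gateway must be the interface address of that zone.
    gw = ipaddress.ip_address(server_gateway)
    if gw != iface.ip:
        findings.append(
            f"server gateway {gw} is not the interface address {iface.ip}"
        )

    # 4. A DHCP scope on the interface must lie inside the subnet and must not
    #    hand out the interface address itself.
    if dhcp_range is not None:
        lo, hi = (ipaddress.ip_address(a) for a in dhcp_range)
        if lo not in net or hi not in net or lo > hi:
            findings.append(f"DHCP range {lo}-{hi} is not a valid range inside {net}")
        elif lo <= iface.ip <= hi:
            findings.append(f"DHCP range {lo}-{hi} contains the interface address {iface.ip}")

    return findings


if __name__ == "__main__":
    # Before: interface set to the network address, as in the original post.
    print("broken :", check_address_plan("172.16.53.0/24", "172.16.53.53", 24, "172.16.53.0"))
    # After: Port3 = 172.16.53.1/24, server .53/24 with gateway .1, DHCP scope constructed.
    print("fixed  :", check_address_plan("172.16.53.1/24", "172.16.53.53", 24, "172.16.53.1",
                                         ("172.16.53.50", "172.16.53.100")))
    # Server with a wrong mask (/16) even though the interface is now correct.
    print("badmask:", check_address_plan("172.16.53.1/24", "172.16.53.53", 16, "172.16.53.1"))
```

Run it against the values from the server's own configuration (`ip -4 addr` and `ip route` on a Linux host) rather than from memory; a mask or gateway mismatch on the server side produces exactly the symptom in this thread, with the policy tester passing and real traffic failing.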


  • Thank you for your reply. After your comment, I changed the interface IP to 172.16.53.1. It started working after this change and after recreating the DHCP server. The gateway is 172.16.53.1 (by default).

    I didn't specifically MASQ it, but set up the following NAT policy and firewall rules. So far I have not encountered any problems. Should I expect some? Is it bad practice to cover it with the default #NAT_default_network_policy?

    NAT policy (#NAT_default_network_policy):

    Original source: Any host
    Original service: Any service
    Original destination: Any host
    Translated source: MASQ
    Translated service: Original
    Translated destination: Original
    Inbound interface: Any interface
    Outbound interface: Any interface

    PI_ZONE_TO_WAN firewall rule:

    Source & schedule: PI_Zone
    Source networks and devices: Any
    During scheduled time: All the time

    Destination and services: WAN
    Destination networks: Any
    Services: DNS, HTTP, HTTPS, 5353

    and LAN_TO_PI firewall rule:

    Source & schedule: LAN
    Source networks and devices: MAC List
    During scheduled time: All the time

    Destination and services: PI_Zone
    Destination networks: Any
    Services: HTTP, HTTPS, PING, SSH, 8888

    It only serves internally as a server with some monitoring pages and will act as a DNS server for the whole network. It won't be accessible from the WAN.



    [edited by: Hermann at 6:05 PM (GMT -7) on 16 Mar 2022]
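Added example, not from this thread or from Sophos: a simplified first-match model, in Python, of the rule set posted above, to see what each flow looks like from the server's side. Port3 = 172.16.53.1 is from the thread; the LAN and WAN interface addresses, the contents of the MAC list, and the sample flows are constructed for the demo. What the model shows: because the posted NAT rule matches any inbound and any outbound interface, it masquerades LAN-to-PI_Zone traffic as well, so the server sees 172.16.53.1 as the source of every connection from the LAN rather than the workstation's address. A second rule set (an assumption, not from the thread) restricts MASQ to the WAN interface, which is in line with the advice above that only traffic toward the WAN needs MASQ.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src_zone: str
    src_ip: str
    src_mac: str
    dst_zone: str
    dst_ip: str
    service: str


# Zone -> (interface, interface address). Port3 is from the thread; the LAN and
# WAN values are assumptions (RFC 1918 / documentation ranges) for the demo.
ZONE_IFACE = {
    "LAN": ("Port2", "192.168.1.1"),
    "PI_Zone": ("Port3", "172.16.53.1"),
    "WAN": ("Port1", "203.0.113.10"),
}

# The "MAC List" object is not shown in the thread; this is a constructed placeholder.
LAN_WORKSTATION_MACS = {"aa:bb:cc:dd:ee:01"}

# Firewall rules as posted. None means "Any". First match wins, default deny.
FIREWALL_RULES = [
    {"name": "LAN_TO_PI", "src_zone": "LAN", "dst_zone": "PI_Zone",
     "src_macs": LAN_WORKSTATION_MACS,
     "services": {"HTTP", "HTTPS", "PING", "SSH", "8888"}},
    {"name": "PI_ZONE_TO_WAN", "src_zone": "PI_Zone", "dst_zone": "WAN",
     "src_macs": None,
     "services": {"DNS", "HTTP", "HTTPS", "5353"}},
]

# NAT rule as posted: any service, any inbound and any outbound interface, MASQ.
POSTED_NAT_RULES = [
    {"name": "#NAT_default_network_policy", "in_iface": None, "out_iface": None,
     "services": None, "translated_src": "MASQ"},
]

# Tighter alternative (assumption, not from the thread): masquerade only what
# leaves through the WAN interface, so inter-zone traffic keeps its real source.
WAN_ONLY_NAT_RULES = [
    {"name": "SNAT_to_WAN", "in_iface": None, "out_iface": "Port1",
     "services": None, "translated_src": "MASQ"},
]


def match_firewall(flow: Flow) -> Optional[str]:
    """Return the name of the first matching firewall rule, or None (implicit drop)."""
    for rule in FIREWALL_RULES:
        if (rule["src_zone"], rule["dst_zone"]) != (flow.src_zone, flow.dst_zone):
            continue
        if rule["src_macs"] is not None and flow.src_mac not in rule["src_macs"]:
            continue
        if rule["services"] is not None and flow.service not in rule["services"]:
            continue
        return rule["name"]
    return None


def match_nat(flow: Flow, nat_rules) -> tuple:
    """Return (matching NAT rule name or None, source address the destination will see)."""
    in_iface = ZONE_IFACE[flow.src_zone][0]
    out_iface, out_ip = ZONE_IFACE[flow.dst_zone]
    for rule in nat_rules:
        if rule["in_iface"] not in (None, in_iface):
            continue
        if rule["out_iface"] not in (None, out_iface):
            continue
        if rule["services"] is not None and flow.service not in rule["services"]:
            continue
        if rule["translated_src"] == "MASQ":
            # MASQ rewrites the source to the address of the egress interface.
            return rule["name"], out_ip
        return rule["name"], flow.src_ip
    return None, flow.src_ip


def evaluate(flow: Flow, nat_rules=POSTED_NAT_RULES) -> dict:
    """Firewall decision first; SNAT only applies to accepted flows."""
    fw_rule = match_firewall(flow)
    if fw_rule is None:
        return {"action": "DROP", "fw_rule": None, "nat_rule": None, "src_seen_by_dst": None}
    nat_rule, src = match_nat(flow, nat_rules)
    return {"action": "ACCEPT", "fw_rule": fw_rule, "nat_rule": nat_rule, "src_seen_by_dst": src}


if __name__ == "__main__":
    # Constructed sample flows: workstation -> server SSH, server -> WAN DNS,
    # an unlisted MAC, and an inbound attempt from the WAN.
    flows = [
        Flow("LAN", "192.168.1.20", "aa:bb:cc:dd:ee:01", "PI_Zone", "172.16.53.53", "SSH"),
        Flow("PI_Zone", "172.16.53.53", "b8:27:eb:00:00:01", "WAN", "1.1.1.1", "DNS"),
        Flow("LAN", "192.168.1.21", "aa:bb:cc:dd:ee:99", "PI_Zone", "172.16.53.53", "SSH"),
        Flow("WAN", "198.51.100.7", "00:00:00:00:00:00", "PI_Zone", "172.16.53.53", "HTTP"),
    ]
    for f in flows:
        for label, rules in (("posted NAT  ", POSTED_NAT_RULES), ("WAN-only NAT", WAN_ONLY_NAT_RULES)):
            print(label, f"{f.src_zone}->{f.dst_zone} {f.service}:", evaluate(f, rules))
```

This is a model of the rule semantics, not the firewall's own matching engine; confirm on the device with the policy tester and on the server itself (the source address recorded by sshd, or `last`) which address actually arrives. If it is the Port3 address, per-host allow lists and logs on the server cannot distinguish workstations, and narrowing the MASQ rule's outbound interface to the WAN port is the usual fix.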
  • Hello,

    This looks OK to me now.

    Philipp Rusch
    New Vision GmbH, Germany
