SOPHOS XG Home Inter LAN Traffic

Question

So, still in the middle of migrating from UTM9 to XG and experiencing growing pains. Totally retooling my network and I am having trouble understanding a problem that I have run up against. I have a managed switch that I have my wireless VLANs on (ports 1 and 2). I also have an NVR connected to the same switch on port 3. Ports 1-4,8 all have the PVID of 20. On XG, I have assigned a static IP to the NVR and after rebooting, the NVR receives that IP address and it is properly assigned for the 20 VLAN, so I know that it is talking to the XG. If I plug my laptop into port 4, I also get a proper IP address on the 20 VLAN, but I am not able to 'see' the NVR. Ping returns 'host unreachable' or similar and all packets fail. 
 I guess my question is - does the traffic from my laptop go all the way back to the XG or does the switch send it straight to the NVR? I am not a network pro or anything but as I understand it, the traffic should not go back to the XG. Can someone educate me? I have been wrestling with it for hours and I would appreciate it if someone could set me on the right path so that any more time that I spend is not wasted. Also, I don't see any dropped traffic in the XG logs. 
 Here is my network map: 
 
 Thanks in advance for any assistance.

rfcat_vk · Answer

Hi, 
 if you are receiving an IP address when you plug your laptop into port 4 you do not have your VLANs setup correctly. The switch connection to the XG should be on a tagged port all other devices should be on untagged ports. 
 Ian

Prism · Answer

Don Fisher1 said: I guess my question is - does the traffic from my laptop go all the way back to the XG or does the switch send it straight to the NVR? 
 When two devices or more are on the same VLAN, the Switch will manage the traffic between them and It won't reach the Firewall. 
 But when they are on different VLAN's, the traffic will be sent to the Firewall - If you don't have a matching Firewall Rule that allows traffic between those internal networks the traffic will be dropped. 
 Be aware, depending on how the AP is programmed, when two devices that are on the same SSID/VLAN are connected through the same AP, the AP itself will route the traffic between them - when this happens neither the Firewall nor the Switch will see (route) the traffic. 
 PS; I've already used the same switch before. (And your VLAN's setup looks weird, you should look at tp-link websites for more examples.)

Don Fisher1 · Answer

Ok, I figured it out. I had a couple of things going on that I did not fully understand and accidentally fixing one led me to fixing the other. Non-VLAN aware traffic that is going to traverse a VLAN has to travel over ports that are untagged. I 'knew' that based on the research I had done regarding the switch and VLANs in general, but making changes to that setting did not make any difference, so I questioned its veracity. 
 The second part is that I had Client Isolation set up on the VLAN on the APs. I misunderstood this feature to mean that the VLANs were separate from each other, but that is the nature of a VLAN in the first place. Once I turned that off, the members of the same VLAN (both VLAN-aware and non VLAN-aware clients) were able to communicate. 
 After fixing that, I went back to the VLAN settings on the switch and changed the incorrectly tagged ports to untagged and then everyone was happy. 
 I am now seeing weird denied traffic in the logs and I have to start digging around in the rules and policies to figure that part out. 
 Thanks to Prism and rfcat_vk for commenting. You helped bump me in the right direction.

SOPHOS XG Home Inter LAN Traffic

Top Replies

Submitted a Tech Support Case lately from the Support Portal?