
(XG) VLAN traffic showing up on unexpected interfaces

Hi all, 

User Kyle Sexson had this issue a while ago, too, but there’s no solution in his post - so… 

I have a set of VLANs running on a bridge interface. 
This works mostly well, but certain outgoing traffic will show up both on the bridge interface and the associated hardware port the traffic source is physically connected to.
This leads to a dropped server response because the router can’t associate it to the correct connection attempt.

E.g. log entries (two rows from the log viewer for the same connection, newest first):

2022-12-27 14:50:31  Invalid Traffic  Denied   N/A  0  in: Port3                    172.24.10.16:56111 -> 212.227.17.170:993  TCP  0  1001
                     Could not associate packet to any connection.
2022-12-27 14:50:22  Firewall Rule    Allowed  4    3  in: br0.10  out: Port4_ppp   172.24.10.16:56111 -> 212.227.17.170:993  TCP  1  1


My guess is that I’m having issues with a combination of VLAN on a bridge interface and activated “routing on bridge”. 
But the fact that only a certain (reproducible) part of traffic is affected makes me skeptical. The problem is for example triggered when trying to collect mail from GMX.net via IMAP/SSL (see log entry above) or by specific online banking apps. But other mail providers (also called via IMAP/SSL port 993) do work…

Detailed setup is as follows: 
XG106 running 18.5MR5 / Port 3 is connected to CBS350-10
XG106 Port 1-3 are bridged (br0, IP 192.168.2.222) with activated routing option. No DHCP. 
On the bridge, VLANs br0.10 / br0.20 / br0.30 / br0.40 are set up. IP ranges are 172.24.10 / 20 / 30 / 40 respectively, with DHCP on each.
CBS350-10 receives the four VLANs tagged from XG Port 3 and distributes them via untagged access ports (ge0 to ge3, one VLAN each).
Behind these ports are APX120 in bridge-to-LAN mode.
(The reason is that the APX are in relatively uncontrolled environments and I want to make sure that even if someone detaches an APX and tries to hook up his own stuff, he always ends up in the desired VLAN.)

Any input / thoughts very much appreciated! :) 
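As an added example (not part of the original post and not a Sophos tool), the following Python correlator shows how to check a log export systematically for the pattern described above: the same 5-tuple first logged as "Firewall Rule / Allowed" on a VLAN sub-interface (br0.10) and shortly afterwards as "Invalid Traffic" on a physical port (Port3) that is a member of the bridge carrying that VLAN. The tab-separated row layout is an assumption about an exported log, not the appliance's native format; the sample rows are constructed from the values quoted in the post, plus one made-up unaffected flow for contrast. The bridge membership (Port1-3 in br0) is taken from the setup description.

```python
"""Correlate firewall log-viewer rows and flag flows that were allowed on a
VLAN sub-interface and later logged as Invalid Traffic on a physical port.

Added example; not from the original post and not a Sophos tool. The row
layout (tab-separated: time, component, action, in-if, out-if, src, dst,
sport, dport, proto, message) is an assumption about an export, not the
appliance's native format.
"""
from collections import defaultdict

# Topology as described in the post: Port1-3 are members of bridge br0,
# and the VLANs are sub-interfaces br0.10/.20/.30/.40 of that bridge.
BRIDGE_MEMBERS = {"br0": {"Port1", "Port2", "Port3"}}

FIELDS = ("time", "component", "action", "in_if", "out_if",
          "src", "dst", "sport", "dport", "proto", "message")

# Constructed sample log (tab-separated, oldest first). The first two rows
# carry the values quoted in the post; the third is a made-up healthy flow.
SAMPLE_LOG = (
    "2022-12-27 14:50:22\tFirewall Rule\tAllowed\tbr0.10\tPort4_ppp\t"
    "172.24.10.16\t212.227.17.170\t56111\t993\tTCP\t\n"
    "2022-12-27 14:50:31\tInvalid Traffic\tDenied\tPort3\t\t"
    "172.24.10.16\t212.227.17.170\t56111\t993\tTCP\t"
    "Could not associate packet to any connection.\n"
    "2022-12-27 14:50:40\tFirewall Rule\tAllowed\tbr0.20\tPort4_ppp\t"
    "172.24.20.5\t198.51.100.7\t40112\t443\tTCP\t\n"
)


def parse_rows(text):
    """Split tab-separated rows into dicts keyed by FIELDS; reject malformed rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
        rows.append(dict(zip(FIELDS, parts)))
    return rows


def flow_key(row):
    """Same-direction 5-tuple; the denied packet in the post has the client as source."""
    return (row["src"], row["dst"], row["sport"], row["dport"], row["proto"])


def parent_bridge(ifname):
    """'br0.10' -> 'br0'; a plain port or bridge name maps to itself."""
    return ifname.split(".", 1)[0]


def find_leaks(rows):
    """Return one finding per Invalid Traffic row whose 5-tuple was earlier
    allowed on a different ingress interface. same_bridge is True when the
    invalid row's ingress port is a member of the bridge that carries the
    VLAN sub-interface the flow was originally allowed on."""
    by_flow = defaultdict(list)
    for r in rows:
        by_flow[flow_key(r)].append(r)

    findings = []
    for key, entries in by_flow.items():
        # ISO timestamps sort correctly as strings (same-day sample).
        entries.sort(key=lambda r: r["time"])
        allowed = [r for r in entries
                   if r["component"] == "Firewall Rule" and r["action"] == "Allowed"]
        invalid = [r for r in entries if r["component"] == "Invalid Traffic"]
        for inv in invalid:
            prior = [a for a in allowed
                     if a["time"] <= inv["time"] and a["in_if"] != inv["in_if"]]
            if not prior:
                continue
            a = prior[-1]  # most recent allow before the invalid packet
            members = BRIDGE_MEMBERS.get(parent_bridge(a["in_if"]), set())
            findings.append({
                "flow": key,
                "allowed_on": a["in_if"],
                "invalid_on": inv["in_if"],
                "same_bridge": inv["in_if"] in members,
                "message": inv["message"],
            })
    return findings


if __name__ == "__main__":
    for f in find_leaks(parse_rows(SAMPLE_LOG)):
        src, dst, sport, dport, proto = f["flow"]
        where = "member port of the same bridge" if f["same_bridge"] else "unrelated interface"
        print(f"{proto} {src}:{sport} -> {dst}:{dport}: allowed on {f['allowed_on']}, "
              f"then invalid on {f['invalid_on']} ({where}): {f['message']}")
```

Run against a real export, a non-empty result with same_bridge set is the signature of VLAN traffic arriving on the bridge member port instead of the VLAN sub-interface; flows that only ever appear on their sub-interface (the third sample row) produce nothing.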



  • If someone detaches an APX120 and connects a different company's device, it will not be seen by XG management, only as a connected device. Your setup appears to be overly complex for a small XG.

    Please identify the usage type: business or home?

    You can lock devices by using clientless users and static IP address assignments so any unauthorised devices will not get an IP address that is in a valid user group and therefore no internet access.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Hello Ian, 

    thanks for your reply - even if it’s not directly related to the routing error in question ;) 

    As for your question: 
    It’s a small business case, used in a holiday house with four apartments. 
    The appliance has to provide WAN access, four separated networks (privacy reasons) and some QoS for bandwidth distribution. No other tasks beyond that. 
    Both switch and firewall are in a locked tech room. Each apartment has its own APX for a few reasons (coverage being one).
    If someone decides to pull the APX and hook up his own device, I'm totally fine with him getting internet access, as long as he's forced into the defined VLAN.

    So - I wouldn’t say it’s really overly complex?


    But what’s really unnecessary is the bridge over hardware Port1-3.
    Unfortunately, I realized that quite late in my setup. Means I’d have to rework all VLANs and related rule sets to get rid of that piece of beginner misconfiguration…

  • Hi,

    thank you for the detailed answer. Using a bridge will allow traffic between segments, as you have found. You can still use VLANs, just without the bridge. Set up new VLANs on a spare interface and add them to your rule base, one rule per VLAN; after you are happy with the new configuration, move the cable to the new interface and disable the bridge VLANs one by one to ensure you still have connectivity via the APXs.

    Ian

    XG115W - v19.5.1 mr-1 - Home

  • That is actually normal. It is more likely an app issue. Check the app to see if there is a problem. Invalid traffic is not a problem in itself, just a symptom.

  • Not app specific.
    E.g.: Mail app on iOS fetching mail from four mailboxes via IMAP/port 993 - three work and keep their traffic on the VLAN interface, while the fourth shows the behavior described above.

  • Hi there, 

    so, I've removed the bridge and moved the VLANs to a spare port without IP.
    This part has worked out so far. 

    I'm still experiencing some odd behavior, as stated below.
    Added an "allow all" rule (source zone LAN, networks any, time any / destination WAN, network any, service any) with all security options disabled or set to "none" to make sure I'm not blocked by my own rules. Linked NAT is set to MASQ.
    Still, the connections behave as if there's HTTPS scanning going on, and certain sites don't like a man-in-the-middle (e.g. banking, IMAPS servers, iCloud and other Apple systems).

    Do I really have to set up exceptions for these, even though I've completely removed the security features on my test rule?

  • What about SSL/TLS inspection? Check the destination server via the log viewer and go to the detailed view.

  • I've had SSL inspection completely turned off on the rules and on the respective tab (under "Rules") for testing. Same results…

  • P.S.:
    I'll set up a new try tomorrow with the SSL engine completely disabled.

  • Hi,

    if I were setting this site up, I would have a separate firewall rule for each VLAN; that makes debugging issues like this one simpler. I would not use linked NAT unless you have multiple ISP/RSP connections.

    Ian

    XG115W - v19.5.1 mr-1 - Home