VLAN Traffic Issues

Question

Hello, 
 I have XG Home setup on a server connected to a Cisco switch that has several VLANs configured. Everything works great, I've created the VLANs within Sophos as sub-interfaces on Port1 as follows: 
 Port 1: 172.30.1.1 Port 1.10: 172.30.10.1 Port 1.20: 172.30.20.1 Port 1.30: 172.30.30.1 
 And so on. 
 My switch is 172.30.1.10 and from the CLI of the firewall I can SSH to the switch but I can't from my workstation on VLAN 20 (Port 1.20). I figured I would start with the basics and setup rules to allow me to ping to get a feel for how it all worked.... this is where I'm having an issue. The following rule works without any issues (as expected): 
 Accept "ICMP" and " ICMPv6" services going to "LAN" zone, when in "LAN" zone, and coming from any network 
 When I try and restrict the source to VLAN 20 no traffic goes through at all - this is the rule: 
 Accept "ICMP" and " ICMPv6" services going to "LAN" zone, when in "LAN" zone, and coming from "#Port1.20" network 
 To me that reads anything on the network should be pingable from VLAN 20 but it's not. As soon as I re-enable the first rule though pings works fine. I suspect I'm missing something basic here. Any help would be appreciated.

BrianCarp · Accepted Answer

I find specifying sources and destinations by port designations to be a bit confusing. If you want to do it "correctly", why not set the rules to restrict by network instead? In other words, create proper Host IP objects (in Objects > Hosts and Services) for 172.30.1.0 and 172.30.20.0, and then maybe one rule: 
 
Source: LAN // Networks: 172.30.1.0/24, 172.30.20.0/24 
Destination: LAN // Networks: 172.30.1.0/24, 172.30.20.0/24 
What: Any Service 
Action: Accept

WayneBoyles · Answer

Brian - that worked perfectly. I didn't think about created IP Host objects! Thanks for the help, it's much appreciated.

VLAN Traffic Issues

Submitted a Tech Support Case lately from the Support Portal?