
VLAN Traffic Issues

Hello,

I have XG Home set up on a server connected to a Cisco switch that has several VLANs configured. Everything works great. I've created the VLANs within Sophos as sub-interfaces on Port1 as follows:

Port 1: 172.30.1.1
Port 1.10: 172.30.10.1
Port 1.20: 172.30.20.1
Port 1.30: 172.30.30.1

And so on.

My switch is 172.30.1.10 and from the CLI of the firewall I can SSH to the switch, but I can't from my workstation on VLAN 20 (Port 1.20). I figured I would start with the basics and set up rules to allow me to ping, to get a feel for how it all worked... this is where I'm having an issue. The following rule works without any issues (as expected):

Accept "ICMP" and " ICMPv6" services going to "LAN" zone, when in "LAN" zone, and coming from any network

When I try to restrict the source to VLAN 20, no traffic goes through at all. This is the rule:

Accept "ICMP" and " ICMPv6" services going to "LAN" zone, when in "LAN" zone, and coming from "#Port1.20" network

To me that reads as "anything on the network should be pingable from VLAN 20", but it's not. As soon as I re-enable the first rule, though, pings work fine. I suspect I'm missing something basic here. Any help would be appreciated.

  • Might you also need a policy for the packets to travel back from your switch to your workstation (that is, packets coming from #Port1)? That might explain why universal LAN-to-LAN works, but not if you restrict the source to #Port1.20.
  • Brian,

    Thanks for your reply. I have tried that and unfortunately that still isn't working. I may be going about this the wrong way, I'm not sure, but I'm having lots of little problems with this release. Anyway, the two test rules I created (and turned off the global one that works) are:

    Rule Temp
    Source: LAN #Port1.20
    Destination: LAN Any Host
    What: Any Service (not restricting for the test)
    Action: Accept

    Rule Temp 2
    Source: LAN #Port1
    Destination: LAN #Port1:20
    What: Any Service
    Action: Accept

    This results in the same as before, with no traffic flowing or even hitting the rules as far as I can tell. I wish Live Logs were implemented; I do miss that from UTM 9!

    Maybe I'm overthinking things. As long as I'm secure from the outside in, internal communication isn't really an issue if everything can talk to each other; I just wanted to try and set it up 'correctly' and only allow certain parts to communicate.

    Thanks,

    Wayne.
  • I find specifying sources and destinations by port designations to be a bit confusing. If you want to do it "correctly", why not set the rules to restrict by network instead? In other words, create proper Host IP objects (in Objects > Hosts and Services) for 172.30.1.0 and 172.30.20.0, and then maybe one rule:

    Source: LAN // Networks: 172.30.1.0/24, 172.30.20.0/24
    Destination: LAN // Networks: 172.30.1.0/24, 172.30.20.0/24
    What: Any Service
    Action: Accept
  • Brian - that worked perfectly. I didn't think about creating IP Host objects! Thanks for the help, it's much appreciated.
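To make the accepted answer concrete, here is an added example (not code from the thread, and not Sophos's rule engine) that models a first-match, default-deny rule base over the interface table from the original post and evaluates the single network-based rule Brian suggested against a few constructed flows. The interface-to-zone mapping, the service names and the sample addresses (switch 172.30.1.10, a workstation on VLAN 20, a host on VLAN 30) are assumptions for the demonstration; the model is stateless and checks each direction on its own, which is exactly where listing both networks as source and destination matters. Interface-based objects such as "#Port1.20" are deliberately not modelled.

```python
"""Toy first-match firewall rule evaluator (constructed example, not Sophos code)."""
import ipaddress
from dataclasses import dataclass

# Interface table taken from the original post; assumption: every sub-interface is in the LAN zone.
INTERFACES = {
    "Port1":    (ipaddress.ip_network("172.30.1.0/24"),  "LAN"),
    "Port1.10": (ipaddress.ip_network("172.30.10.0/24"), "LAN"),
    "Port1.20": (ipaddress.ip_network("172.30.20.0/24"), "LAN"),
    "Port1.30": (ipaddress.ip_network("172.30.30.0/24"), "LAN"),
}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src_nets: tuple        # ip_network objects; an empty tuple means "any network"
    dst_nets: tuple
    services: frozenset    # frozenset({"any"}) or service names such as "ICMP", "SSH"
    action: str            # "accept" or "drop"


def zone_of(ip):
    """Return the zone of the interface whose network contains ip, or None if unknown."""
    ip = ipaddress.ip_address(ip)
    for net, zone in INTERFACES.values():
        if ip in net:
            return zone
    return None


def _net_match(nets, ip):
    """Empty network list matches anything (the 'Any Host' case)."""
    return not nets or any(ip in n for n in nets)


def rule_matches(rule, src_ip, dst_ip, service):
    """Zone, source network, destination network and service must all match."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return (rule.src_zone == zone_of(src_ip)
            and rule.dst_zone == zone_of(dst_ip)
            and _net_match(rule.src_nets, src_ip)
            and _net_match(rule.dst_nets, dst_ip)
            and ("any" in rule.services or service in rule.services))


def evaluate(rules, src_ip, dst_ip, service):
    """First matching rule wins; with no match the packet is dropped (default deny)."""
    for rule in rules:
        if rule_matches(rule, src_ip, dst_ip, service):
            return rule.action, rule.name
    return "drop", "default"


# The rule from the accepted answer: both networks listed as source AND destination,
# so traffic is matched in either direction between the management network and VLAN 20.
ALLOWED = (ipaddress.ip_network("172.30.1.0/24"), ipaddress.ip_network("172.30.20.0/24"))
MGMT_RULE = Rule("Mgmt <-> VLAN20", "LAN", "LAN", ALLOWED, ALLOWED, frozenset({"any"}), "accept")
POLICY = (MGMT_RULE,)

if __name__ == "__main__":
    # Constructed flows: switch at 172.30.1.10, workstation on VLAN 20, a host on VLAN 30.
    for src, dst, svc in [("172.30.20.50", "172.30.1.10", "SSH"),
                          ("172.30.1.10", "172.30.20.50", "ICMP"),
                          ("172.30.30.5", "172.30.1.10", "ICMP"),
                          ("172.30.20.50", "172.30.30.5", "ICMP")]:
        print(f"{src:>14} -> {dst:<14} {svc:<5}: {evaluate(POLICY, src, dst, svc)}")
```

Running the block shows the VLAN 20 workstation and the switch matched in both directions, while VLAN 30 hits no rule and falls to the default drop; adding a second Rule with a different network pair is how you would open up only the other "certain parts" that should talk to each other.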