Adding another NIC totally breaks XG Firewall and all dependent rules

Hi. I have been running XG firewall with 2 NICs - LAN and WAN. I decided to add another for DMZ and it totally breaks the firewall. All NICs get reassigned. Port 1 LAN becomes DMZ, Port 2 WAN becomes LAN, and the newly added Port 2 becomes LAN instead of the unassigned DMZ. This is crazy. It wouldn't be so bad if it didn't break all of my rules that depend on Port 2 being WAN, which means when I reassign the new Port 3 to WAN the interface name changes and all business rules that depended on Port2_GW_DHCP get abandoned since this interface no longer exists.

Is this expected? Is there a simple way to rename ports and reassign them to their old name, role, and position? This seems like a major bug.



This thread was automatically locked due to age.
  • Is there a way to add a NIC as unassigned rather than it assigning itself to existing NIC assignments?
  • Has anyone run into this after adding a NIC to a system that is already configured?
  • So it looks like I am off in the weeds or no one has ever added another NIC after XG Firewall was set up. I am really hoping an update allows me to add another NIC without renaming the existing ones, and adds it in an "unassigned" state - that way I can choose what this NIC's role is. It looks like I am stuck, either without a DMZ or recreating all of my rules. Also, this seems to be the default behavior when restoring an XG Firewall to a slightly different hardware config, so I am assuming it's not just me.
  • Sorry that no one has suggested a solution for you. I had a similar experience just after I first installed Sophos XG in a VM under ESXi. I added a NIC after the initial configuration, and it re-ordered my already configured NICs. I had not yet added any rules, so it was not much of a problem. I just had to figure out which vnic had been reassigned to my XG LAN port, so that I could log back in.

    If I remember correctly, someone had mentioned in a post that the XG interfaces (Port1, Port2, etc.) are assigned to NICs in MAC Address order, so I changed the ESXi-generated MAC Address of the newly added NIC to fall at the end of the list of installed NICs. This allowed me to preserve the assignments of the Ports / NICs from my initial configuration and have the new NIC show up as the last interface in XG.

    Good Luck,

    Will

  • Thank you for this! I am running ESXi too. I will give this a shot. You made my day. Nice workaround.
  • It seems as though this strategy may work until you reach 5 NICs. When I add a Network Adapter from VMware, it seems to assign them in this order:

    1. /sys/devices/pci0000:00/0000:00:15.0
    2. /sys/devices/pci0000:00/0000:00:16.0
    3. /sys/devices/pci0000:00/0000:00:17.0
    4. /sys/devices/pci0000:00/0000:00:18.0
    5. /sys/devices/pci0000:00/0000:00:15.1

    However, the XG Firewall seems to use this order:

    1. /sys/devices/pci0000:00/0000:00:15.0
    2. /sys/devices/pci0000:00/0000:00:15.1
    3. /sys/devices/pci0000:00/0000:00:16.0
    4. /sys/devices/pci0000:00/0000:00:17.0
    5. /sys/devices/pci0000:00/0000:00:18.0

    I've even attempted to add Network Adapters one by one, stopping the VM between each addition. Nothing seems to work. Any ideas?
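An added example, not from any poster in this thread, that turns the two observations above into a check an admin can run before adding an adapter: it labels a NIC inventory Port1..PortN under the PCI-address ordering this post describes and under the MAC-address ordering Will described, and reports which existing labels would end up on a different device, which is what breaks rules bound to a label such as Port2. The inventory and the MAC addresses are constructed; the thread does not establish which ordering XG actually uses.

```python
import re
from typing import Callable, Dict, List, Tuple

Nic = Tuple[str, str]  # (sysfs PCI path, MAC address)

# Constructed sample matching the five-adapter layout described in the thread;
# the MAC addresses are hypothetical (the thread gives none) and increase in
# the order VMware created the adapters.
EXISTING: List[Nic] = [
    ("/sys/devices/pci0000:00/0000:00:15.0", "00:0c:29:aa:00:01"),
    ("/sys/devices/pci0000:00/0000:00:16.0", "00:0c:29:aa:00:02"),
    ("/sys/devices/pci0000:00/0000:00:17.0", "00:0c:29:aa:00:03"),
    ("/sys/devices/pci0000:00/0000:00:18.0", "00:0c:29:aa:00:04"),
]
# The fifth adapter is placed on function 1 of slot 15, as the poster observed.
NEW_NIC: Nic = ("/sys/devices/pci0000:00/0000:00:15.1", "00:0c:29:aa:00:05")


def pci_key(nic: Nic) -> Tuple[int, ...]:
    """Ordering by PCI address: (domain, bus, slot, function) parsed from the
    trailing DDDD:BB:SS.F of the sysfs path."""
    m = re.search(r"([0-9a-f]{4}):([0-9a-f]{2}):([0-9a-f]{2})\.([0-9a-f])$", nic[0])
    if not m:
        raise ValueError(f"not a PCI sysfs path: {nic[0]}")
    return tuple(int(x, 16) for x in m.groups())


def mac_key(nic: Nic) -> int:
    """Ordering by MAC address, the assumption behind the ESXi workaround."""
    return int(nic[1].replace(":", ""), 16)


def port_map(nics: List[Nic], key: Callable[[Nic], object]) -> Dict[str, str]:
    """Label the NICs Port1..PortN in the order the key yields."""
    return {f"Port{i}": nic[0] for i, nic in enumerate(sorted(nics, key=key), 1)}


def shifted_ports(before: List[Nic], after: List[Nic],
                  key: Callable[[Nic], object]) -> Dict[str, Tuple[str, str]]:
    """Existing labels whose device changes: {PortN: (old_path, new_path)}.
    Any label listed here that appears in a firewall rule will point at the
    wrong device after the adapter is added; brand-new labels are not reported."""
    old, new = port_map(before, key), port_map(after, key)
    return {p: (old[p], new[p]) for p in new if p in old and old[p] != new[p]}


if __name__ == "__main__":
    after = EXISTING + [NEW_NIC]
    for name, key in (("PCI address order", pci_key), ("MAC address order", mac_key)):
        moved = shifted_ports(EXISTING, after, key)
        print(f"{name}: {len(moved)} existing label(s) change -> {sorted(moved)}")
```

Under the PCI ordering the new adapter becomes Port2 and pushes Port2 through Port4 onto different devices, while under the MAC ordering with the highest MAC it simply becomes Port5.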

  • Hi, I am also having this problem. In addition, I am passing a whole NIC through and I can't change the PCI address order, so XG totally crashes when I am adding a vSwitch port via the ESX interface. Any ideas if it is possible to change the assigned NICs to the PortX like it is in UTM, via editing this file: /etc/udev/rules.d/70-persistent-net.rules ?

    I am really hoping there is a solution, because I have WAN and LAN on my passthrough PCI, and WLAN and DMZ I would like to add via two vSwitch ports.

  • Sadly the workaround didn't work for me. I too have 5 NICs on my ESXi host and creating a virtual NIC with a MAC address higher (or lower) than the connected ones did not work.
  • Any update on the issue?

    Is it possible to get someone from Sophos involved in this thread? Because if I can't fix this in my testing period it is impossible for me to deploy Sophos at my company.

  • Just a thought. Maybe it would be easier to make a backup, reconfigure hardware, do basic setup and restore configuration from the backup.