XG (SFOS) v16 problems with routing

Hi!

I'm just setting up my first XG (SFOS v16) for a customer. I have just migrated all rules from a pfSense and everything has gone great (some minor problems).

The customer has a Cisco router located at their office that is tunneling to an external partner's network.

So this is the net layout.

XG IP: 192.168.0.254

Cisco router IP: 192.168.0.250

So I naturally created some IPv4 unicast routes in the firewall.

I entered the destination IPs with a /24 netmask, inserted the gateway address 192.168.0.250 and selected the LAN interface with distance 0.

Now when I go into Diagnostics / Route lookup and input the destination IP, it correctly presents the correct port and IP address of the router, 192.168.0.250.

But this doesn't work on the clients. What am I doing wrong?

  • Westin,

    Check the firewall logs to see whether traffic is allowed to that network.

    If you see invalid traffic, you are experiencing asymmetric routing. Let us know. Thanks

  • lferrara said:

    Westin,

    Check the firewall logs to see whether traffic is allowed to that network.

    If you see invalid traffic, you are experiencing asymmetric routing. Let us know. Thanks

    As far as I can see, when I trace it doesn't show the IP of the Cisco router; it just shows the firewall IP and then timeout.
    Do you mean in the log viewer? Because there I can't see anything blocked or allowed to that IP. Is there a generic firewall log that shows everything?

    Do I need firewall rules when routing from LAN to LAN?

  • Björn,

    Connect to the XG CLI and use the drop-packet-capture "remote ip" and see if there is some blocked traffic.

    Thanks

  • OK. I used the one in the web GUI and found this:

    Time                | In Interface | Out Interface | Ethernet Type | Source IP    | Destination IP | Packet Type | Ports[src,dst] | Rule ID | Status    | Reason
    --------------------|--------------|---------------|---------------|--------------|----------------|-------------|----------------|---------|-----------|---------
    2016-11-12 22:11:33 | PortE0       | PortE0        | IPv4          | 192.168.0.51 | xxx.164.6.220  | UDP         | 51637,53       | 0       | Violation | Firewall
    2016-11-12 22:11:33 | PortE0       |               | IPv4          | 192.168.0.51 | xxx.164.6.220  | UDP         | 51637,53       | 0       | Incoming  |
    2016-11-12 22:10:35 | PortE0       | PortE0        | IPv4          | 192.168.0.52 | xxx.164.6.220  | UDP         | 62913,53       | 0       | Violation | Firewall
    2016-11-12 22:10:35 | PortE0       |               | IPv4          | 192.168.0.52 | xxx.164.6.220  | UDP         | 62913,53       | 0       | Incoming  |
    2016-11-12 22:10:33 | PortE0       | PortE0        | IPv4          | 192.168.0.51 | xxx.164.6.220  | UDP         | 51056,53       | 0       | Violation | Firewall

    But what does that mean? Do I have to add a firewall rule to allow traffic to a static route? Or is it some kind of intrusion prevention that is misbehaving?

  • If the remote network is xxx.164.6.220, yes, you need to add a firewall rule to allow traffic.

    Regards,

  • OK. I added a rule containing all the IP addresses and everything seems to work now. At least the DNS query goes through now.

    It never occurred to me that you needed firewall rules for a LAN to LAN route.

    Thanks for your assistance :)

    Will do more precise tests on Monday and see that everything works.

  • Björn,

    This behavior improves security. In this way you can allow only certain protocols and have logs too.

    Thanks
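
As an added illustration (not from the thread, Sophos or the posters), the Python check below re-groups the flattened drop-packet-capture columns shown above into records and maps each static route destination to the protocol/port flows the firewall dropped with Rule ID 0, so the allow rule can be written as narrowly as the last reply recommends. The route list, the allowed-destination list and the 203.0.113.0/24 range are constructed placeholders standing in for the redacted values on the page.

```python
import ipaddress
from collections import Counter

# Column order of the XG drop-packet-capture table as posted in the thread.
FIELDS = ["time", "in_if", "out_if", "eth_type", "src_ip", "dst_ip",
          "proto", "ports", "rule_id", "status", "reason"]

# Constructed sample shaped like the capture above. The remote network is
# redacted on the page, so 203.0.113.0/24 (documentation range) stands in.
CAPTURE = [
    "2016-11-12 22:11:33", "PortE0", "PortE0", "IPv4", "192.168.0.51",
    "203.0.113.220", "UDP", "51637,53", "0", "Violation", "Firewall",
    "2016-11-12 22:11:33", "PortE0", "", "IPv4", "192.168.0.51",
    "203.0.113.220", "UDP", "51637,53", "0", "Incoming", "",
    "2016-11-12 22:10:35", "PortE0", "PortE0", "IPv4", "192.168.0.52",
    "203.0.113.220", "UDP", "62913,53", "0", "Violation", "Firewall",
]

# Hypothetical: the static route destinations the poster configured, and the
# destination networks already covered by an allow rule (none yet).
STATIC_ROUTES = ["203.0.113.0/24", "198.51.100.0/24"]
ALLOWED_DESTS = []

def parse_capture(cells):
    """Re-group the flattened 11-column capture into one dict per packet."""
    n = len(FIELDS)
    if len(cells) % n:
        raise ValueError("capture does not align to %d columns" % n)
    return [dict(zip(FIELDS, cells[i:i + n])) for i in range(0, len(cells), n)]

def routed_but_dropped(records, routes, allowed):
    """Map each static route to the (proto, dst port) flows the firewall drops."""
    nets = [ipaddress.ip_network(r) for r in routes]
    allowed_nets = [ipaddress.ip_network(a) for a in allowed]
    report = {}
    for rec in records:
        # Status Violation / Reason Firewall / Rule ID 0 is the default drop:
        # no rule matched, so the route alone did not let the traffic through.
        if (rec["status"], rec["reason"], rec["rule_id"]) != ("Violation", "Firewall", "0"):
            continue
        dst = ipaddress.ip_address(rec["dst_ip"])
        if any(dst in a for a in allowed_nets):
            continue  # an allow rule already covers this destination
        dport = rec["ports"].split(",")[1]
        for net in nets:
            if dst in net:
                report.setdefault(str(net), Counter())[(rec["proto"], dport)] += 1
    return report
```

Running it on the sample reports only 203.0.113.0/24 with two dropped UDP/53 flows, which is exactly the LAN-to-LAN DNS the thread ended up allowing.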
