
Sophos XG, FritzBox, ESXi, SIP and VLAN configuration

Hello forum,

I'm close to despair because I simply can't get my desired setup to work.

Basically, my IP door intercom (Mobotix T25) is supposed to call my FritzFon via SIP through my FritzBox when someone rings the doorbell.

The setup is as follows:

1 physical server running VMware ESXi.

On it, Sophos XG as a VM with 3 vNICs:

1. vNIC: WAN, dial-up via an Allnet VDSL modem and PPPoE to the internet

2. vNIC: LAN, 192.168.177.1 / 255.255.255.0, port group with VLAN ID 0 in ESXi

3. vNIC: LAN, 192.168.178.1 / 255.255.255.0, port group with VLAN ID 5 in ESXi

An HP 2530 (Layer 2) serves as the switch. The port to the door station is untagged with VLAN ID 5; the port to the server is untagged with ID 1 and tagged with ID 5.

All PCs and hardware are in the 192.168.177.0 network; only the door station (192.168.178.10) is supposed to sit in the 192.168.178.0 network with VLAN ID 5. With the VLAN I hope to better prevent someone from forcibly removing the door station, plugging their notebook into the dangling network cable and getting into my network...

A FritzBox (192.168.177.5) uses the XG's internet connection as a client and serves as the VoIP station. The door station is supposed to connect to this FritzBox via SIP.

To connect the two networks I added two static routes in the XG:

Destination IP 192.168.177.0 / 255.255.255.0

Gateway -

Interface 192.168.177.1

Destination IP 192.168.178.0 / 255.255.255.0

Gateway -

Interface 192.168.178.1

I also created a firewall rule:

Source LAN, 192.168.177.5 and 192.168.178.10

Destination LAN, 192.168.177.5 and 192.168.178.10, any services

all other options are disabled

In the door station the static route is configured: 192.168.177.0 / 255.255.255.0, gateway 192.168.178.1

In the FritzBox the static route is configured: 192.168.178.0 / 255.255.255.0, gateway 192.168.177.1

With this configuration I can access the door station (web interface) from my PC (192.168.177.99). From there you can also have the camera ping any IP or query the DNS server (192.168.177.30), for example. Everything works fine. However, the door station cannot connect to the FritzBox as a SIP client. In the door station's log I get the following error: Registration of user 620 on sip:192.168.177.5:5060 failed: 404 Not Found

It's not the FritzBox credentials. As a test I gave the door station the IP 192.168.177.4 and took it out of VLAN 5, i.e. put it in the same network as the FritzBox. Then everything worked as intended.

Where have I overlooked something, what have I forgotten? Does the separate VLAN for the door station make sense at all, or could it be solved differently/better?

Do you have any other hints for me?

Many thanks and best regards,

Tobi



  • Hello together,

     

    thank you for your fast replies!

     

    I try to explain my problem in English. I want to integrate my new IP-based doorbell (Mobotix T25) into my network. If someone rings the door, the T25 calls my phone via SIP and FritzBox. For security reasons I'd like to separate the T25 from my LAN with a VLAN.

     

    1 physical server running VMware ESXi

    Sophos XG (VM) with 3 vNICs/Portgroups:

    1. WAN, connected to Allnet VDSL modem and PPPoE to Internet

    2. LAN, 192.168.177.1 / 255.255.255.0, portgroup with VLAN ID 0 in ESXi

    3. LAN, 192.168.178.1 / 255.255.255.0, portgroup with VLAN ID 5 in ESXi

    Windows Server (VM) with AD DC, DNS, DHCP. 192.168.177.30

     

    HP 2530 Layer-2 switch 192.168.177.10

    port connected to server is untagged with VLAN 1 and tagged with VLAN 5

    port connected to Doorbell is untagged with VLAN 5

    port connected to my PC is untagged with VLAN 1

     

    FritzBox 7330 SL (SIP/VOIP) 192.168.177.5

     

    Mobotix T25 Doorbell 192.168.178.10

     

    My Computer 192.168.177.99

     

    To connect both subnets 192.168.177.0 and 192.168.178.0 I created 2 static routes within Sophos XG:

    1. Destination IP 192.168.177.0 / 255.255.255.0
      Gateway -
      Interface 192.168.177.1
    2. Destination IP 192.168.178.0 / 255.255.255.0
      Gateway -
      Interface 192.168.178.1

     

    Furthermore I created a Firewall Rule:

    Source LAN, 192.168.177.5 and 192.168.178.10

    Destination LAN, 192.168.177.5 and 192.168.178.10, any Services

    all other options are deactivated.

     

    In the T25 webinterface I also created a static route: 192.168.177.0 / 255.255.255.0, Gateway 192.168.178.1

    And in the FritzBox the static route: 192.168.178.0 / 255.255.255.0, Gateway 192.168.177.1

     

    The situation:

    With my computer I can log in to the T25 web interface and within the web interface I am able to ping several IPs in the 192.168.177.0 subnet or to reach the DNS server. But in the reverse direction the T25 is not able to establish a VoIP call with my FritzBox. In the T25 log: Registration of user 620 on sip:192.168.177.5:5060 failed: 404 Not Found

    I experimentally switched the T25 IP to 192.168.177.4 (and deleted the routes) - everything works perfect.

     

    Do you have a clue what I could have set up wrong?

    @Olli: No, there is no Traffic Shaping Policy for VOIP in my config.

     

    Thank you for your help!

    Tobi

     

  • Tobi,

    There are some modifications that I suggest:

    • use one port on XG where you create 2 additional VLANs, 10 and 5
    • On the HP switch, edit the port that connects to XG from untagged to tagged with VLAN 1, 10 and 5 (VLAN 1 cannot be removed from the physical interface at the moment)
    • Move your FritzBox and your computer to VLAN 10
    • Create the needed firewall rule to allow traffic
    • remove the static routing created on XG

    In this way the XG will act as a router on a stick and you can control all the VLAN communication from XG.
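To make the L2 side of both designs concrete (Tobi's switch layout above and lferrara's tagged XG port), here is an added example that is not from the thread or from Sophos/HP: a minimal model of 802.1Q port membership on the HP 2530. Port names and port numbers are constructed placeholders; the point it shows is that a frame arriving on the door station port can only leave towards the XG with tag 5, never towards the PC or FritzBox ports, so anyone plugging into the door cable lands in VLAN 5 and is subject to XG firewall rules.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Port:
    name: str
    untagged: Optional[int]                    # PVID: VLAN given to frames that arrive untagged
    tagged: set = field(default_factory=set)   # VLANs this port carries with an 802.1Q tag

    def member_of(self, vlan: int) -> bool:
        return vlan == self.untagged or vlan in self.tagged

def forward(ports: dict, ingress: str, vlan_tag: Optional[int] = None) -> dict:
    """Return {port_name: egress_tag} for one frame entering `ingress`.
    vlan_tag=None means the frame arrived untagged and joins the port's PVID.
    An egress value of None means the frame leaves that port untagged."""
    src = ports[ingress]
    if vlan_tag is None:
        vlan = src.untagged
        if vlan is None:
            return {}          # tagged-only port: untagged frames are dropped
    elif vlan_tag in src.tagged:
        vlan = vlan_tag
    else:
        return {}              # tagged frame for a VLAN the port does not carry: dropped
    out = {}
    for p in ports.values():
        if p.name == ingress or not p.member_of(vlan):
            continue
        out[p.name] = vlan if vlan in p.tagged else None
    return out

# Switch as Tobi described it (constructed port names; server port = ESXi/XG uplink)
ORIGINAL = {
    "server": Port("server", untagged=1, tagged={5}),
    "door":   Port("door",   untagged=5),          # Mobotix T25
    "pc":     Port("pc",     untagged=1),          # PC and FritzBox side
}
# lferrara's router-on-a-stick proposal: XG port tagged 1, 10 and 5, hosts in VLAN 10
PROPOSED = {
    "xg":    Port("xg",    untagged=None, tagged={1, 5, 10}),
    "door":  Port("door",  untagged=5),
    "pc":    Port("pc",    untagged=10),
    "fritz": Port("fritz", untagged=10),
}

if __name__ == "__main__":
    print(forward(ORIGINAL, "door"))   # {'server': 5}: only the XG uplink, tagged 5
    print(forward(PROPOSED, "door"))   # {'xg': 5}
    print(forward(PROPOSED, "pc"))     # {'xg': 10, 'fritz': None}
```

In both layouts the door station's frames reach the firewall and nothing else, which is why the inter-VLAN policy lives entirely in XG's firewall rules rather than on the switch.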

  • lferrara said:

    Tobi,

    There are some modifications that I suggest:

    • use one port on XG where you create 2 additional VLANs, 10 and 5
    • On the HP switch, edit the port that connects to XG from untagged to tagged with VLAN 1, 10 and 5 (VLAN 1 cannot be removed from the physical interface at the moment)
    • Move your FritzBox and your computer to VLAN 10
    • Create the needed firewall rule to allow traffic
    • remove the static routing created on XG

    In this way the XG will act as a router on a stick and you can control all the VLAN communication from XG.

     

     

    Hi Luk,

    thank you for your help. It took the whole day to set it up... but it still doesn't work.

    After removing the static routes in XG, VLAN 5 and 10 can't speak to each other. With the static routes I can manage the doorbell, but it can't call my phone. Same error in the log as before.

    Do you have another hint?

    What firewall rule shall I create? Now I have LAN <-> LAN and any services allowed.

     

    Best regards,

    Tobi

  • Tobi,

    LAN to LAN is required if you did not create another zone. Send me a PM and I will have a look at your config.

    Regards

  • Hi Tobi,

    not sure if this helps in your scenario, but somehow this sounds like a problem we had some time ago with LAN <> LAN traffic. It turned out to be a problem with asymmetric routing. After adding bypass rules in the advanced firewall (as suggested by Support) for both subnets (see https://kb.cyberoam.com/print.asp?id=2017 Step 3) the connections could be established.

    Andreas