XG Firewall - How to add and specific firewall rule for an specific dhcp range?

Question

Hi, im new with Sophos XG Firewall, mine is working greate, Im using a DHCP relay, so im getting my ips from my router (modem <--> router <--> sophos xg firewall <--> switch), and i have a default rule where im blocking proxies and apps that can make a tunel, but, in my router i have groups, like 192.168.110.10-20 = open social networks (given by mac reserve), but 192.168.111.1-254 = dhcp without youtube and social networks. I know (i think) how to make an app rule (I go to Applications/Application Filter i choose Add, then i clic on what i want to deny, and i have to set the "Action" Allow or Deny, i think in my case is "Deny"), but the part i have the question is, when im trying to add the second firewall rule, i dont know where i have to put my "DHCP Group", by the way, i just did the ip grup (Host and Services click on Add, set an Ip Range, input the information, click on Save. Host and Services, click on Ip Host Group at the top, and i just select the ip hos range)

Can anybody help me please? thanks.

When i add a new rule, i dont know where to make the referece for my ip range, the one i want to block :S

Thanks

This thread was automatically locked due to age.

Billybob · Accepted Answer

Hi Mike, there are a few things to keep in mind 
 1. Since you are only allowing a certain IP range in a rule, ONLY THOSE IPs will be allowed through that rule so the order of the rule would not be as important. Pay attention to your web filtering policy, that is where you are actually denying the traffic. 
 2. The firewall denies everything by default so you don't have to create a rule to deny traffic and then another one to allow traffic. 
 3. XG has built in layer 8 capability which means you can actually write rules for people instead of their IPs. If you using XG at home, look into client less authentication. 
 
 I suggest you download some of the guides http://docs.sophos.com/nsg/sophos-firewall/v16012/Help/en-us/webhelp/onlinehelp/index.html#page/onlinehelp%2FAppendixGGuides.html%23 and specially go through the web interface guide quickly for better firewall management. http://docs.sophos.com/nsg/sophos-firewall/v16012/PDF/Sophos%20XG%20Firewall%20Web%20Interface%20Reference%20Guide.zip 
 Good luck!

Billybob · Answer

The host range that you created under hosts and services > IP host can also be created directly within the firewall rule. 
 Create a new user/network firewall rule. Allow traffic as the screenshot below to customize your IP range 
 
 Turn off match known users and apply webfiltering policy. 
 
 I would try to control your content with webfilter first and use the default policy and deny not suitable for schools category. I usually get better results blocking or allowing categories through web filtering instead of application control. Customize the web filtering as needed as default school profile denies a lot more than just social networking.

Hope this helps.