
Vlan rule look correct for any vlan to talk with any other and out to the Internet?

Hello,

I added several VLANs to interface A. I made a rule, and I am not sure if I have it formatted correctly. I do not have anything on the other VLANs yet, so I cannot test.

Under Firewall - Rule

1. rule name: Vlans

2. Source Zones - LAN VPN WIFI

3. Source Networks and Devices  - Any

4. During Scheduled Time - any

5. Destination Zones - LAN WAN

6. Destination Networks - Any

7.  Services - Any

8. Match Known Users -  Users or Groups - Any

9. Malware scan - HTTP & FTP

Advanced

Synchronized Security

both set to No Restriction

NAT & Routing - rewrite source address (Masquerading)

And for most things I always log traffic.

Any thoughts or changes I should set?

Chad



  • Your destination needs to have the 'lan' removed and your destination zone probably should be 'any'.

    If you desire some of your VPN users to access local devices you need another rule.

  • Thank you for the advice and update; below are the rule settings I have now:

    Under Firewall - Rule

    1. rule name: Vlans

    2. Source Zones - LAN VPN WIFI

    3. Source Networks and Devices - Any

    4. During Scheduled Time - any

    5. Destination Zones - Any

    6. Destination Networks - Any

    7. Services - Any

    8. Match Known Users - Users or Groups - Any

    9. Malware scan - HTTP & FTP

    Advanced

    Synchronized Security

    both set to No Restriction

    NAT & Routing - rewrite source address (Masquerading)

    And for most things I always log traffic.

  • Cmp9200,

    Is it working now? I mean, are you able to surf the internet?

    If yes, make sure to mark "this helped me" on the rfcat_vk reply so the thread is marked as resolved.

    If not, make sure to authenticate in some way, because on the firewall rule you ticked "Match known users". To surf without authentication, uncheck that checkbox.

    Regards
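To make the two pieces of advice above concrete, here is a small added model of zone-based rule matching in the style of an XG firewall rule. It is example code written for this thread, not Sophos code, and it simplifies heavily: a rule is only source zones, destination zones and the "Match known users" tick, and unmatched traffic is dropped (default deny). The placement of the new VLAN interfaces in the WIFI zone, the user name "chad" and the sample flows are constructed assumptions, not facts from the thread.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

ANY = "Any"  # the "Any" choice in the XG rule form


@dataclass(frozen=True)
class Flow:
    """One connection attempt as a zone-based rule engine sees it."""
    src_zone: str
    dst_zone: str
    user: Optional[str] = None  # None = client has not authenticated to the firewall


@dataclass(frozen=True)
class Rule:
    """Simplified firewall rule: zones plus the 'Match known users' tick."""
    name: str
    src_zones: frozenset[str] | str  # a set of zone names, or ANY
    dst_zones: frozenset[str] | str
    match_known_users: bool = False

    def matches(self, flow: Flow) -> bool:
        if self.src_zones != ANY and flow.src_zone not in self.src_zones:
            return False
        if self.dst_zones != ANY and flow.dst_zone not in self.dst_zones:
            return False
        # "Match known users" limits the rule to traffic from authenticated users
        if self.match_known_users and flow.user is None:
            return False
        return True


def allowed_by(rules: list[Rule], flow: Flow) -> Optional[str]:
    """Name of the first matching rule, or None when nothing matches (default deny)."""
    for rule in rules:
        if rule.matches(flow):
            return rule.name
    return None


SRC = frozenset({"LAN", "VPN", "WIFI"})

# The rule as first posted: destination zones LAN and WAN only.
AS_POSTED = Rule("Vlans", SRC, frozenset({"LAN", "WAN"}), match_known_users=True)
# After rfcat_vk's advice: destination zone Any.
AFTER_ADVICE = Rule("Vlans", SRC, ANY, match_known_users=True)
# After the second reply's advice, when no authentication is in place.
NO_AUTH_NEEDED = Rule("Vlans", SRC, ANY, match_known_users=False)

# Constructed sample flows; assumes the VLAN interfaces sit in the WIFI zone.
SAMPLE_FLOWS = {
    "vlan_to_internet": Flow("WIFI", "WAN", user="chad"),
    "vlan_to_other_vlan": Flow("WIFI", "WIFI", user="chad"),
    "lan_to_vlan": Flow("LAN", "WIFI", user="chad"),
    "unauthenticated_to_internet": Flow("LAN", "WAN", user=None),
}


def evaluate(rule: Rule) -> dict[str, Optional[str]]:
    """Run every sample flow through a single-rule policy."""
    return {name: allowed_by([rule], flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, rule in (("as posted", AS_POSTED),
                        ("after advice", AFTER_ADVICE),
                        ("no auth needed", NO_AUTH_NEEDED)):
        print(f"{label:15}", evaluate(rule))
```

With the rule as posted, traffic to the internet matches but VLAN-to-VLAN and LAN-to-VLAN traffic fall through to the default deny, because the destination zone list does not include the zone the VLANs live in; setting the destination zone to Any fixes that. Independently, as long as "Match known users" is ticked, a client that has not authenticated never matches the rule at all, which is why the second reply asks whether authentication is in place.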

  • Hello,

    I am going to assume that since the rules listed are correct, it will or would work.

    AT&T Uverse Internet DSL service and their DSL modem / router is not all that friendly.

    Last night I had to factory reset it. They do not support bridge mode / transparent mode, and when it was installed I tried using the setting that sort of gives you bridge mode.

    It did give the external WAN I.P. to the XG device / connection, but since I had been testing between it and a Linksys router, and needed to run my Samsung Blu-ray player through the Linksys just to stream, it saw the second router, the Linksys, but gave it an internal NAT / private address in the 192.168.1.x address scope. And there was no way to flip the external WAN I.P. between the router and the XG. Their modem does not support VLANs. AT&T wants you to use their modem / router to do your NAT, port forward rules and firewalling.

    So after the factory reset, the AT&T modem WAN has the public WAN I.P. address and everything behind it currently uses its NAT and DHCP function.

    I am thinking to either keep the XG in gateway mode, run it behind the AT&T modem router with the AT&T firewall turned off on the connection to the XG, and try to use the XG that way. Otherwise, I see the XG can run in bridge mode, and I am not sure if that would give me what I want and still provide the intrusion prevention, malware, spyware and virus services.

    Long story short, I need to figure out how or what I want to do for my network behind the AT&T modem. The AT&T modem does DHCP, NAT (or PNAT I think it is also called; it does not do SNAT or DNAT), port forwarding and basic firewalling. But no VPN, no malware, virus or intrusion detection / prevention. But I think I can tell the AT&T modem to have its firewall off, so it should send all ports and services to what would be the WAN connection of the XG, and then still let the XG do my NAT, routing, port forwarding and everything else. I just need to figure out what private address range I want to use between the AT&T and the XG WAN port. Basically I would be double NATing: the XG NATs my internal LAN through the I.P. of the XG WAN (which would still be a 192.168.x.x), and then the AT&T modem would take that and NAT it to the WAN IP, which is the valid Internet I.P. address. I would rather have the modem in bridge mode and not have to address translate any more than needed.

    But I will mark this as resolved or answered.

     

    Thank you for the help and ideas.

    Chad

  • Chad,

    Strange that your configuration is not working. Send me a PM and I will have a look.

    XG in bridge mode is still able to intercept and scan traffic, removing malware, etc. There are some features that are not available at the moment:

    https://community.sophos.com/products/xg-firewall/f/network-and-routing/76233/bridge-mode-limitations

    Adding NATing can also introduce more overhead. I like to have only one appliance doing NAT; otherwise you need to do dual NAT whenever you need to publish a web service from WAN to LAN.

    Regards,

  • Hello,

    I will see if I can get to that today. I am replacing my Cisco 2948G switches with Cisco 3560G switches. I will be setting up a separate VLAN area for the LAN side of the XG, so hopefully I can more easily test and keep the XG and the Linksys home router up and running.

    Chad
