Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 4 replies
  • Subscribers 28 subscribers
  • Views 11814 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos XG, VLANs with Cisco Layer 3 Switch

Kevin Nelson

We have a few locations in which VLANS do not seem to be working properly with the Sophos XG firewall. Here is the rundown:

Each site has a native VLAN and a few additional VLANs. Our switch has IP routing enabled and all VLANs can communicate with one another. Each VLAN has its own interface IP/gateway.

From the switch, we have a trunk configured to the Sophos (210), plus objects to define each of the subnets/VLANs in the firewall. Masquerading is enabled, however, VLANs cannot browse. The only way we have been able to successful pass Internet traffic to the VLANs is by setting up a sub-interface/VLAN within the Network Interfaces with the appropriate VLAN tag on the Sophos.

To me, this appears to involve ROAS in addition to our routing on our layer 3 switch. Is this the way an XG is supposed to be configured our am I missing a step? I've browsed the forums and have bee unable to find a similar setup.

Thank you in advance.



This thread was automatically locked due to age.
  • 0

    Hi Kevin,

    If I am understanding this correctly, on your switch with IP Routing enabled you have a default route pointing to the Sophos IP address.  Your clients in the VLANs can most likely get their packets routed and NATed out to the internet but when the traffic returns through the Sophos trying to get to one of the VLAN subnets it has no clue where to direct it.  If you enter static routes for each of the VLAN subnets and use a gateway route IP address of the Layer 3 switch then things should work.  This is my assumption as you stated creating a VLAN/sub-interface on the Sophos physical port resolves the issue which is basically given the Sophos a way to access that VLAN directly rather then route back to it.  If you already have static routes made then perhaps this could be an issue with another Sophos feature, let me know.

    Thanks,
    Hugh

  • 0 in reply to hjherron6

    Thank you for the reply Hugh. I've added the routes you mentioned with no different results. It seems the firewall is blocking the outgoing VLAN traffic for some reason, which is likely what I am missing.

    Here is some more info, with one specific location settings:

    Sophos Firewall:  192.168.242.10

    Layer 3 Switch/Router (Gateway):  192.168.242.6

    Wireless VLAN 100 is 192.168.246.0

    Default Route:  ip route 0.0.0.0 0.0.0.0 192.168.242.10

    DHCP is sent out via Server 2012, ipconfig info is correct on a wireless client with a gateway of 192.168.246.254 (SVI).

    With these settings, I can ping the SVI, and the gateway (192.168.242.6), but not the Sophos (192.168.242.10). I can access internal resources. If I add a VLAN sub-interface of 192.168.246.1 to the Sophos with a VLAN tag of 100, I can ping that interface, the firewall and browse internet traffic. Any additional thoughts?

    I would be okay with leaving the settings this way, but I would like to move our native vlan 1 (192.168.242.0) to an alternate vlan (10). If traffic won't route properly from a VLAN, I can't make the needed changes.

    Thank you,

    Kevin

  • 0 in reply to Kevin Nelson

    Hi Kevin,

    Thanks for the details and it sounds to me like your configuration should be working so something else is at play here.

    I would suggest maybe doing a packet capture from the GUI using a BPF string of a client IP address in VLAN 100 and port 443 such as : host 192.168.246.X and port 443

    Once the capture is turned on with that configuration I would try accessing google.com or another https site and then turn on a display filter using the status of "Violation" and see if you are seeing any packets in that state.  If you are maybe take a screenshot and paste it on here?

    You also could do host 192.168.246.X and proto ICMP and ping the Sophos IP addreess as well as an outside address so you can compare to the other capture that was taken.

    Thank you,

    Hugh

  • 0 in reply to hjherron6

    Just a thought here that might help or not but just in case here it is.

    I have been running into trouble with cisco layer 3 edge routers behind my firewall, important traffic has to be excluded from the sophos stateful inspection to play nice with Cisco layer 3.  In my case the Cisco edge router has a incoming mpls connection that works with another edge router connected to the internet to forward traffic to a hsrp Cisco virtual router that the firewall uses as the gateway to Cisco acl allowed network vlans.

    Good luck!