
After initial setup, no Internet access (includes diagram)

Hi all

I have set up Sophos XG Home on a supported Qotom mini PC. Per my diagram I can log in to the XG and configure it, but no LAN device can get access to the Internet. The Sophos Control Center has the Interface icon in red with an exclamation mark.

 

https://www.draw.io/#W78AE145D55D6C5E3!28456

It's in Bridge Mode, LAN Port 1 is connected to the modem/router and LAN Port 2 is connected to the LAN switch.

 

What have I missed?

    

Thanks



This thread was automatically locked due to age.
  • Sorry, link to diagram mightn't work so here it is...

  • Hi Peter,

    Very simple: you don't have any rules allowing traffic out. Why do you have your wifi point on the outside of the XG? I know it is part of your modem/router.

  • Hi rfcat_vk

    Re the WiFi: wifi is disabled on the router.

    Can you help me with the rule I need please? The one I have in there is not correct, I assume?

  • Hi Peter,

    The rule could be any zone (source) any to any zone (destination) any -> allow all. What I can't see is your MASQ (NAT) rule.

    Next question is why are you using the modem as gateway rather than bridged mode and have the XG be the true gateway and only one NAT.

    Which device is providing your DHCP function?

  • rfcat_vk

     

    The modem/router is providing DHCP. Are you saying I should disable all routing functions from the device and use the XG to be DHCP, NAT etc etc?

  • Hi Peter,

    That would make debugging easier and filter creation simpler.

  • I have the same config as you; here are my two rules (one for in and one for out).

    Also don't enable MASQ, as it can affect some of those layer 2 packets that are non-routable. For example it broke some of the discovery I needed for my router control SW, and IMO it isn't needed in this scenario.

    Here is the summary of the bottom rule as an example, hope that helps.

    Summary

    All Inbound

    Allow

    Rule

    Accept any service going to "LAN" zone, when in "WAN" zone, and coming from any network, scan for malware then check with Sandstorm and log connections, then apply IPS policies

    Source & Schedule
    WAN

    Source Networks and Devices : Any
    During Scheduled Time : All the Time

    Destination & Services
    LAN

    Destination Networks : Any
    Services : Any
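The post above lists two any/any firewall rules (an outbound LAN-to-WAN rule and an inbound WAN-to-LAN rule). The following Python model is an added example, not code from this thread or from Sophos, that simulates first-match, zone-based rule evaluation with a connection table so the effect of each rule on sample traffic can be seen. The LAN subnet, the zone names and the packet addresses are constructed assumptions; XG's real rule engine has many more fields than this model.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed zone map for the bridge-mode setup in the thread: the modem/router
# side is WAN, the switch side is LAN. The LAN subnet is an assumption, not from the thread.
LAN_NETS = [ipaddress.ip_network("192.168.1.0/24")]


def zone_of(ip):
    """Map a destination address to a zone: anything not in a LAN subnet is WAN."""
    addr = ipaddress.ip_address(ip)
    return "LAN" if any(addr in net for net in LAN_NETS) else "WAN"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    src_zone: str  # zone of the interface the packet arrived on


@dataclass
class Rule:
    name: str
    src_zone: str  # zone name or "Any"
    dst_zone: str  # zone name or "Any"
    src_nets: list = field(default_factory=list)  # [] means Any; CIDR strings
    services: list = field(default_factory=list)  # [] means Any; (proto, port) tuples
    action: str = "allow"

    def matches(self, pkt):
        if self.src_zone != "Any" and self.src_zone != pkt.src_zone:
            return False
        if self.dst_zone != "Any" and self.dst_zone != zone_of(pkt.dst):
            return False
        if self.src_nets and not any(
            ipaddress.ip_address(pkt.src) in ipaddress.ip_network(n) for n in self.src_nets
        ):
            return False
        if self.services and (pkt.proto, pkt.dport) not in self.services:
            return False
        return True


class Firewall:
    """First-match rule evaluation plus a connection table for return traffic."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()

    def evaluate(self, pkt):
        # Replies to a flow that an allow rule already admitted pass on state alone.
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reverse in self.flows:
            return ("allow", "established")
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "allow":
                    self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
                return (rule.action, rule.name)
        return ("drop", "implicit-deny")


# The two rules the poster describes: one outbound, one inbound, both any/any.
ALL_OUTBOUND = Rule("All Outbound", "LAN", "WAN")
ALL_INBOUND = Rule("All Inbound", "WAN", "LAN")

# Constructed sample traffic using documentation-range addresses.
CLIENT_TO_WEB = Packet("192.168.1.10", 51000, "203.0.113.80", 443, "tcp", "LAN")
WEB_REPLY = Packet("203.0.113.80", 443, "192.168.1.10", 51000, "tcp", "WAN")
UNSOLICITED_SSH = Packet("198.51.100.7", 40000, "192.168.1.10", 22, "tcp", "WAN")


def run_scenario(rules, packets):
    """Feed packets in order through a fresh firewall and return the verdicts."""
    fw = Firewall(rules)
    return [fw.evaluate(p) for p in packets]


if __name__ == "__main__":
    traffic = [CLIENT_TO_WEB, WEB_REPLY, UNSOLICITED_SSH]
    print("both rules:   ", run_scenario([ALL_OUTBOUND, ALL_INBOUND], traffic))
    print("outbound only:", run_scenario([ALL_OUTBOUND], traffic))
```

Running the two scenarios side by side shows what each rule actually contributes: the web reply is admitted by connection state in both cases, so only the outbound rule is needed for LAN clients to reach the Internet, while the inbound any/any rule is what admits unsolicited connections from the WAN side to LAN hosts. Checking a rule set this way before applying it makes it easy to see which traffic a rule opens up.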
