
Lan to Lan rule

Hi,

I am trying to set a rule for an old printer on our LAN that talks to software on users' computers, but I am having no luck.

My other rules all work, but they are generally LAN > WAN or vice versa; this is my first one where the log is showing a LAN address for both source and destination.

I have tried making the rule very open, using ANY for source/destination etc., and still no luck.

The Source IP is always the printer on 192.168.10.231 and the destination can change.

The source port in the log is always 515 and the destination appears to vary between 54021 - 55022.

If anyone can point out where I am being an idiot that would be great.

Ignore the description on the rule.



  • Just to clarify, we have no VLANs etc. set up, and our LAN is all connected to the Sophos XG on port1.

  • I see nobody else explained why LAN to LAN policy traffic doesn't do anything, or ever will.  I will try to explain this as simply as possible.


    LAN to LAN to me says that you are trying to govern traffic going through the same subnet with a router. This is a problem because, if the other device is on the same LAN/subnet, then it would use the switch and MAC address to directly communicate with the device.  If you can imagine, this means the Sophos router is not the destination of the traffic, and therefore it never has any ability to manipulate the traffic.


    An example of what would work: let's say we had two networks, WLAN 192.168.2.0/24 and LAN 192.168.1.0/24.  The same policy, but instead going LAN to WLAN, would work because of the fact that communication needs to go through the router to arrive at the destination.  If there is a specific reason you want to use the Sophos router to govern traffic between specific devices, they must be on two different networks.  This is how routers are fundamentally designed; I hope this helps.

  • I found there is one situation where a LAN to LAN rule is necessary, when you create a bridge interface.  By default, members of a bridge interface will not be allowed to communicate with other devices on a different port, even if they are on the same subnet.  Firewall policies are required for LAN to LAN, which I would call a layer 3 bridge.  This is different from a normal bridge which is also known as a switch.  It's misleading to require firewall rules just to allow devices on a "bridge" to communicate.

  • Hi David,

    I do not fully understand your setup. Please add some detail.

    Your log shows two hosts:

    192.168.10.231
    192.168.8.91

    Do they share the same net? What's your netmask?

    I think you have routing issues, as the log states that there is "invalid traffic" (source interface but no destination interface).

    Please share a L3 Network diagram of your setup.

    Yours, Lukas


  • What is the subnet mask you are using for your LAN?  255.255.252.0?
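An added example, not from any poster in this thread, that puts the two points above together: given the two hosts seen in the log and a candidate netmask, it decides whether their traffic is switched locally (and so can never match a LAN-to-LAN rule) or has to cross the firewall. The sample flows are constructed to look like the printer's log entries; the masks 255.255.255.0 and 255.255.252.0 are the ones asked about.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample flows in the shape of the log in the question: the
# printer 192.168.10.231 (LPD, port 515) answering clients on the LAN.
SAMPLE_FLOWS: List[Tuple[str, str]] = [
    ("192.168.10.231", "192.168.8.91"),   # the second host from the log
    ("192.168.10.231", "192.168.10.50"),  # constructed client on 192.168.10.x
    ("192.168.10.231", "192.168.2.20"),   # constructed client on 192.168.2.x
]


def same_subnet(host_a: str, host_b: str, netmask: str) -> bool:
    """True when both hosts sit in the same subnet under `netmask`.

    Traffic between such hosts is forwarded by the switch on MAC address and
    never reaches the firewall, so no LAN-to-LAN rule can match it (the one
    exception being ports that are members of a bridge interface, as a reply
    above notes). A different subnet means the hosts must go via the gateway.
    """
    net_a = ipaddress.ip_interface(f"{host_a}/{netmask}").network
    net_b = ipaddress.ip_interface(f"{host_b}/{netmask}").network
    return net_a == net_b


def classify_flows(flows: List[Tuple[str, str]],
                   netmask: str) -> Dict[Tuple[str, str], str]:
    """Label each (src, dst) pair 'switched' (never seen by the firewall)
    or 'routed' (crosses the gateway, where a firewall rule can apply)."""
    return {
        (src, dst): "switched" if same_subnet(src, dst, netmask) else "routed"
        for src, dst in flows
    }


if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.252.0"):
        print(mask)
        for pair, verdict in classify_flows(SAMPLE_FLOWS, mask).items():
            print(f"  {pair[0]} -> {pair[1]}: {verdict}")
```

With a /22 mask both hosts from the log fall in 192.168.8.0/22, so their traffic never touches the Sophos box; with a /24 mask they are in different subnets and the hosts would need the gateway (and the log's "invalid traffic" would then point at a routing problem rather than a missing rule).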