
How to access the Modem Interface in my configuration?

Hello,

I've been using the XG Firewall for a few days now and it's great so far. 

There has been one issue I couldn't solve on my own; I hope you guys can help me with this:

 

I've got my network configuration like this:

Now all I want is to access the modem's web interface (Port2, 192.168.0.2) from my network (Port1, 192.168.3.0).

Is there a simple NAT rule or something to achieve this? Thanks a lot for your attention!



This thread was automatically locked due to age.
  • Paul,

    Your modem does not know the network 192.168.3.0, so it will not forward the traffic back. You need a static route on the modem and a LAN to WAN rule on your XG.

    Regards

  • Hello lferrara,

    thank you for your help!

    I had hoped that the Sophos XG Firewall would do the address translation for me because I can successfully ping the modem through Sophos' own Ping Tool already, Port2 is in the same network after all. Both Port1 and Port2 are in the LAN zone as well.

    Anyways, I have added a static route in the modem configuration, what do I have to set in my Firewall? Thank you so far!

  • Paul,

    Use tcpdump to capture the traffic from the XG CLI.

    tcpdump llh "host x.x.x.x and port yy"

    Replace x.x.x.x with your router IP and yy with the port used to manage it (80, 443, etc.).

    Let us know.

    Regards

  • Hi Paul,

    Show me the interface configurations. Here, the modem and LAN switch are directly connected devices for the XG; hence, you don't need any specific configurations. I think you just need a LAN to WAN Fw-rule with MASQ, as the LAN requests will be NATed with the out interface, i.e. 192.168.0.1, and the XG will add the required entry in the routing table.

    Thanks

  • Hello sachingurung,

    Excuse me for getting back to you this late. Busy day.

     

    I made a screenshot of my interface configurations:

    Do I really need a LAN-To-WAN-Rule? Only the VLAN Port 2.7 is configured to be in the WAN Zone.

    Thank you so much for your assistance

  • Okay I took another shot at this, here is what I came up with:

    I created a firewall rule on top of my general Internet rule:

     

    with the following settings:

     

    Where the Destination Network is the IP-Address of my Modem (192.168.0.2) and the Primary Gateway is called 'Modemnetz':

    I added both LAN and WAN as destination zones because it somehow doesn't work if either is missing. (If I remove LAN, the Outbound Address 'MASQ: Interface Default IP' is missing from selection)

    Now I can access the modem web interface just fine and everything seems to work. 

    Since I am not very confident, I have to ask:

    Is my configuration like this problematic security-wise or am I set with it? Do I have to change anything or can I simplify my configuration?

    Thanks a lot so far!

  • Paul,

    You can raise the security level by defining a source IP from which you can access the modem. IP and MAC address should be used, but XG does not manage MAC addresses correctly in firewall rules at the moment.

    Regards
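
The return-path question raised in lferrara's first reply and sachingurung's MASQ suggestion can be modelled with a longest-prefix route lookup on the modem side. This is an added example, not part of the original thread; the client address 192.168.3.50 and the modem's default route (`isp-uplink`) are assumptions, the other addresses are the ones quoted above.

```python
import ipaddress

# Addresses quoted in the thread.
XG_PORT2 = ipaddress.ip_address("192.168.0.1")   # XG interface facing the modem
MODEM = ipaddress.ip_address("192.168.0.2")
# Assumption: a constructed host on the Port1 network (192.168.3.0).
CLIENT = ipaddress.ip_address("192.168.3.50")


def modem_routes(static_route=False):
    """Modem routing table as (prefix, next_hop); next_hop None means on-link."""
    routes = [
        (ipaddress.ip_network("192.168.0.0/24"), None),
        # Assumption: the modem's default route points at its ISP side.
        (ipaddress.ip_network("0.0.0.0/0"), "isp-uplink"),
    ]
    if static_route:
        # The static route lferrara asks for: 192.168.3.0/24 via the XG.
        routes.append((ipaddress.ip_network("192.168.3.0/24"), XG_PORT2))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, as an IP stack performs it."""
    matches = [(net, hop) for net, hop in routes if dst in net]
    _, hop = max(matches, key=lambda m: m[0].prefixlen)
    return dst if hop is None else hop


def reply_path(masquerade=False, static_route=False):
    """Where the modem sends its reply to a request from CLIENT via the XG."""
    # With MASQ the XG rewrites the source to its own Port2 address.
    src_seen_by_modem = XG_PORT2 if masquerade else CLIENT
    next_hop = lookup(modem_routes(static_route), src_seen_by_modem)
    return src_seen_by_modem, next_hop, next_hop == XG_PORT2


if __name__ == "__main__":
    cases = {
        "no NAT, no static route": {},
        "static route on modem": {"static_route": True},
        "MASQ on XG rule": {"masquerade": True},
    }
    for label, kwargs in cases.items():
        src, hop, ok = reply_path(**kwargs)
        print(f"{label:26} modem sees {src}, replies via {hop}, reaches XG: {ok}")
```

Either the static route or MASQ alone brings the reply back to the XG; without both, the modem hands the reply to its default route and the session never completes.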