Firewall Traffic/Rules

I am now having an issue with my firewall rules. Traffic does not seem to be passing through them. I also don't see any sessions. I have it set up in gateway mode, with port 2 directly connected to my Netgear router. I see the gateway is up and I can ping out. A little help please?

  • Hi Michael,

    Check #1.1 in my troubleshooting guide and take a packet capture on the source IP address. You can see which FW rule ID forwards the traffic. If you are able to ping but the traffic is not accounted on the FW rule, then you have a different issue.

    Thanks

  • Since it appears my problem is asymmetric routing, I added the bypass rule. It's unusual because I also did a show packet dump and the system shows traffic out from 172.16.16.23 to 172.16.16.9 (MacBook LAN) on 550805 with ACK. The reason I say strange is because I set DHCP as 172.16.16.50-150 and I am seeing 6 DHCP addresses, but still no traffic through the firewall, yet I can do a traceroute and it shows me that traffic is going out my 192.168.1.1 gateway.
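The packet-capture check suggested above (capture on the client's source IP and see whether the reply ever comes back through the firewall) can be turned into a small classifier. What follows is an added example, not code from the original thread and not Sophos tooling: it parses a constructed, simplified tcpdump-style capture (timestamp, interface, In/Out direction, then the IP/TCP summary) and sorts each TCP handshake into "forwarded both ways", "SYN dropped before forwarding", "reply dropped on return", or "no reply ever seen on the WAN side", the last being the signature of an asymmetric return path. The interface names Port1/Port2, the sample addresses and the assumption that source NAT keeps the client's source port are all assumptions made for this example.

```python
import re
from collections import defaultdict

LAN_IF = "Port1"  # assumed LAN-side interface name
WAN_IF = "Port2"  # assumed WAN-side interface name

# Constructed sample in a simplified tcpdump-like layout; not captured from the
# poster's XG. Flow 55080: clean handshake both ways. Flow 55081: SYN leaves the
# WAN port (retransmitted once) but no SYN-ACK ever comes back through the
# firewall. Flow 55082: SYN-ACK arrives on the WAN port but is never forwarded
# out of the LAN port.
SAMPLE_CAPTURE = """\
10:01:02.000001 Port1 In  IP 172.16.16.9.55080 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0
10:01:02.000450 Port2 Out IP 192.168.1.252.55080 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0
10:01:02.020000 Port2 In  IP 93.184.216.34.443 > 192.168.1.252.55080: Flags [S.], seq 100, ack 2, win 65535, length 0
10:01:02.020300 Port1 Out IP 93.184.216.34.443 > 172.16.16.9.55080: Flags [S.], seq 100, ack 2, win 65535, length 0
10:01:02.020900 Port1 In  IP 172.16.16.9.55080 > 93.184.216.34.443: Flags [.], ack 101, win 64240, length 0
10:01:05.000001 Port1 In  IP 172.16.16.23.55081 > 192.168.1.10.80: Flags [S], seq 5, win 64240, length 0
10:01:05.000400 Port2 Out IP 192.168.1.252.55081 > 192.168.1.10.80: Flags [S], seq 5, win 64240, length 0
10:01:08.000001 Port1 In  IP 172.16.16.23.55081 > 192.168.1.10.80: Flags [S], seq 5, win 64240, length 0
10:01:08.000400 Port2 Out IP 192.168.1.252.55081 > 192.168.1.10.80: Flags [S], seq 5, win 64240, length 0
10:01:09.000001 Port1 In  IP 172.16.16.9.55082 > 93.184.216.34.80: Flags [S], seq 9, win 64240, length 0
10:01:09.000400 Port2 Out IP 192.168.1.252.55082 > 93.184.216.34.80: Flags [S], seq 9, win 64240, length 0
10:01:09.020000 Port2 In  IP 93.184.216.34.80 > 192.168.1.252.55082: Flags [S.], seq 300, ack 10, win 65535, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+)\s+(?P<dir>In|Out)\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+Flags\s+\[(?P<flags>[^\]]*)\]"
)


def parse_lines(text):
    """Yield one dict per line that looks like a TCP packet summary."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def flow_key(pkt):
    """Flow identity that survives source NAT: (client port, server IP, server port).
    Assumes the firewall keeps the client's source port when it rewrites the
    source address. A SYN-ACK travels server -> client, so its sides are swapped."""
    if pkt["flags"] == "S.":
        return (int(pkt["dport"]), pkt["src"], int(pkt["sport"]))
    return (int(pkt["sport"]), pkt["dst"], int(pkt["dport"]))


def collect_events(text):
    """Record which handshake stages were observed, per flow, on which side."""
    events = defaultdict(set)
    for pkt in parse_lines(text):
        stage = None
        if pkt["flags"] == "S":
            if pkt["iface"] == LAN_IF and pkt["dir"] == "In":
                stage = "syn_in_lan"
            elif pkt["iface"] == WAN_IF and pkt["dir"] == "Out":
                stage = "syn_out_wan"
        elif pkt["flags"] == "S.":
            if pkt["iface"] == WAN_IF and pkt["dir"] == "In":
                stage = "synack_in_wan"
            elif pkt["iface"] == LAN_IF and pkt["dir"] == "Out":
                stage = "synack_out_lan"
        if stage:
            events[flow_key(pkt)].add(stage)
    return events


def classify(stages):
    """Turn the observed stages of one flow into a diagnosis string."""
    if "syn_in_lan" not in stages:
        return "no client SYN seen on LAN port"
    if "syn_out_wan" not in stages:
        return "SYN dropped: not forwarded to WAN (check firewall rule / route)"
    if "synack_in_wan" not in stages:
        return "no reply on WAN port: asymmetric return path or upstream drop"
    if "synack_out_lan" not in stages:
        return "reply dropped: reached WAN but not forwarded to LAN"
    return "symmetric: handshake forwarded both ways"


def classify_flows(text):
    """Map each (client port, server IP, server port) flow to its diagnosis."""
    return {key: classify(stages) for key, stages in collect_events(text).items()}


if __name__ == "__main__":
    for key, verdict in sorted(classify_flows(SAMPLE_CAPTURE).items()):
        print(f"client port {key[0]} -> {key[1]}:{key[2]}: {verdict}")
```

A flow that shows a SYN leaving the WAN port and nothing coming back is the one to chase: either the far side never answered, or its answer took a path that bypasses the firewall, which is exactly what happens when both firewall ports hang off the same flat LAN. A flow whose SYN-ACK is seen on the WAN port but never leaves the LAN port was dropped by the firewall itself and should show up against a rule ID in the log.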

  • Michael,

    Since you are using crossover cables and connecting both the LAN and WAN ports to the same router, can you upload a network diagram with all IPs and connections made?

    I think you are connecting cables in the wrong order.

  • As I mentioned earlier, does it work if you connect a device to the XG LAN port directly?

    Also, did you swap the crossover cables for straight ones as I suggested last night? Not that it matters too much, as modern network devices should auto-sense and configure accordingly, but you don't need crossovers in this situation, i.e. gateway mode.

    JK

  • OK, so on the Netgear everything is 192.168.1.0. I have 20 devices connected. On the Sophos the WAN port is configured as 192.168.1.252/255.255.255.0/192.168.1.1; on the LAN port it's 172.16.16.1/255.255.255.0/192.168.1.1. I show the gateway is up and that I can get out from the 172.x.x.0, but the 172 does not see the 192 network. The firewall rule shows no traffic passing on the WAN or the LAN.

  • I missed the "directly to the LAN port" part. I will do that when I get back. I switched out the cables for straight ones and that made no difference.

  • Thanks for the diagram.

    You have 2 options:

    • bridge mode: the LAN cable coming from the Netgear L2 switch goes to the XG LAN port and the Netgear R7000 (192.168.1.1) goes to the XG WAN port.
    • routing mode: same connection as bridge, but you need to change the IPs of the devices behind the XG to something else not already in use. Wi-Fi, however, will keep working via the Netgear router. So you can buy a Sophos AP, remove the Netgear router altogether and have the XG as your router.

    The current connection will simply not work.

  • I will switch back to bridge mode, but explain this to me: when I do, do I use both network cables? Or am I just using one, and which would that be?

  • You still use both in bridge mode: crossover from the XG WAN port to a router LAN port, straight from the XG LAN port to a router LAN port.

    Go through the wizard again to set up the bridge if you're changing deployment modes. You bridge ports 1 & 2 on the XG, then for the bridging pair IP address give it an address on the subnet used by your router; in this case try 192.168.1.200 with SM 255.255.255.0, and the bridging pair gateway will be 192.168.1.1.

    Then go through the rest of the wizard.

    If you did this right, the XG will be accessible on 192.168.1.200 and the devices on your LAN should get IPs from the router's DHCP.

    JK

  • OK, I have the same result. I have switched to bridge mode:

    LAN Port 1: 192.168.1.200, standard Ethernet cable

    WAN Port 2: 192.168.1.1 gateway, crossover cable

    When I have both cables in, I can ping only the gateway; I have no Internet and cannot reach the LAN.

    When I have only the WAN cable in, I can ping the gateway and the Internet, but not the LAN.

    When I have only the LAN cable in, I can ping all three, but there is no traffic through the firewall.

    Also note, this is the traffic that passed prior to me pulling the LAN cable.

    There is nothing in the firewall log; I didn't turn it on. I'm going to turn it on, let the WAN run for a while to build the log, then plug the LAN back in.

  • Those IPs: 192.168.1.200 is the bridged pair IP, yeah, and then 192.168.1.1 is its DG?

    If you set up the bridge using the wizard, the 2 NICs on the XG will be bridged, so it will have 1 IP for the bridge. Also, with it set up this way, what happens when you connect a device to the LAN port of the XG directly?

    JK

  • On the default firewall rule, now try turning off the IP rewriting.

    JK

  • OK, so I followed the wizard, so how do I resolve this? I did the wizard, followed the cabling, etc.

  • So if you connect a device into the LAN port of the XG and use DHCP on the device, what address does it get?

    Also, what does tracert give you from that?

    Can you still access the web UI of the Netgear through the Sophos?

    Also, is your XG device a SW install, VM or HW?

    Also, have you changed any other settings yet, like device access, ips, etc.? I'd be inclined to do a reinstall or factory reset it.

    From what you're saying it sounds right, so it should be working.

    JK