
Pfsense + Sophos XG in Bridge Mode (VM ESXi 6.5)

Hi,

I'm having problems getting Sophos XG up and running in Bridge Mode on VMware ESXi 6.5 in my home environment.

My current setup is:
Internet -> Modem (Bridge) -> WAN Interface (public IP) -> pfSense -> LAN Interface (192.168.1.1) -> 16 Port Switch -> Devices (192.168.1.0/24).

This works nicely.

I would like to set up Sophos in Bridge Mode (VMware), so I can do web filtering etc. in the following setup:
Internet -> Modem (Bridge) -> WAN Interface (public IP) pfSense -> LAN Interface (192.168.1.1) into WAN Interface Sophos XG (Bridge Mode) -> LAN Interface -> 16 Port Switch -> Devices

The VMware box has a quad-port NIC card with 2 x vSwitches, one for Port1 (LAN) and one for Port2 (WAN), with Promiscuous Mode enabled for both vSwitches.

Following this post:

https://community.sophos.com/products/xg-firewall/f/network-and-routing/76025/bridge-mode-deployment-not-working

Initial setup of the VM is fine (using the Sophos XG ISO), allowing me to access the Web Admin interface in order to continue setup and activation, which works in gateway mode...

Continuing, I go through the setup wizard, select Bridge Mode, set up the bridge between Port1 (LAN) and Port2 (WAN) and give it an IP (192.168.1.18).

I then remove the LAN interface cable from the pfSense box and attach the WAN interface (Port2) to the pfSense LAN interface.

I am able to access the Bridge IP address on 192.168.1.18, but am unable to ping the Gateway which is set up for the Bridge (192.168.1.1) - the pfSense box?
I am unable to access the internet from any device on the LAN or resolve any internet hosts through the diagnostics in the admin GUI.
The status of the Bridge is showing as red. Port1, Port2 & br0 are showing as connected in the GUI.

I am using a cross-over cable between pfSense and the VMware NIC (Port2 - WAN)... the outcome was no different to when I was using a straight-through.

What am I doing wrong here? Do I need to do something on the pfSense box to make this work? I didn't think so, as it is meant to be a bridge setup.
Please help.

Thanks!

Regards
pdaemon
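An added check for the ESXi side, not part of the post above and not Sophos or VMware code. A VM that bridges two ports has to receive frames addressed to other hosts' MACs (Promiscuous Mode) and retransmit frames carrying other hosts' source MACs (Forged Transmits), so the standard vSwitch security policy needs both accepted on each member port; the post only mentions promiscuous mode. The script parses the output of `esxcli network vswitch standard policy security get -v <vswitch>` (here a constructed sample, with placeholder vSwitch names) and reports what a bridge member port still lacks.

```shell
#!/bin/sh
# Added example: check whether each ESXi standard vSwitch carrying an XG bridge
# member accepts what a transparent bridge needs. Real output comes from
#   esxcli network vswitch standard policy security get -v <vswitch>
# The vSwitch names vSwitch-WAN / vSwitch-LAN are placeholders.

# Constructed sample: a vSwitch where only promiscuous mode was enabled,
# which is the situation the original post describes.
SAMPLE_WAN_POLICY='   Allow Promiscuous: true
   Allow MAC Address Change: false
   Allow Forged Transmits: false'

# Constructed sample: a vSwitch with everything a bridge member needs.
SAMPLE_LAN_POLICY='   Allow Promiscuous: true
   Allow MAC Address Change: true
   Allow Forged Transmits: true'

# policy_value <esxcli-output> <key> -> prints "true" or "false" for that key
policy_value() {
    printf '%s\n' "$1" | awk -F': *' -v key="$2" '$1 ~ key { gsub(/ /, "", $2); print $2 }'
}

# missing_for_bridge <esxcli-output> -> prints the settings a bridge member
# still rejects (";"-separated); prints nothing and returns 0 when the policy is fine.
missing_for_bridge() {
    missing=""
    for key in "Allow Promiscuous" "Allow Forged Transmits"; do
        if [ "$(policy_value "$1" "$key")" != "true" ]; then
            missing="$missing$key;"
        fi
    done
    printf '%s' "$missing"
    [ -z "$missing" ]
}

# check_vswitch <name> <esxcli-output> -> human-readable verdict; returns 1 if a fix is needed
check_vswitch() {
    m=$(missing_for_bridge "$2")
    if [ -z "$m" ]; then
        echo "$1: OK as a bridge member port"
        return 0
    fi
    echo "$1: NOT OK, still rejected: $m"
    # -p = allow promiscuous, -f = allow forged transmits
    echo "   fix: esxcli network vswitch standard policy security set -v $1 -p true -f true"
    return 1
}

# Stand-alone run over both constructed samples (exit status deliberately ignored here).
check_vswitch vSwitch-WAN "$SAMPLE_WAN_POLICY" || :
check_vswitch vSwitch-LAN "$SAMPLE_LAN_POLICY" || :
```

Promiscuous mode lets every VM attached to that vSwitch see all of its traffic, so apply these settings to a dedicated port group that only the XG's bridge adapters use rather than to a vSwitch shared with other guests.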



  • Hi,

    Why do you think you need two firewalls in tandem?

    You will need a 3rd NIC on the XG to be able to access the management functions.

    What rules do you have in place?

    Ian

  • Hi rfcat_vk,

    I am using pfSense as my firewall and just want to use Sophos XG for the web filtering and reporting side of things.

    I have a LAN to WAN any-any rule in place on XG... this was done during the setup of bridge mode.
    I'll probably have to see if there is anything being blocked on the FW?

    I can post some screenshots a bit later on.

    I can access the Sophos Admin GUI via the IP address assigned to the bridged interface (192.168.1.18) or can see the console in VMware ESXi.

    Cheers pdaemon

  • Hi,

    You may take a packet capture on the XG to check whether the packets are processed by XG or not.

    You may use a test IP, e.g. 103.23.140.55

    In XG you may use the following command to analyze the connection from your local PC to the WAN gateway.

    console> tcpdump 'host 103.23.140.55 and port 80'

    Post the output. If you have received the packet on XG and it is not forwarded to the WAN interface, check the firewall rules. If no packet is observed, then you may need to check your adapters and the settings.
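A small helper that applies the decision rule in the reply above, added here as an example and not part of that reply or of Sophos' tooling. It assumes the test flow is captured on each bridge member separately (on the XG console the form `tcpdump -i Port1 'host <test-ip> and port 80'` is assumed to select a member port) and classifies, from the `N packets captured` summaries, whether the frames never reached the XG, reached the LAN member but were not forwarded to the WAN member, or passed through. The two captures below are constructed samples; the test IP is the one the thread itself uses later.

```shell
#!/bin/sh
# Added example: classify a bridge-mode capture taken on both bridge members.
# Assumed console commands (one per member, stopped with Ctrl-C):
#   tcpdump -i Port1 'host 203.173.50.151 and port 80'   # LAN-side member
#   tcpdump -i Port2 'host 203.173.50.151 and port 80'   # WAN-side member
TEST_IP=203.173.50.151

# Constructed sample: the LAN member sees the client's SYNs.
LAN_CAPTURE='tcpdump: Starting Packet Dump
12:00:01.000000 IP 192.168.1.150.51234 > 203.173.50.151.80: Flags [S], seq 1, win 64240, length 0
12:00:02.000000 IP 192.168.1.150.51234 > 203.173.50.151.80: Flags [S], seq 1, win 64240, length 0
2 packets captured
2 packets received by filter
0 packets dropped by kernel'

# Constructed sample: nothing leaves via the WAN member.
WAN_CAPTURE='tcpdump: Starting Packet Dump
0 packets captured
0 packets received by filter
0 packets dropped by kernel'

# captured_count <tcpdump-output> -> the number from the "N packets captured" line (0 if absent)
captured_count() {
    n=$(printf '%s\n' "$1" | awk '/packets captured$/ { print $1; exit }')
    printf '%s' "${n:-0}"
}

# classify_bridge <lan-count> <wan-count> -> one of:
#   no-traffic-at-xg : nothing on either member  -> adapters, vSwitch policy, cabling
#   not-forwarded    : on LAN member, not on WAN  -> firewall rules / bridge itself
#   forwarded        : on both members            -> XG is passing it; look upstream
classify_bridge() {
    lan=${1:-0}; wan=${2:-0}
    if [ "$lan" -eq 0 ] && [ "$wan" -eq 0 ]; then
        echo no-traffic-at-xg
    elif [ "$wan" -eq 0 ]; then
        echo not-forwarded
    else
        echo forwarded
    fi
}

# diagnose <lan-capture> <wan-capture> -> prints the verdict for the test flow
diagnose() {
    lan=$(captured_count "$1"); wan=$(captured_count "$2")
    verdict=$(classify_bridge "$lan" "$wan")
    echo "host $TEST_IP: LAN member $lan packet(s), WAN member $wan packet(s) -> $verdict"
    echo "$verdict"
}

diagnose "$LAN_CAPTURE" "$WAN_CAPTURE"
```

A capture with no `-i` matches every interface, so a result of 0 packets there, as in the output posted later in this thread, falls into the first class: the client's frames are not reaching the XG at all, which points at the virtual NIC and vSwitch settings rather than at the firewall rules.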

  • Hi Aditya,

    Thanks for the reply.

    I have tried what you suggested, but I am unable to see any packet for the IP I'm using being captured on the XG console when I browse to that address on a computer on my LAN.

    203.173.50.151 - iinet.net.au

    SFVH_SO01_SFOS 16.05.6 MR-6# tcpdump 'host 203.173.50.151 and port 80'
    tcpdump: Starting Packet Dump
    ^C
    0 packets captured
    0 packets received by filter
    0 packets dropped by kernel

    I can ping all addresses on the LAN that are up... for example:

    SFVH_SO01_SFOS 16.05.6 MR-6# ping 192.168.1.150
    PING 192.168.1.150 (192.168.1.150): 56 data bytes
    64 bytes from 192.168.1.150: seq=0 ttl=64 time=7.584 ms
    64 bytes from 192.168.1.150: seq=1 ttl=64 time=3.923 ms

    But I am unable to ping the gateway (192.168.1.1):

    SFVH_SO01_SFOS 16.05.6 MR-6# ping 192.168.1.1
    PING 192.168.1.1 (192.168.1.1): 56 data bytes
    ^C
    --- 192.168.1.1 ping statistics ---
    4 packets transmitted, 0 packets received, 100% packet loss

    It is like the bridge is not passing the traffic through? I shouldn't need to change anything on my LAN side in order for this to work in bridge mode?

    I have attached some pics of config:


    If I remove the cross-over between the WAN interface vmNic2 and the pfSense LAN port (leaving vmNic1 LAN in - Port1) and plug pfSense straight into the switch (as per the original config)... it is working fine and Sophos XG can ping etc., but it isn't in bridge mode as it's just connected into the switch...

    Thanks for your help!

    Cheers pdaemon

  • Any more ideas? Maybe it's a VMware setup issue.

    I'm considering whether to just install Sophos in GW mode on my physical pfSense box...

  • Why do you need the crossover cable? Most modern NICs can auto-negotiate.

    Can you ping and traceroute from the XG using the test tools?

    Ian

  • Hi rfcat_vk,


    I tried the cross-over to see if that would make any difference (which it didn't), as it was shown in the bridge setup diagram in the setup wizard... also as this is a computer-to-computer connection (pfSense is a J1900 mini PC + VMware is an Intel i7)...

    I have switched back to the straight through CAT cable.

    From the XG I can ping/traceroute to all devices on the LAN (192.168.1.X) subnet, but it seems that no traffic is passing through the WAN interface (Port2) out through to pfSense. There are link lights on both sides.

    It wouldn't be anything on the pfSense side, right? The packets should just be getting passed through the bridge as if they were coming straight from the LAN into pfSense?

    Thanks for all your help so far!

    Cheers pdaemon

  • Hi,

    Two things.

    1/. You will need more than 2 GB of RAM; give it at least 4 GB.

    2/. Change your rule to (source) any zone -> any host -> (destination) any zone -> any host -> log.


    Ian

  • Hi rfcat_vk,

    Thanks, I'll increase the RAM and implement the FW rule as you suggest and see what happens.

    I'll post the FW logs if I see anything interesting.

    I'll send an update later today...

    Cheers pdaemon

  • Make sure the memory is a fixed value.

    Ian

  • OK, will do.

    Thanks.

    Cheers pdaemon
