
Bridge mode ARP replies not received

I'm trying to set up SFOS 17.03 MR3 as a bridge behind another device purely for the purpose of utilizing its web filtering, app control, etc. However, I'm unable to ping from the XG to the default gateway of the upstream device. It doesn't look like the XG instance is seeing the arp-replies back from the upstream box. I do see the arp-replies being sent from the upstream box. I don't believe they're being blocked from the source. I do have the two firewall rules to allow for traffic between the LAN and WAN zones. However, it's non-masqed and the bridge interface doesn't have routing enabled. Any ideas as to why the ARP replies aren't being seen? Would that be why ping wouldn't work?
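One way to pin down on which side the ARP replies stop is to capture on the upstream box and on the XG's bridge port and compare which requests got an answer in each capture. The decoder below is an added illustration written for this thread, not code from Sophos or from the original poster; the MAC and IP addresses (192.0.2.0/24 documentation range) are constructed sample values, and in practice the frame bytes would come from a packet capture on each interface.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def build_arp(oper, sha, spa, tha, tpa):
    """Build a minimal Ethernet/ARP frame (used here only to construct sample traffic)."""
    eth_dst = b"\xff" * 6 if oper == ARP_REQUEST else tha
    eth = eth_dst + sha + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
           + sha + IPv4Address(spa).packed
           + tha + IPv4Address(tpa).packed)
    return eth + arp


def parse_arp(frame):
    """Decode an Ethernet/ARP frame; return None for non-ARP or malformed frames."""
    if len(frame) < 42:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    # Only Ethernet (htype 1) / IPv4 (ptype 0x0800) ARP is handled here
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return {
        "oper": oper,
        "sha": frame[22:28],
        "spa": str(IPv4Address(frame[28:32])),
        "tha": frame[32:38],
        "tpa": str(IPv4Address(frame[38:42])),
    }


def unanswered_requests(frames):
    """Return the target IPs that were asked for but never answered in this capture."""
    asked = {}      # target IP -> IP of the host that asked
    answered = set()  # (replying IP, IP the reply was sent to)
    for frame in frames:
        pkt = parse_arp(frame)
        if pkt is None:
            continue  # not ARP (e.g. the ICMP echo itself), skip it
        if pkt["oper"] == ARP_REQUEST:
            asked.setdefault(pkt["tpa"], pkt["spa"])
        elif pkt["oper"] == ARP_REPLY:
            answered.add((pkt["spa"], pkt["tpa"]))
    return sorted(ip for ip, asker in asked.items() if (ip, asker) not in answered)


# Constructed sample: the XG (192.0.2.10) asks for the upstream gateway (192.0.2.1)
XG_MAC = bytes.fromhex("080027aa0001")   # constructed
GW_MAC = bytes.fromhex("080027bb0002")   # constructed
REQUEST = build_arp(ARP_REQUEST, XG_MAC, "192.0.2.10", b"\x00" * 6, "192.0.2.1")
REPLY = build_arp(ARP_REPLY, GW_MAC, "192.0.2.1", XG_MAC, "192.0.2.10")

# What a capture on each side would contain in the situation described above
UPSTREAM_SIDE_CAPTURE = [REQUEST, REPLY]   # upstream box sees request and sends reply
BRIDGE_SIDE_CAPTURE = [REQUEST]            # XG bridge port never receives the reply

if __name__ == "__main__":
    print("upstream side, unanswered:", unanswered_requests(UPSTREAM_SIDE_CAPTURE))
    print("bridge side, unanswered:  ", unanswered_requests(BRIDGE_SIDE_CAPTURE))
```

Running the same comparison on real captures from both interfaces tells you where the reply is lost: if it leaves the upstream box but never reaches the bridge port, the drop is between the two (for a bench test, that is the hypervisor's virtual network rather than the XG firewall policy), and no firewall rule on the XG will make the ping work until that is fixed.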



  • Kevin,

    did you follow this kb?

    https://community.sophos.com/kb/en-us/123098

    Have a look at the logs to make sure no traffic is blocked. Create a LAN to LAN firewall rule where everything is enabled. Also enable the Routing checkbox on the bridge if traffic is layer 3.

    Regards

  • I added a LAN to LAN rule and enabled routing on the bridge-pair. However, the gateway interface still shows as in the red. The other two firewall rules in place allow for all WAN to LAN traffic and all LAN to WAN traffic. It doesn't appear to matter whether or not the LAN to WAN rule is set to masquerade traffic or whether or not the WAN to LAN rule has a gateway set either. Any other ideas as to what else might need to be changed?

  • Kevin, check XG log viewer and make sure to enable ping on Administration > Device Access.

    Regards

  • The log viewer doesn't really reflect anything that stands out in any of the logs. PING / PING6 is already enabled for the WAN zone. This is all being bench tested in VirtualBox. I'm going to try breaking the bridge to get the DHCP range for the NAT interface, rebuild the bridge and assign it a static IP in the VirtualBox NAT DHCP range to see if it's the other VM appliance that might be interfering with the ping. Although, I can sit another client OS directly behind the other appliance and it works like a champ.
