Need help with bridge in a vm (esxi 6)

I have ESXi 6 with 2 physical NICs (eth 0 and 1) and I have 3 vnics (external, bypass, internal). I have a firewall with eth0 bound to external for Internet access. Then the firewall has a vnic for internal traffic (bypass). I then have sophos utm bridge mode connected to 2 vnics (bypass) inbound and (internal) bound to eth1 for lan traffic.

modem ---(eth 0 / vnic external) on switch 0 ---- firewall ----- (vnic bypass) on switch 1-------- (vnic bypass) on switch 1 ---utm bridge---- (vnic internal) on switch 2

I am not able to pass traffic through the bridge.  When I have it set this way, I can access the management page in the sophos bridge.  When I switched the vnics in the esxi settings, I can access the page in the middle switch, but not from the lan side. I have tried to ping, tracert, firewall webpage, and dns resolve; nothing has worked to traverse the utm bridge.

Settings:

bridge status is up / up

the bridge has 192.168.0.2/24 (no gw ip)

firewall is set for anyip/any service/any ip

dhcp relay to 192.168.0.1 (no dhcp on utm)

ESXi has promiscuous mode (accept)

I have tried with and without a NAT masq

the log files for the firewall and http traffic do not indicate the desktop I'm using is sending traffic to the UTM.

BTW, I have reviewed the following links to no avail (and several others).

https://community.sophos.com/products/unified-threat-management/f/52/t/30313

https://community.sophos.com/products/unified-threat-management/f/53/t/34981

  • "the bridge has 192.168.0.2/24 (no gw ip)" - You need a default gateway.

    If the clients are getting DHCP from the router and the foregoing did not resolve your issue, try changing the default gateway assigned to the clients to be 192.168.0.2 (the UTM).

    Cheers - Bob
  • I have tried with and without a GW IP. No traffic is getting through. I added the DHCP relay, but IPs are not going to the endpoint as expected. I have also tried with 31.1 as the GW and now without. As for placing 31.2 as the GW, tried and failed. Still nothing is passing through.

  • Is this basically what you're going for?

    Modem                                    LAN
      |                                       |
    Eth0 (physical host interface)          Eth1 (physical host interface)
      |                                       |
    External (esx vswitch?)                 Internal (esx vswitch?)
      |                                       |
    Firewall (is this another VM?)          UTM (vm)
      |__________________    ________________|
                         |  |
                 Bypass (esx vswitch?)

    If you connect the firewall VM to the Internal vswitch, are you able to pass traffic through the firewall? You mentioned the "firewall is set for anyip/any service/any ip", what about rules on the UTM, is it wide open as well?

  • Make sure you're allowing forged transmits and allowing MAC changes on the bypass vswitch as I believe the UTM will be transmitting frames with the MAC addresses of the LAN clients
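The reply above names the three vSwitch security settings a bridging UTM depends on (promiscuous mode, MAC address changes, forged transmits). As an added example that is not from the thread, the script below checks all three against the output of `esxcli network vswitch standard policy security get -v <vswitch>`; the policy text is a constructed sample so it runs offline, and the vswitch name is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): verify that an ESXi standard vSwitch
# allows the three settings a transparent (bridging) UTM needs.
# On a real host the policy text comes from:
#   esxcli network vswitch standard policy security get -v vSwitch1   (name assumed)

# Constructed sample: a "bypass" vswitch where only promiscuous mode was enabled,
# matching the state described in the original post.
SAMPLE_POLICY='   Allow Promiscuous: true
   Allow MAC Address Change: false
   Allow Forged Transmits: false'

# Constructed sample of a vswitch that is ready for bridging.
GOOD_POLICY='   Allow Promiscuous: true
   Allow MAC Address Change: true
   Allow Forged Transmits: true'

# check_bridge_policy <policy-text>
# Prints one MISSING line per setting that is not "true".
# Returns 0 when all three are enabled, 1 otherwise.
check_bridge_policy() {
    missing=0
    for setting in "Allow Promiscuous" "Allow MAC Address Change" "Allow Forged Transmits"; do
        # Extract the value after "<setting>:" from the esxcli-style output.
        value=$(printf '%s\n' "$1" | sed -n "s/^ *$setting: *//p")
        if [ "$value" != "true" ]; then
            echo "MISSING: $setting (is '${value:-absent}')"
            missing=1
        fi
    done
    return $missing
}

# Run against the constructed sample; replace SAMPLE_POLICY with the real
# esxcli output (see comment at top) to check a live host.
check_bridge_policy "$SAMPLE_POLICY" || echo "bypass vswitch is NOT ready for bridging"
```

A bridged UTM re-emits frames carrying the LAN clients' source MACs, so "Allow Forged Transmits" and "Allow MAC Address Change" must be true on every port group the bridge members sit on, not just promiscuous mode.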
  • I figured out my problem, the UTM does not detect a vnic, so traffic would never go through it. What surprises me is that with all the other VMs I have and software I have tried it works the way I'm trying to configure it. Even VMware docs state the 2 devices are on the same vswitch with the same port group, they bypass the nic and communicate directly as the nic is not required. Now I need to figure out how to get the device to work without a physical nic on the middle vswitch.


    **********UPDATE*************

    Check your settings!!!!!

    I can't believe I overlooked the little stuff.  Seems that I should have checked my VM configs as the network adapter was set to on when the VM starts but not connected.  I guess when I deleted the previous one, I did not even pay attention to the settings.

  • Dang, that's always a punch in the gut when you find you made little mistakes like that. I was actually about to ask if you'd checked that. I was curious if you meant the UTM VM didn't detect the interface at all or if it was just showing no link.

    Is it passing traffic and working as you expected now?
  • It is, everything is flowing smoothly. The UTM VM detected the settings but would not communicate between the firewall's logical connection and the logical inbound to the UTM itself. Basically if we were to look at this physically, both connections for the firewall were good "connected", but the UTM was missing the link from the switch to port 0 on the UTM; port 1 from the UTM to the switch was connected and working.