In the past week, we've started noticing trouble related to a guest network that's been set up for the better part of a year. The first sign of trouble was that random hosts on our internal network began to receive addresses associated with the guest network.
The guest network is associated with eth4 (172.16.0.0/12) and the internal network with eth0 (10.12.12.0/24). Since DHCP for both networks is handled by the Sophos, I decided to take a closer look at the logs. What I'm noticing is that some DHCP messages will appear on both interfaces and that internal hosts receiving 172.16 addresses will show up twice in the DHCP lease table (a second entry for 10.12.12). I'm including a snippet of logs for reference. This behavior persists even after explicitly denying traffic between the two networks.
2014:12:29-00:09:00 gw01-2 dhcpd: DHCPINFORM from 10.12.12.124 via eth0
2014:12:29-00:09:00 gw01-2 dhcpd: DHCPACK to 10.12.12.124 (00:25:64:f7:0c:50) via eth0
2014:12:29-00:09:00 gw01-2 dhcpd: DHCPINFORM from 10.12.12.124 via eth4
2014:12:29-00:09:00 gw01-2 dhcpd: DHCPACK to 10.12.12.124 (00:25:64:f7:0c:50) via eth4
I'm scouring the network for any sign that the two segments have been bridged, but I'm coming up empty-handed so far. As I eliminate possibilities, the Sophos is starting to look like a likely suspect. I'd welcome any wisdom or suggestions. My next step, tomorrow morning, will be a bit of Wireshark analysis as I join my laptop back to the network.
Current firmware version is 9.305-4. When the problem first appeared, we had not yet upgraded to 9.3.
Thanks in advance.
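Added example, not part of the original post: a small Python script that scans dhcpd log lines in the format quoted above and reports every DHCP message logged on more than one interface in the same second, which is the pattern the post describes. The function name and the fifth sample line are constructed for illustration; the first four sample lines are the ones from the post.

```python
import re
from collections import defaultdict

# Sample input: the four lines quoted in the post, plus one constructed
# line for a client that is seen on a single interface only.
SAMPLE_LOG = """\
2014:12:29-00:09:00 gw01-2 dhcpd: DHCPINFORM from 10.12.12.124 via eth0
2014:12:29-00:09:00 gw01-2 dhcpd: DHCPACK to 10.12.12.124 (00:25:64:f7:0c:50) via eth0
2014:12:29-00:09:00 gw01-2 dhcpd: DHCPINFORM from 10.12.12.124 via eth4
2014:12:29-00:09:00 gw01-2 dhcpd: DHCPACK to 10.12.12.124 (00:25:64:f7:0c:50) via eth4
2014:12:29-00:09:05 gw01-2 dhcpd: DHCPINFORM from 10.12.12.77 via eth0
"""

# timestamp, hostname, "dhcpd:", message type, free-form detail, interface
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+dhcpd: "
    r"(?P<msg>DHCP[A-Z]+) (?P<detail>.+?) via (?P<iface>\S+)\s*$"
)


def find_cross_interface(log_text):
    """Return {(timestamp, message, detail): [interfaces]} for every DHCP
    message that dhcpd logged on more than one interface.

    Matching is on the exact timestamp string, so a duplicate that
    straddles a second boundary is not paired.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a dhcpd message line in the expected format
        seen[(m["ts"], m["msg"], m["detail"])].add(m["iface"])
    return {key: sorted(ifaces) for key, ifaces in seen.items() if len(ifaces) > 1}


if __name__ == "__main__":
    for (ts, msg, detail), ifaces in find_cross_interface(SAMPLE_LOG).items():
        print(f"{ts} {msg} {detail}: seen via {', '.join(ifaces)}")
```

Running it over a full day of dhcpd logs shows whether the duplication affects every client or only a few, which helps narrow down where the two segments meet.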