WIFI and LAN route with 2 X SG210 UTMs.

Hi

I have 2 physical locations, each with a SG210 UTM 9 and an internet connection (Location A and B). The 2 sites have a wireless bridge connecting the internal LAN. Location B has a WIFI network on a different subnet (DHCP via UTM). The WIFI network is set up in the wireless protection area over a Sophos AP100C.

I want the devices on the WIFI network to be able to connect to the internet via location B's gateway/WAN and also route to the internal LAN when accessing internal services etc.
All of the internal servers point to location A's gateway/WAN.

What works: Wireless devices can connect to the internet.
What does not work: Wireless devices cannot reach the internal LAN. (No Ping, Traceroute or DNS)

Wireshark reveals packets are making it to the internal LAN. But my guess is that because the servers' gateway is not location B, they are getting lost.
I'm thinking of a static route on the Location A firewall.

Any Ideas?

Thanks



  • Hello,

    Can you perhaps make a simple drawing of where the wireless users are and where exactly the services you need to reach are? I'm a little lost in reading and don't really get whether it's location A or B wireless where it's failing now.


    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • The WLAN gateway is set to the location B gateway, but uses services on the internal LAN as well.

    From a device connected to the WLAN (Location B) I can get to the internet but nothing on the internal LAN.

    Devices connected to WIFI need all normal LAN access such as DNS, file shares, email, web http/https etc.

    Thanks!

  • So the WLAN at location B needs to access the internal LAN at location B (and/or A)?

    For internal LAN access from the WLAN at B to Internal at B, you need to add firewall rules to allow the traffic. This is needed on the SG210 at location B.

    If you also need to access Internal LAN A, you will also need to make the same firewall rule on the SG210 at location A. Even though it is bridged, you will also need to add a firewall rule Internal -> Internal -> Allow, since traffic is going through the firewall and therefore needs a firewall accept.



  • Hi

    I have the following firewall rules.

    Location A

    • internal (Network) -> Any -> wlan(Network) Accept
    • wlan(Network) -> Any -> internal (Network) Accept

    Location B

    • internal (Network) -> Any -> wlan(Network) Accept
    • wlan(Network) -> Any -> internal (Network) Accept


    This seems to do nothing. I did try a masquerading rule in location B wlan -> internal, which allowed access to DNS and file share servers on the internal (Network).

    But why should I need this, shouldn't it just route between networks?

    Thanks again.
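    As an added illustration (not code from this thread, from Sophos, or from any of the posters), here is a small Python model of the layout described in the question and in the rules post above, with constructed addresses (10.10.0.0/24 for the bridged internal LAN, 10.20.0.0/24 for the WLAN, UTM-A at 10.10.0.1, UTM-B at 10.10.0.2 and 10.20.0.1, a server at 10.10.0.50 whose gateway is UTM-A, and a WLAN client at 10.20.0.10). It walks a request and its reply hop by hop through two toy UTMs that do longest-prefix routing, keep a flow table, and optionally masquerade. It reproduces the symptom (the server's reply heads for its own gateway, UTM-A, which has no route back to the WLAN subnet), shows why the masquerade rule works (the server answers UTM-B directly, so request and reply take the same path), and shows the caveat of the static route the question considers: the reply then passes a firewall that never saw the request, which a stateful firewall treats as unsolicited traffic unless that check is relaxed. The `strict_state` switch and the exact drop behaviour are assumptions of the model, not a description of how UTM 9 is implemented.

```python
"""Toy model of the thread's two-site layout: who sees the request, who sees the reply.

All addresses are constructed for the example; the only facts taken from the
thread are the topology (bridged internal LAN, WLAN behind UTM-B, servers whose
default gateway is UTM-A) and the observation that a masquerade rule makes it work.
"""
import ipaddress
from dataclasses import dataclass, field

INTERNAL = ipaddress.ip_network("10.10.0.0/24")   # bridged LAN shared by sites A and B
WLAN = ipaddress.ip_network("10.20.0.0/24")       # WLAN subnet handed out by UTM-B
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
UTM_A_INT, UTM_B_INT, UTM_B_WLAN = "10.10.0.1", "10.10.0.2", "10.20.0.1"
SERVER, CLIENT = "10.10.0.50", "10.20.0.10"       # server's gateway is UTM-A, client's is UTM-B


@dataclass
class Packet:
    src: str
    dst: str
    request: bool   # True: flow-initiating (TCP SYN, ICMP echo request); False: a reply


@dataclass
class Utm:
    name: str
    addresses: set
    routes: dict                      # network -> "connected", "WAN" or a next-hop IP
    strict_state: bool = True         # assumption: drop a reply for a flow this box never saw
    masquerade_as: str = None         # SNAT WLAN->internal requests to this address, if set
    flows: set = field(default_factory=set)
    nat: dict = field(default_factory=dict)   # server -> real WLAN client behind the SNAT

    def lookup(self, dst):
        """Longest-prefix match over the routing table (DEFAULT guarantees a hit)."""
        ip = ipaddress.ip_address(dst)
        best = max((n for n in self.routes if ip in n), key=lambda n: n.prefixlen)
        return self.routes[best]

    def forward(self, pkt):
        """Return the next hop, "WAN", or a "dropped ..." reason; may rewrite pkt in place."""
        # Reverse NAT first: a reply addressed to our masquerade address belongs to a client.
        if not pkt.request and pkt.dst in self.addresses and pkt.src in self.nat:
            pkt.dst = self.nat[pkt.src]
        nxt = self.lookup(pkt.dst)
        if nxt == "WAN":
            return "WAN"
        # Stateful policy: a request opens a flow, a reply has to match one we recorded.
        key = frozenset((pkt.src, pkt.dst))
        if pkt.request:
            self.flows.add(key)
        elif self.strict_state and key not in self.flows:
            return f"dropped by {self.name}: reply for a flow whose request it never saw"
        # Masquerade on the way out so the server answers us instead of its own gateway.
        if self.masquerade_as and pkt.request and ipaddress.ip_address(pkt.src) in WLAN:
            self.nat[pkt.dst] = pkt.src
            pkt.src = self.masquerade_as
        return nxt


def host_next_hop(host, dst):
    """Hosts know only their own subnet and their default gateway."""
    if host == CLIENT:
        return UTM_B_WLAN
    return dst if ipaddress.ip_address(dst) in INTERNAL else UTM_A_INT


def run(pkt, src_host, utms):
    """Walk the packet hop by hop; returns (outcome, path)."""
    by_addr = {a: u for u in utms for a in u.addresses}
    hop, path = host_next_hop(src_host, pkt.dst), [src_host]
    for _ in range(8):                       # guard against routing loops in the model
        utm = by_addr.get(hop)
        if utm is None:                      # reached a host, i.e. the destination
            path.append(hop)
            return "delivered", path
        path.append(utm.name)
        nxt = utm.forward(pkt)
        if nxt == "WAN":
            return f"sent to the internet by {utm.name} (no specific route for {pkt.dst})", path
        if nxt.startswith("dropped"):
            return nxt, path
        hop = pkt.dst if nxt == "connected" else nxt
    return "routing loop", path


def scenario(masquerade=False, static_route_at_a=False, strict_state=True):
    """Request WLAN client -> server, then the server's reply; returns (reply outcome, full path)."""
    a_routes = {INTERNAL: "connected", DEFAULT: "WAN"}
    if static_route_at_a:
        a_routes[WLAN] = UTM_B_INT           # the static route the question considers adding
    utm_a = Utm("UTM-A", {UTM_A_INT}, a_routes, strict_state)
    utm_b = Utm("UTM-B", {UTM_B_INT, UTM_B_WLAN},
                {INTERNAL: "connected", WLAN: "connected", DEFAULT: "WAN"},
                strict_state, UTM_B_INT if masquerade else None)
    utms = [utm_a, utm_b]
    req = Packet(CLIENT, SERVER, request=True)
    out, path = run(req, CLIENT, utms)
    assert out == "delivered", out
    # The server answers whatever source it saw: the client, or UTM-B's address if masqueraded.
    reply = Packet(req.dst, req.src, request=False)
    out, reply_path = run(reply, SERVER, utms)
    return out, path + reply_path


if __name__ == "__main__":
    cases = [("plain routing, server gateway = UTM-A", {}),
             ("masquerade wlan -> internal on UTM-B", {"masquerade": True}),
             ("static route for the WLAN on UTM-A", {"static_route_at_a": True}),
             ("static route on UTM-A, state check relaxed", {"static_route_at_a": True, "strict_state": False})]
    for label, kw in cases:
        outcome, trace = scenario(**kw)
        print(f"{label}: {outcome}\n    path: {' -> '.join(trace)}")
```

    Running it prints one line per configuration: the plain setup loses the reply at UTM-A, masquerading delivers it because the whole exchange stays on UTM-B, and the static route gets the reply as far as UTM-A, where the model's stateful check drops it unless relaxed. The practical point for anyone debugging this kind of layout is that firewall rules alone do not make a path symmetric; either the server must be able to reach the WLAN subnet via the same box that forwarded the request (a route on the server side pointing at UTM-B's internal address), or the NAT has to hide the asymmetry.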


  • You will also need Internal (Network) -> Any -> Internal (Network) on both sites, like I explained. Even though it's a bridge, it needs to have allow permissions; otherwise the traffic is not allowed.

    Then you wouldn't need the NAT rule.



  • Hi,

    Yep sure, I probably didn't explain that I have the rules above combined in one. Is this not effectively the same?

    Thanks for your help!


    *Red marked out is the WLAN location B.

  • And you have internal -> Internal -> Allow on both Sophos devices?

    That's a little strange, since it should then normally work. Maybe someone else has a suggestion, otherwise you could make a support case about this.


