Sophos XG Firewall on Voyager fibre issues

Forums › Voyager › Sophos XG Firewall on Voyager fibre issues

dannybhoi

3 posts

Wannabe Geek

#310461 21-Oct-2023 15:35

Hi people,

I have been trying to get a Sophos Firewall working at home with my Voyager fibre connection but I'm getting weird issues with some websites and services not working at all, and I think it's a bit slower than what it should be.

Usually I'm using a Mikrotik RB4011 as the router/gateway and that works great with the Voyager fibre, but just wanting to use Sophos for the UTM capabilities you get free with the home edition.

With I'm using the Sophos, the WAN interface of the firewall has the VLAN 10 interface on it with the PPPOE creds and there seems to be an issue with traffic getting misidentified or something as lots of invalid traffic showing in the logs.

I have just tested having the Sophos running as a gateway firewall behind the mikrotik routers network so that the WAN interface is not having to do the VLAN (because this is done on the mikrotik instead) and is just a DHCP client, and then everything works flawlessly from a computer that's connected on the LAN side of the sophos.

Does anyone who knows Voyager and maybe Sophos and have any idea on how to fix, or could try help me?

Im using the latest Sophos 19.5 MR3 installed on bare metal computer that has an intel i350-T4 card

VygrNetworkMonkey

180 posts

Master Geek

Trusted

Voyager

Lifetime subscriber

#3150824 21-Oct-2023 16:06

Heya @dannybhoi

I’m not overly familiar with Sophos, but the symptoms you are describing sound a lot like MTU/MSS issues.
It’s very common for CDN based sites, either directly, or for assets to fail loading when theses are set incorrectly.

Make sure you have your Sophos using the right MTU (1492), and the TCP-MSS set to 1452.
If you are using IPv6, lower the TCP-MSS to 1432 for the v6 traffic - as it has up to 20bytes additional overhead.

Voyager Internet - Network Monkey

dannybhoi

3 posts

Wannabe Geek

#3150834 21-Oct-2023 16:53

I have found other mentions of this online (particularly on Sophos forums) and it does sound like the issue I'm experiencing, but I can't set the MTU or MSS on a VLAN interface, or on the physical underlying interface either.

I can see that it's using the wrong MTU and MSS on the underlying interface.

I think it's possible to change from the underlying OS (linux based) but this would be lost on reboot.

In this below screenshot, you can see i am trying to tab complete the available console commands, and I'm unable to choose the physical interface that has the fibre vlan 10 on it, if that interface did not have the vlan on it then i would be able to choose it.

RunningMan

8913 posts

Uber Geek

#3150836 21-Oct-2023 17:06

Try the PPPoE interface, not the physical port or the VLAN.

dannybhoi

3 posts

Wannabe Geek

#3150851 21-Oct-2023 18:22

Well i found a workaround as i was having issues setting the MTU and MSS on Sophos ports.

in case anyone else finds this and needs help,

The configuration that doesn't work is setting your physical ethernet interface to be unbound (network zone = none), then adding a new VLAN on top which contains the PPPOE configuration. I was unable to set the MTU on either the vlan or physical interface.

You have to configure this another way; the WAN is set to WAN zone and then the use the IPv4 set as PPPOE (DSL) - which is weird.
Then you can set the PPPOE and VLAN and the MSS is already set at 1452 without having to change anything else for MTU or MSS