Nebula NCC blocked by firewall
All Replies
-
Hi @GiuseppeR ,
When that DHCP Server Guard was enabled (green switch) it was impossible to get an IP from Sophos firewall.
From your description, we understand your sequence of events was as follows:
- The Switch connected to the Fritzbox router was able to get an IP address and connect to Nebula
- The DHCP Server Guard feature was enabled
- The Switch was unplugged from the Fritzbox router and connected to the Sophos firewall
- The Switch was unable to get an IP from the Sophos firewall
- The DHCP Server Guard feature was disabled
- The Switch was then able to get an IP from the Sophos firewall
This behavior aligns with the DHCP Server Guard feature specification we mentioned earlier. In summary, the initial DHCP server (Fritzbox router) assigned an IP to your switch before it connected to the Sophos firewall, which prevented the switch from obtaining an IP from the Sophos firewall while DHCP Server Guard was enabled.
Now the switch gets the IP in DHCP, but it has blocked ports:
The Cloud Management screen indicates that TCP ports 4335 and 6667 are blocked.
To verify this, connect your PC directly to the Sophos firewall and test connectivity to TCP ports 4335 and 6667. This will confirm whether these ports are blocked in your network.
0 -
Hello @Zyxel_Judy
please let me me update the numbered list:
- The Switch connected to Zyxel lab inside my Company and it was able to get the IP with DHCP Guard active
- The Switch unplugged and connected to a mobile router 5G on the table of the client organization to check it before mounting inside the rack, anyway the switch was able to change its IP with DHCP Guard active
- The Switch was connected to Sophos with DHCP Guard active and it was unreachable, neither it had any IP (0.0.0.0 inside Sophos table)
- The Switch was working onsite as a switch (LAN, VLANs) but with zero Nebula/onpremise monitoring/management
- The Switch connected to the Fritzbox router was able to get an IP address and connect to Nebula with still having DHCP Guard active
- The DHCP Server Guard feature was disabled via Nebula because I wanted to test its compatibility with Sophos
- The Switch was unplugged from the Fritzbox router and connected to the Sophos firewall
- The Switch was able to get a dynamic IP from the Sophos firewall
- The Switch was then able to be managed onpremise and then unlocked right ports to link to Nebula
Considering this behaviour I think that something is not compatible between DHCP Guard and Sophos
0 -
With DHCP Guard you need to set a port where DHCP is Trusted
0 -
Never used it:
Neither I see where to tell Nebula that DHCP is coming ONLY on port 20 out of 48 to be used for uplink and DHCP server
0 -
Hi @GiuseppeR ,
Based on our lab testing, there are two ways to let your Fritzbox (or any routers) to obtain an IP address when the DHCP Server Guard feature is enabled on Nebula and it's not the first DHCP server connected to your switch:
- The DHCP server configuration of your Fritzbox router is identical to that of the mobile router. With the same subnet of two DHCP server, the switch can get the IP when connect to the second router.
- The network to be without any DHCP server for over 5 minutes. The DHCP Server Guard feature will time out after this period.
We believe that if the Sophos DHCP server configuration matches the mobile router's configuration, or if you wait more than 5 minutes between disconnecting the switch from the initial router and connecting it to Sophos, the switch should successfully obtain an IP address even with DHCP Server Guard enabled.
0 -
Hello @Zyxel_Judy
I had not tried to use the same subnet on mobile router (the one put on the table of the client, before installing the switch inside rack) matching the one on the Sophos, so I don't know if that is working.
Anyway active DHCP Guard had no problems going through my lab, the mobile router and the Fritzbox: all them had different subnets and the switch went on Nebula in short time.
I think it's something related to Sophos config, but I have no password to check it.
To give you more details as possible I can tell you that from the time when I switched off the switch to the end of its installation inside rack, including re-cabling the patch panel above it, I think that 30-40 minutes were gone.
It could be useful to perform some tests inside client's network?
I can plug in a PC to execute network tests if you need infos about Sophos config, I have free ports where to plug that PC:
As you can see something inside that Sophos config is disturbing smooth operations on that switch:
I'm at your disposal, best regards
0
Zyxel Employee
Master Member
Guru Member
Categories
- All Categories
- 426 Beta Program
- 2.6K Nebula
- 163 Nebula Ideas
- 112 Nebula Status and Incidents
- 6K Security
- 345 USG FLEX H Series
- 288 Security Ideas
- 1.5K Switch
- 78 Switch Ideas
- 1.2K Wireless
- 42 Wireless Ideas
- 6.6K Consumer Product
- 261 Service & License
- 404 News and Release
- 86 Security Advisories
- 31 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.8K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 82 Security Highlight
