Sophos XG Firewall Windows DHCP Server not getting IP Addresses

I recently set up Sophos XG Firewall in my Home Lab and set up VLANs, firewall rules, DHCP relays pointing to my Windows DHCP Server, etc. The whole 9 yards. After I had everything working, I decided to add in the rest of my VLANs and create relays so they all worked without a hitch. After doing this, something that should not have affected the other already-working VLANs, nothing was getting DHCP addresses. Not even the ones that were working before.

I spent MANY hours trying to figure out why. I tried changing all of my firewall rules to any-any, etc. Nothing was working. After looking in the logs, I noticed this:

Firewallmessageid="02002" log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="0" policy_type="0" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" in_interface="Port1.21" out_interface="" src_mac="68:b5:99:6f:b5:fe" src_ip="10.124.216.41" src_country="" dst_ip="10.124.219.254" dst_country="" protocol="UDP" src_port="67" dst_port="67" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature"

I was being blocked by firewall rule 0 under Appliance Access, logged as Denied. But why? It shouldn’t have been a firewall rule blocking it, because I had put in an Any-Any rule. I tried changing everything. But it came down to one.. simple.. thing.. Here is my setup so you can understand the issue.

The Setup

  • VLAN 110 – 192.168.0.0/24 – Networking equipment
    • Sophos XG Firewall – IP 192.168.0.5
  • VLAN 111 – 192.168.1.0/24 – Servers
    • Windows AD/DNS/DHCP Server – 192.168.1.10
  • VLAN 112 – 192.168.2.0/24 Clients (No IP address)
    • Laptop
    • Cellphone

In Windows DHCP, I set up DHCP subnets for all three VLANs. Then in Sophos, I set up a DHCP relay for just the Clients VLAN.

It worked! I was getting IP addresses assigned to the Clients.

The Issue

Then I decided to set up VLANs for every subnet and made quite a few other changes to get it to that perfect lab I was hoping for. I looked up and noticed all my Chromecasts were saying they couldn’t get an IP. I checked and sure enough, it was no longer dishing out IP addresses.

The Resolution

After much trial and error, I found that putting a DHCP relay on the subnet the DHCP server was on was causing all the DHCP requests to fail.

Someone may have a better understanding of it and can explain it better in the comments, but my assumption is this: when the DHCP request goes out, it gets blasted to the entire VLAN on UDP ports 67/68 in search of a DHCP server. The gateway at 192.168.2.1 forwards this to the 192.168.1.0/24 VLAN, receives the response on that subnet, and blasts it back out to the requesting VLAN.

If you put in a DHCP relay on the same subnet as the DHCP server, then when it tries to “blast” the response back, the gateway takes that response and tries to re-blast it in the same subnet. This causes a malformed loop and causes the request to fail. Thus removing the DHCP relay on the VLAN the DHCP server is in should fix this.
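As an added example (not from the original post), here is a small Python script that parses Sophos XG key="value" firewall log lines like the one quoted above, flags the relayed-DHCP (UDP 67 to 67) denials, and checks a VLAN/relay layout for the relay-on-the-server-subnet mistake described here. The VLAN names and the second log line are constructed for illustration.

```python
import ipaddress
import re

# Sophos XG writes firewall events as space-separated key="value" pairs.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_sophos_log(line):
    """Parse one Sophos XG key="value" log line into a dict."""
    return dict(KV_RE.findall(line))

def is_denied_dhcp_relay(event):
    """True when relayed DHCP traffic was dropped by the appliance itself.

    A client broadcast arrives as UDP 68 -> 67; traffic a relay agent
    forwards to the server (and the server's reply to the relay) is
    UDP 67 -> 67. A 'Denied' Appliance Access event with fw_rule_id 0
    means no user-created rule matched that relay hop.
    """
    return (event.get("protocol") == "UDP"
            and event.get("src_port") == "67"
            and event.get("dst_port") == "67"
            and event.get("status") == "Deny"
            and event.get("log_component") == "Appliance Access"
            and event.get("fw_rule_id") == "0")

def relays_on_server_subnet(vlans, relay_vlans, dhcp_server):
    """Return VLAN names that relay DHCP on the DHCP server's own subnet.

    vlans maps VLAN name -> subnet; relay_vlans is the set of VLANs with a
    DHCP relay configured. The post's fix is to remove exactly these relays.
    """
    server = ipaddress.ip_address(dhcp_server)
    return sorted(name for name in relay_vlans
                  if server in ipaddress.ip_network(vlans[name]))

# The denied event quoted in the post, trimmed to the relevant fields.
DENIED_LINE = ('log_type="Firewall" log_component="Appliance Access" '
               'log_subtype="Denied" status="Deny" fw_rule_id="0" '
               'in_interface="Port1.21" src_ip="10.124.216.41" '
               'dst_ip="10.124.219.254" protocol="UDP" src_port="67" dst_port="67"')
# Constructed: an ordinary client DISCOVER that a user rule allowed.
ALLOWED_LINE = ('log_type="Firewall" log_component="Firewall Rule" '
                'log_subtype="Allowed" status="Allow" fw_rule_id="3" '
                'in_interface="Port1.112" src_ip="0.0.0.0" dst_ip="255.255.255.255" '
                'protocol="UDP" src_port="68" dst_port="67"')
# The lab from the post (VLAN names are constructed labels).
LAB_VLANS = {"VLAN110": "192.168.0.0/24", "VLAN111": "192.168.1.0/24",
             "VLAN112": "192.168.2.0/24"}

if __name__ == "__main__":
    for line in (DENIED_LINE, ALLOWED_LINE):
        ev = parse_sophos_log(line)
        print(ev["in_interface"], "denied relay hop:", is_denied_dhcp_relay(ev))
    print("remove relay on:",
          relays_on_server_subnet(LAB_VLANS, {"VLAN111", "VLAN112"}, "192.168.1.10"))
```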

Please let me know if you have a better understanding of the cause or if this helps you!

Change Default SSH Port Number


By default, SSH runs on port 22, and most automated scripts brute-force that port to attempt to gain access to your server. One way to stop script kiddies from brute-forcing your SSH server so often is to change the default port that OpenSSH uses. You must remember this port number and change all your connections that use SSH to the new port number. Continue reading “Change Default SSH Port Number”

Automatically backup pictures on Android With OneDrive


The past few days I have been getting calls regarding people’s phones not working right. The number one worry – I need my pictures. The way a phone’s internal storage works, if the phone will not come on, there is not much of a way to recover your pictures if they are not on an SD Card. Which leaves the question of how do I keep from losing my pictures if my phone quits working? The answer – cloud storage. Continue reading “Automatically backup pictures on Android With OneDrive”

Disable UAC Prompts

Back when Windows Vista came out, Microsoft introduced User Account Control (or UAC). UAC is Microsoft’s response to Ubuntu’s sudo command, which must be used to run a command as admin. It has since had many iterations and updates, and despite all the security positives of having it turned on, some people choose to turn it off. If you are wondering how to turn it off, then follow the steps below. These steps will work for Windows Vista, 7, 8, 8.1, and 10. Continue reading “Disable UAC Prompts”

Disable The Clutter Folder

Microsoft decided it would be a good idea to start moving some of your mail to a separate folder. Do you know how they announced it? They put an email in the Clutter folder saying “Welcome To Clutter”. They put it in a folder that you have never seen before? Yeah, who is going to see that? Here is how you disable it!

Continue reading “Disable The Clutter Folder”

Turn Windows Firewall Off or On By Command Line Or Script

I have run into a few times when I needed to turn off or on the Windows Firewall via command line or script. It is actually very simple to do!

To Turn Off:
NetSh Advfirewall set allprofiles state off

To Turn On:
NetSh Advfirewall set allprofiles state on

To check the status of Windows Firewall:
Netsh Advfirewall show allprofiles

You can replace “allprofiles” with public, domain, or private to manipulate just that one profile. I used this in creating a script to test the firewall settings of a remote server. That way, if I messed up the config, it would turn itself back off after a minute and I was able to reconnect to it. You can view that script in my other post, Testing Windows Firewall Settings Safely From Remote Machine.

Testing Windows Firewall Settings Safely From Remote Machine

A while back I got myself a crisp new Windows Server. By default, the Firewall was turned off and of course I wanted to turn it on for security reasons. But what happens if I lose my connection to a server a few hundred miles away? How would I disable the firewall if I can’t connect to it anymore? I decided to write a script!

The function of the script is to enable the firewall for the public profile, wait 2 minutes, then disable it again. Here is my script:

@echo off
rem Turn the public profile on so its rules can be tested
Netsh Advfirewall set public state on
rem Wait 120 seconds; if the connection survives, the rules are safe
timeout 120
rem Turn the public profile back off so a bad rule cannot lock you out
Netsh Advfirewall set public state off

Save those lines as a batch file, then run it as Administrator. Keep in mind to use this at your own risk! It saved me, but you never know about you! An explanation of the commands can be found in my other post, Turn Windows Firewall Off or On By Command Line Or Script.