Sophos XG Firewall Windows DHCP Server not getting IP Addresses

I recently set up Sophos XG Firewall in my home lab and set up VLANs, firewall rules, DHCP relays pointing to my Windows DHCP server, etc. The whole nine yards. After I had everything working, I decided to add in the rest of my VLANs and create relays so they all worked without a hitch. After doing this, something that should not have affected the already working VLANs, nothing was getting DHCP addresses. Not even the ones that were working before.

I spent MANY hours trying to figure out why. I tried changing all of my firewall rules to any-any, etc. Nothing was working. After looking in the logs, I noticed this:

Firewallmessageid="02002" log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="0" policy_type="0" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" in_interface="Port1.21" out_interface="" src_mac="68:b5:99:6f:b5:fe" src_ip="10.124.216.41" src_country="" dst_ip="10.124.219.254" dst_country="" protocol="UDP" src_port="67" dst_port="67" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature"

I was getting blocked by firewall rule 0 under Appliance Access as Denied. But why? A – it shouldn’t be a firewall rule blocking it, because I had put in an Any-Any rule. I tried changing everything. But it came down to one.. simple.. thing.. Here is my setup so you can understand the issue.

The Setup

  • VLAN 110 – 192.168.0.0/24 – Networking equipment
    • Sophos XG Firewall – IP 192.168.0.5
  • VLAN 111 – 192.168.1.0/24 – Servers
    • Windows AD/DNS/DHCP Server – 192.168.1.10
  • VLAN 112 – 192.168.2.0/24 – Clients (No IP address)
    • Laptop
    • Cellphone

In Windows DHCP, I set up DHCP subnets for all three VLANs. Then in Sophos, I set up a DHCP relay for just the Clients VLAN.

It worked! I was getting IP addresses assigned to the Clients.

The Issue

Then I decided to set up VLANs for every subnet and made quite a few other changes to get to that perfect lab I was hoping for. I looked up and noticed all my Chromecasts were saying they couldn’t get an IP. I checked and sure enough, it was no longer dishing out IP addresses.

The Resolution

After much trial and error, I found that putting a DHCP relay on the subnet the DHCP server was on was causing all the DHCP requests to fail.

Someone may have a better understanding of it and can explain better in the comments, but my assumption is this: when the DHCP request goes out, it gets blasted to the entire VLAN on UDP ports 67/68 in search of a DHCP server. The gateway at 192.168.2.1 forwards this to the 192.168.1.0/24 VLAN, receives the response on that subnet, and blasts that back out to the requesting VLAN.

If you put a DHCP relay on the same subnet as the DHCP server, then when it tries to “blast” the response back, the gateway takes that request and tries to re-blast it in the same subnet. This causes a malformed loop and causes the request to fail. Thus removing the DHCP relay on the VLAN the DHCP server is in should fix this.
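To make the troubleshooting above repeatable, here is an added example (not code from the original post) that parses the Sophos XG log line quoted earlier, flags it as DHCP traffic dropped by the appliance itself rather than by a user firewall rule, and then lints a DHCP relay table for the exact mistake the resolution describes: a relay configured on the VLAN the DHCP server lives in. The relay table, its field names and the Port1.1xx interface names are constructed for this example from “The Setup”; Sophos does not expose its config in this form.

```python
"""Added example, not code from the original post: parse the quoted Sophos XG
log line, flag it as DHCP traffic dropped by the appliance itself, and lint a
DHCP relay table for a relay sitting on the DHCP server's own VLAN.
The relay table, its field names and the Port1.1xx interface names are
constructed for this example; Sophos' own config is not exposed this way."""
import ipaddress
import re

# Sophos XG writes events as space-separated key="value" pairs; values may be empty.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# The log line from the post, copied verbatim.
SAMPLE_LOG = (
    'Firewallmessageid="02002" log_type="Firewall" log_component="Appliance Access" '
    'log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="0" policy_type="0" '
    'user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" '
    'app_name="" app_risk="0" app_technology="" app_category="" in_interface="Port1.21" '
    'out_interface="" src_mac="68:b5:99:6f:b5:fe" src_ip="10.124.216.41" src_country="" '
    'dst_ip="10.124.219.254" dst_country="" protocol="UDP" src_port="67" dst_port="67" '
    'packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" '
    'src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" '
    'src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" '
    'con_id="" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature"'
)


def parse_sophos_log(line):
    """Turn one key="value" event line into a dict (a repeated key keeps its last value)."""
    return dict(KV_RE.findall(line))


def classify_dhcp_ports(event):
    """Name the DHCP leg by its UDP port pair (RFC 2131 / RFC 1542 conventions):
    clients send 68->67, servers answer clients 67->68, and relay-agent <-> server
    traffic uses port 67 on both ends. The post's dropped packet is the last kind."""
    pair = (event.get("src_port"), event.get("dst_port"))
    return {
        ("68", "67"): "client request",
        ("67", "68"): "server reply to client",
        ("67", "67"): "relay/server exchange",
    }.get(pair, "not DHCP")


def is_denied_dhcp(event):
    """True when the appliance dropped a DHCP packet under Appliance Access with
    fw_rule_id 0, i.e. no user firewall rule was involved, which is why the
    post's any-any rule changed nothing."""
    return (
        event.get("log_subtype") == "Denied"
        and event.get("log_component") == "Appliance Access"
        and event.get("fw_rule_id") == "0"
        and event.get("protocol") == "UDP"
        and classify_dhcp_ports(event) != "not DHCP"
    )


# Constructed relay tables built from the VLANs in "The Setup"; interface names are made up.
BROKEN_RELAYS = [
    {"interface": "Port1.110", "subnet": "192.168.0.0/24"},
    {"interface": "Port1.111", "subnet": "192.168.1.0/24"},  # the DHCP server's own VLAN
    {"interface": "Port1.112", "subnet": "192.168.2.0/24"},
]
FIXED_RELAYS = [r for r in BROKEN_RELAYS if r["interface"] != "Port1.111"]


def find_relay_on_server_subnet(relays, dhcp_server_ip):
    """Return the interfaces whose relay points back into the subnet the DHCP
    server already sits on; the post's fix is to delete exactly these relays."""
    server = ipaddress.ip_address(dhcp_server_ip)
    return [
        r["interface"]
        for r in relays
        if server in ipaddress.ip_network(r["subnet"], strict=False)
    ]


if __name__ == "__main__":
    event = parse_sophos_log(SAMPLE_LOG)
    print(
        f'{event["in_interface"]}: {classify_dhcp_ports(event)} '
        f'{event["src_ip"]}:{event["src_port"]} -> {event["dst_ip"]}:{event["dst_port"]} '
        f'denied_dhcp={is_denied_dhcp(event)}'
    )
    print("relays to remove:", find_relay_on_server_subnet(BROKEN_RELAYS, "192.168.1.10"))
    print("after fix:", find_relay_on_server_subnet(FIXED_RELAYS, "192.168.1.10"))
```

Run it as-is to see the quoted event classified as a relay/server exchange and the relay on 192.168.1.0/24 singled out for removal; pointing `parse_sophos_log` at a whole exported log and filtering with `is_denied_dhcp` gives the same triage over real data.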

Please let me know if you have a better understanding of the cause or if this helps you!

Change Default SSH Port Number


By default, SSH runs on port 22, and most scripts attack that port by brute force to attempt to gain access to your server. One way to stop script kiddies from brute forcing your SSH server so often is to change the default port that OpenSSH uses. You must remember this port number and change all your connections that use SSH to the new port number.

Turn Windows Firewall Off or On By Command Line Or Script

I have run into a few times when I needed to turn off or on the Windows Firewall via command line or script. It is actually very simple to do!

To Turn Off:
NetSh Advfirewall set allprofiles state off

To Turn On:
NetSh Advfirewall set allprofiles state on

To check the status of Windows Firewall:
Netsh Advfirewall show allprofiles

You can replace “allprofiles” with public, domain, or private and you can manipulate just that one profile. I used this in creating a script to test the firewall settings of a remote server. That way if I messed up the config, it would turn itself back off after a minute and I was able to reconnect to it. You can view that script on my other post Testing Windows Firewall Settings Safely From Remote Machine.

Testing Windows Firewall Settings Safely From Remote Machine

A while back I got myself a crisp new Windows Server. By default, the Firewall was turned off and of course I wanted to turn it on for security reasons. But what happens if I lose my connection to a server a few hundred miles away? How would I disable the firewall if I can’t connect to it anymore? I decided to write a script!

The function of the script is to enable the firewall for the public internet, wait 2 minutes, then disable it again. Here is my script:

@echo off
REM Enable the firewall for the public profile only
Netsh Advfirewall set public state on
REM Wait 120 seconds; if the new settings cut the remote session, the next line still runs
timeout 120
REM Roll back so the server is reachable again even if the rules were wrong
Netsh Advfirewall set public state off

Save those lines as a batch file, then run it as Administrator. Keep in mind to use this at your own risk! It saved me, but you never know! An explanation of the commands can be found on my other post Turn Windows Firewall Off or On By Command Line Or Script.

New Free SSL Certification Authority


I have been with my host for a couple of years now. Their service used to be blazing fast, but I have noticed over time they have begun to slow down. Why am I still here? Because they offer free unlimited SSL certs. Yep – that’s the only reason.

I have come to find that there are many people at work, in the public, and other places constantly sniffing my internet traffic, so I secure ALL my sites. However, a new dog is coming to play – the Internet Security Research Group (ISRG) is starting a free certificate authority known as Let’s Encrypt. With this new CA, they promise to be as secure as the big dogs, but offer automated scripts to secure your site and keep all certs up to date – automatically.

There has got to be a catch, right? I mean, where do they get their money from? They are backed by some of the world’s largest internet foundations such as Mozilla, Cisco, Automattic, and many others, and are accepting individual donations.

You can find their main homepage Here, and they have created a community forum, which you can visit here. They are currently scheduled to release to the public sometime in the last quarter of 2015.

I am eagerly waiting – if you hear of them opening up sooner, let me know in the comment section below!

Kaspersky Realtime Cyber Threat Map Updated

Kaspersky Live Threat Cyber Map interface updated with new Demo Mode

Kaspersky has done it yet again – made the best IT department dashboard better. If you have ever seen Kaspersky’s live cyber threat map, then you know how great of a tool it is to use to impress people walking by your IT department. Oh the joy of watching an accounting VP come down and try to explain what it is to someone else! 🙂

With the new updated map, the interface looks better, cleaner, has cool smoke effects and has a few new features, one of them being the Demo Mode. In demo mode, it shows you stats of random countries in boxes that appear like something you would see in a movie, and the best part is the fly-by.

While you are watching all the different lines jolt through the world, all of a sudden you see the camera get sucked into one of the pipes that shows the transmission of viruses, and the camera follows it. When you hit the ground, you start flying by the landscape (usually in a valley between two mountains) looking at the pipes from ground level. See the below images for screenshots of the new and updated cyber threat real-time map, or try it for yourself below.

https://cybermap.kaspersky.com/

Did I mention the screen saver that they now offer?!?

Kaspersky Cyberthreat flying by ground

Kaspersky Cyberthreat flying in pipes

Your own IPSEC VPN in about 3 minutes using Digital Ocean

I have been wanting to set up my own IPSEC VPN for a while now to have a little bit of encryption from my network to the internet. I found a good hosting provider for the VPN because it is so cheap ($5.00 a month) – Digital Ocean; then I realized that they only charge by the hour as long as you destroy the VPS. The VPN took about 30 minutes to set up. After a few times, I realized that I could turn this into a quick script. So now I can set up a VPS with a secure VPN in about two minutes, destroy it when I am done, and only get charged a few pennies for having it. Here is how I do it. Please keep in mind that this has no warranty – if it melts down your server, sorry – but it hasn’t melted mine down yet!
