[Solved] Issues With XCP-NG and Virtual Firewall

Software & Web Applications
1

Background

I’m brand new to XCP-NG and I’m having a couple of issues running a virtual firewall (Sophos Firewall with a home license in this case) on top of a new XCP-NG server I just set up. The hardware I’m running on is the Qotom Q20332G9-S10. Ethernet configuration is as follows:

  • eth4 - LAN port that XCP-NG should pull an IP from, attaches to a Unifi switch
  • eth5 - WAN port, attaches to my ONT
  • eth6 - LAN port, attaches to my eero mesh WiFi
  • eth8 - XCP-NG management interface, attaches to the same switch as eth4
  • eth0-3 and eth7 - currently unused

I will list my two issues below. Any insight that can be given into either of them will be very much appreciated.

Issue No. 1:

I don’t know anything about Xen networking, but my understanding is that xebr5 is the bare-metal interface that eth5 gets mapped to. My issue is that both interfaces are pulling an IP from my ISP. eth5 pulling an IP isn’t concerning as this is the firewall’s WAN interface. xebr5 pulling an IP from my ISP is a problem, especially since the XCP-NG server is now accessible from the internet thanks to this issue.

Issue No. 2:

In order to even get the XCP-NG host running my virtual firewall to pull an IP address via DHCP, I had to attach a monitor and keyboard to use the dhclient command via the shell to manually refresh xebr8. This got the management interface to pull an IP, which showed up as expected on the host’s Status Display screen. The issue is that I cannot communicate with the host via this IP. I can’t ping to or from the host.

Note: I plan to set a static IP on the host at a later time. Don’t @ me.

I don’t think the issue is my switch config. While I plan to use VLANs later, I’m currently not using any. In addition, the other two XCP-NG hosts I set up are working fine. One of them is running XO, which I can log into and which has no issues communicating with the two hosts. The XO VM and the two XCP-NG hosts are all on the same LAN as the host I’m having issues with.

2

I have never tried Sophos in XCP-NG but think of each interface in XCP-NG as a switch that you can connect all the VM’s to. But these interfaces are also a switch that the XCP-NG host can use as well. For a WAN interface you would want to make sure each XCP-NG is set none as the mode for that interface so that the XCP-NG host does not try to get an IP address. Then use that interface in, in your case eth5, to attach to the WAN port and what ever internal name that Sophos assigns to it.

At the 7:25 mark I discuss XCP-NG Networking concepts

3

Gotcha. I’ve found how to do that via Xen Orchestra, but due to Issue No. 2, that isn’t possible right now because Xen Orchestra can’t communicate with the host. I’ve done a lot of googling and I haven’t yet found a way to do this via the CLI. Going to shift my focus to solving Issue No. 2 and then circle back once Xen Orchestra can communicate with the host.

4

After trying everything I rebooted the host and both issues resolved themselves. If I do an ip --brief address in the shell on the host, the only interface with an IP is xenbr8, which is my management interface. The host is completely reachable on my LAN and is now inside Xen Orchestra.