Finally received a gen3 XG-135 but I can't get it to work properly -- it looks like the WAN and LAN ports are bridged and my network devices request public IPs from ISP when I plug it in.
I wonder if there's a switch which needs to be configured?
PS. Just like on rev1 and rev2 Sophos devices I have ports eth0 and eth2-7 listed for LAN and port eth1 for WAN (as per marking on the case). How can I test which port in OpenWrt corresponds to which physical port on device? Maybe the numbering is messed up?
I haven't worked with this specific model and revision, so let me first hazard a guess and then propose a course of action independent from that guess.
(The paragraphs below have been edited; the original version incorrectly used port labeling from SG 125 Rev 2)
The guess: Right now, the WAN port is most likely the one that is labeled 6 on the device (the second port in the second group of four ports). Here's what I think is happening here. There are two four-port NICs. When OpenWrt first starts, it finds the second (from the standpoint of the stock firmware) NIC first and enumerates its ports as eth0-eth3 (on device, those are labeled 5 through 8, so port 5 becomes eth0, port 6 becomes eth1, and so on). Then it finds the first NIC and enumerates its ports as eth4-eth7 (on device, those are labeled 1 through 4).
The course of action (basically, what @frollic said, but in more words): With a console connection active (or with a monitor connected to the SG 135's video output), connect the port labeled 6 on the SG 135 to an upstream device. Watch the output on the console; there will be messages telling you that the port state has changed, including the name of the port. If my guess is correct, those messages will be about the eth1 port. If not, keep trying other ports until you find the one that OpenWrt thinks is eth1.
