
Problem with the communication between default VLAN and custom VLANs

We recently got our SG230 and now I am stuck with the VLAN configuration. My problem is as follows:

We have a default VLAN1 and two additional custom VLANs 2 and 3.

Configuration from the switch side:

Port01: VLAN1 Untagged

Port02: VLAN2 Tagged, VLAN3 Tagged

Links:

Port01 --- Eth0

Port02 --- Eth4

Configuration on the Sophos side:

Eth0: Ethernet static

Eth4: Ethernet VLAN 2 static, Ethernet VLAN 3 static

Firewall rules:

Source                 Service        Destination
VLAN1, VLAN2, VLAN3    Web Surfing    Internet IPv4
VLAN1                  any            VLAN2, VLAN3
VLAN2, VLAN3           any            VLAN1
VLAN2, VLAN3           any            VLAN2, VLAN3

I can access the Internet from all VLANs. Communication between VLAN2 and VLAN3 works, as expected. The problem is the communication between VLAN1 and VLAN2/3. Being on VLAN2/3 I cannot access anything on VLAN 1 except with HTTP/S and vice versa. If I remove VLAN2/3 from "Web Protection/Web Filtering/Allowed Networks" then even HTTP/S is blocked.

So despite my firewall rules, only HTTP/S is allowed between VLAN1 and VLAN2/3 and vice versa, thanks to the Web Filtering.

Am I missing something? Any help is appreciated.



  • Hi, and welcome to the UTM Community!

    VLAN 1 is reserved in WebAdmin for Wireless Security, and it is not the same as untagged.  'Type: Ethernet' is untagged.  All 'Type: Ethernet VLAN' interface definitions handle tagged traffic.

    Is your UTM happier when you change that tag from 1 to something else or you change the interface definition to 'Type: Ethernet'?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
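The distinction Bob draws above (a 'Type: Ethernet' definition receives untagged frames, a 'Type: Ethernet VLAN' definition receives frames tagged with its VID, and a frame tagged VID 1 is not the same thing as an untagged frame) is easy to see on the wire. The following is an added example, not code from the thread or from Sophos: it builds a few constructed Ethernet frames with and without an 802.1Q tag, classifies them, and simulates which interface definition on a physical port would pick each one up. The `dispatch` model and the `check_definitions` warning for VID 1 are assumptions that encode Bob's description, not documented UTM behaviour.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build a minimal Ethernet frame; insert an 802.1Q tag when vid is given."""
    hdr = dst + src
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)  # 3-bit PCP, 1-bit DEI (0), 12-bit VID
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def classify(frame):
    """Return ("untagged", None) or ("tagged", vid) for a raw frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("802.1Q TPID present but tag truncated")
        tci = struct.unpack("!H", frame[14:16])[0]
        return ("tagged", tci & 0x0FFF)
    return ("untagged", None)


def dispatch(frame, definitions):
    """Assumed model of which interface definition on one physical port
    receives a frame. definitions: list of (name, type, vid) where type is
    "Ethernet" (untagged) or "Ethernet VLAN" (tagged with vid)."""
    kind, vid = classify(frame)
    for name, dtype, tag in definitions:
        if dtype == "Ethernet" and kind == "untagged":
            return name
        if dtype == "Ethernet VLAN" and kind == "tagged" and tag == vid:
            return name
    return None  # no definition matches: frame is dropped


def check_definitions(definitions):
    """Warn about a VLAN definition using VID 1, which the thread says is
    reserved for Wireless Security in WebAdmin (assumption based on the post)."""
    warnings = []
    for name, dtype, tag in definitions:
        if dtype == "Ethernet VLAN" and tag == 1:
            warnings.append(f"{name}: VID 1 is reserved; use Type 'Ethernet' "
                            f"for untagged traffic or pick another VID")
    return warnings


# Constructed sample addresses and payload (not captured traffic).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("001122334455")
ARP = 0x0806
PAYLOAD = b"\x00" * 28

# Port02 --- Eth4 in the thread: two tagged definitions, nothing untagged.
ETH4_DEFS = [("Eth4 VLAN2", "Ethernet VLAN", 2), ("Eth4 VLAN3", "Ethernet VLAN", 3)]
# Port01 --- Eth0: a single untagged definition.
ETH0_DEFS = [("Eth0", "Ethernet", None)]
# A misconfiguration of the kind Bob describes: VID 1 defined as a VLAN interface.
BAD_DEFS = [("Eth0 VLAN1", "Ethernet VLAN", 1)]


def demo():
    """Return a mapping of scenario -> receiving definition (or None)."""
    untagged = build_frame(DST, SRC, ARP, PAYLOAD)
    tagged1 = build_frame(DST, SRC, ARP, PAYLOAD, vid=1)
    tagged2 = build_frame(DST, SRC, ARP, PAYLOAD, vid=2)
    return {
        "untagged on Eth0": dispatch(untagged, ETH0_DEFS),
        "tagged VID 1 on Eth0": dispatch(tagged1, ETH0_DEFS),
        "untagged on Eth4": dispatch(untagged, ETH4_DEFS),
        "tagged VID 2 on Eth4": dispatch(tagged2, ETH4_DEFS),
    }


if __name__ == "__main__":
    for scenario, target in demo().items():
        print(f"{scenario:>22}: {target}")
    for w in check_definitions(BAD_DEFS):
        print("warning:", w)
```

The point the output makes: the same broadcast frame reaches `Eth0` only when it arrives untagged, and a copy tagged with VID 1 matches nothing on that port, which is why the switch side (untagged on Port01) and the UTM side ('Type: Ethernet') have to agree rather than both loosely saying "VLAN 1".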
  • Hi Bob, thanks.

    Is your UTM happier when you change that tag from 1 to something else or you change the interface definition to 'Type: Ethernet'?


    Do you mean that I could change VLAN1 to something else in my switch configuration or change it to something else for the Wireless Security in WebAdmin? Btw. is it possible to reserve some other VLAN for Wireless Security and if so, how?

    With my other VLANs I have a total of 5. If I change those to "Ethernet" then I need one physical interface for each, am I right?  That would be not enough interfaces for us, therefore the only option is to change VLAN1 to something else.

    Wireless Security in WebAdmin uses VLAN 1 to communicate with Sophos Wireless Access Points, so you cannot use VLAN 1 for anything else. The only definition you need to change is the Interface defined with VLAN 1 at present; the others are fine. You can change the definition to "Ethernet" or change the VLAN tag to something other than 1. Yes, in either case, you will need to change your switch configuration.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Well, if it is the only way, I have to do it.

    Thanks for the advice.