
Setting up VLANs

 Good Morning, Afternoon, Evening, or Night

Is there a tutorial, which explains how to properly configure VLANs?

I wanted to separate a Network in different VLANs, some where outbound traffic is allowed, others where it isn't.

My switches are 802.1Q capable and the VLANs are set up there. Internal traffic works where expected and is blocked between devices where it should be blocked. So internally it works.

But I'm not sure how I should configure the UTM.

I added Ethernet VLAN interfaces where I chose the internal NIC eth0 (not the external WAN (eth1)). They are shown in the dashboard with state DOWN and link UP. 

Under Interfaces & Routing | Interfaces all VLANs are marked as down and do not have an IP.

Under Network Services | DHCP I can't choose the VLAN interfaces, only internal. How can I assign IPs to them?

I'd like to have a bunch of several VLANs with different firewall rules for each concerning the outbound traffic. Any help is highly appreciated. :) Thanks in advance!



  • Those are a lot of questions in one go... I'm not really sure where/what you have done so far but have you:

    Configured either a TRUNK port on your switch consisting of all VLANs needed and connected this interface to the UTM and also have this interface configured with multiple VLAN interfaces? You can create new VLAN interfaces on every physical NIC which you should do. If you have enough physical interfaces on the UTM, there's no real need to trunk VLANs, but instead you can use access ports and connect every access port to a separate UTM NIC (which in that scenario doesn't need VLANs).

    Every VLAN interface on the UTM should be setup with an IP-address either manually or dynamically. In the latter case you should have DHCP server somewhere in the LAN.

    If you don't want any inter VLAN traffic for some VLANs, then you could choose not to set a default gateway, otherwise you'll need to configure your default gateway which might be a L3-switch or the UTM (or both, but that would not be an ideal situation).

    Hope you have enough information with this, if not please ask your questions as specific as possible.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Thank you very much for your reply!

    The VLANs are set up on the switch as well. The UTM is plugged into port number 1, which is a tagged member of every VLAN and has PVID 1. On the UTM I have created VLAN Ethernet Interfaces with the same numbering (VLAN2, VLAN3,...). The UTM is the only DHCP server in this (sub)network. Do I need several DHCP servers (on the UTM) - one for each VLAN, i.e. do I have to create several DHCP servers under Network Services | DHCP? But there I can only choose the interface internal, nothing else?!

    Inter VLAN traffic seems already well prohibited by layer 2 - at least I cannot access e.g. the printer, if I do not add my workstation to the same VLAN (make it a member).

  • If everything is set up correctly you should be able to configure additional DHCP scopes (1 for every subnet).

    Are you sure you have manually configured IP-addresses on the UTM for every VLAN subnet that you want it to create a DHCP server for?

    Also make sure to have MASQ rules for every subnet that needs to connect to the Internet and for subnets that need to interconnect, you must create firewall rules to allow traffic between the subnets.


  • This is probably it! I assumed that the IPs would be associated with a VLAN ad-hoc. How can I specify IP ranges?

  • You can do so from the interfaces config: Interfaces & Routing -> Interfaces -> Edit interface and then deselect dynamic IP. This will allow you to set an IP-address and once that is set create DHCP servers for every VLAN.

    Make sure to make different subnets on each VLAN ie:

    VLAN 10: 172.16.10.1 / 255.255.255.0
    VLAN 20: 172.16.20.1 / 255.255.255.0

    and don't use VLAN 1 since it is reserved in the UTM for wireless.


  • Very well! I tried with the dynamic IP and this didn't work. But with manually assigned IPs I can create DHCP-Servers for each VLAN and devices are getting IPs. Thank you very much for your help!

    The next question is now: how should masquerading and firewall rules look like?

    I tried the following:

    #1: I created a network group (called VLANs) with all the VLANs in it

    #2: NAT | Masquerading: Network: VLANS or Internal (Network), Interface: Internal, External and the other VLANs (one rule for each)

    #3: Network Protection | Firewall: Sources: Internal and VLANs, Services: any, Destinations: VLANs and Internal (Network), Action: Allow

    But I cannot access devices in other VLANs. I thought this would be the most open settings (for testing), though even this isn't working. Any suggestions? Thanks again in advance. :)

  • I think you need to create Masquerading rules one for each VLAN (that needs to access the internet). It might work with a network group, but if you make one rule for each network, you have more visibility and you will be able to have different subnets use different public IP-addresses (given that you have multiple IP-addresses from your provider).

    See my attachment on how they should look:

    Your firewall rule should allow all interVLAN traffic between internal and the other VLANs, but did you check whether the newly created rule is actually switched on using the On/Off switch? Otherwise you may need to look in the firewall log to see what might be going on. Also are you sure all clients in the different VLANs point to the UTM as their default gateway (or have other means of knowing where to route to the other subnets)?


  • Perfect! Thank you very very much for your guidance! Now it's working as expected! :D

    A little guide for everyone with the same problem: How to set up VLANs, or The brief VLAN Tutorial:

    #1: Interfaces & Routing | Interfaces:

    • New Interface for each VLAN you want to use
      • with your desired name;
      • Type: Ethernet VLAN;
      • IPv4 address: add manually an IP-address that is not within the range of any other network
      • IPv4 Netmask: /24 standard
    • do not turn it on yet

    #2: Network Services | DHCP

    • New DHCP Server...
      • Make one for each VLAN
      • adjust the range if needed
    • Can already be started

    #3: Network Protection | NAT

    • Specify here which kind of traffic is allowed at all, even though the specific firewall rules are needed; here you can enable inter VLAN traffic, e.g.
      • VLAN_20 -> External (WAN)
      • VLAN_20 -> VLAN_90

    #4: Network Protection | Firewall

    • Create firewall rules, e.g.
      • VLAN_20 - DNS -> Any
      • VLAN_20 - Web Surfing -> any (except you're using webfiltering, see post below)
      • Internal - Network Printing -> VLAN_90
    • Create a rule for each service a specific VLAN should be allowed to use online or
    • inter VLAN, i.e. a service provided by a server in another VLAN - communication between VLANs has to be allowed as needed

    I would say this is the minimal configuration for working VLANs. From here on many things can be done, such as setting up different Web Filter Profiles, specific IPS settings, DNS-Servers for the VLANs and so on, to further increase the security or complexity of your network.
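The two planning rules that tripped up this thread (give every VLAN its own, non-overlapping subnet with a manually set UTM address, and stay away from VLAN 1) are easy to check before anything is typed into the UTM. The script below is an added example, not code from the thread or from Sophos: it takes a constructed VLAN table, validates it the way the replies above advise, and derives the per-VLAN DHCP lease range and the one-MASQ-rule-per-subnet list from the guide's steps #2 and #3. The `Vlan` class, the reserved-host count and the interface name "External" are assumptions made for the example.

```python
"""Sanity-check a per-VLAN address plan before configuring the UTM (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Vlan:
    """One 'Ethernet VLAN' interface: 802.1Q ID plus the address the UTM gets on it."""
    vid: int
    gateway: str          # the UTM's own address on this VLAN, e.g. "172.16.20.1"
    prefix: int = 24      # "/24 standard", as the guide puts it


def interface_of(v: Vlan) -> ipaddress.IPv4Interface:
    return ipaddress.IPv4Interface(f"{v.gateway}/{v.prefix}")


def validate_plan(vlans: list[Vlan]) -> list[str]:
    """Return human-readable problems; an empty list means the plan is usable."""
    problems: list[str] = []
    seen_ids: set[int] = set()
    for v in vlans:
        if v.vid == 1:
            # the thread's advice: VLAN 1 is reserved on the UTM for wireless
            problems.append("VLAN 1 is reserved on the UTM for wireless; use another ID")
        elif not 2 <= v.vid <= 4094:
            problems.append(f"VLAN {v.vid}: ID outside the 802.1Q range 2-4094")
        if v.vid in seen_ids:
            problems.append(f"VLAN {v.vid}: duplicate VLAN ID")
        seen_ids.add(v.vid)
        iface = interface_of(v)
        net = iface.network
        if iface.ip in (net.network_address, net.broadcast_address):
            problems.append(
                f"VLAN {v.vid}: {iface.ip} is the network or broadcast address, not a host"
            )
    # "make different subnets on each VLAN": every pair of subnets must be disjoint
    for a, b in combinations(vlans, 2):
        na, nb = interface_of(a).network, interface_of(b).network
        if na.overlaps(nb):
            problems.append(f"VLAN {a.vid} ({na}) overlaps VLAN {b.vid} ({nb})")
    return problems


def dhcp_scope(v: Vlan, reserve_low: int = 10) -> tuple[str, str]:
    """Lease range for the VLAN's DHCP server: skip the UTM's address and keep the
    first `reserve_low` host addresses free for static devices (printers, APs)."""
    iface = interface_of(v)
    hosts = [h for h in iface.network.hosts() if h != iface.ip]
    if len(hosts) <= reserve_low:
        raise ValueError(f"VLAN {v.vid}: subnet too small for a lease range")
    return str(hosts[reserve_low]), str(hosts[-1])


def masquerade_rules(vlans: list[Vlan], wan_interface: str = "External") -> list[tuple[str, str]]:
    """One MASQ rule per VLAN subnet, as the reply above recommends over a single
    group rule (easier to read in the log, and per-subnet public IPs stay possible)."""
    return [(str(interface_of(v).network), wan_interface) for v in vlans]


if __name__ == "__main__":
    # constructed plan mirroring the guide's VLAN_20 / VLAN_90 naming
    plan = [Vlan(20, "172.16.20.1"), Vlan(90, "172.16.90.1")]
    print("problems:", validate_plan(plan) or "none")
    for v in plan:
        print(f"VLAN {v.vid}: DHCP range {dhcp_scope(v)}")
    for net, wan in masquerade_rules(plan):
        print(f"MASQ {net} -> {wan}")

    # constructed plan with the two classic mistakes: VLAN 1 and an overlapping subnet
    bad = [Vlan(1, "172.16.1.1"), Vlan(20, "172.16.20.1"), Vlan(30, "172.16.20.129", 25)]
    for p in validate_plan(bad):
        print("PROBLEM:", p)
```

Run it once with your intended table before creating the interfaces; the overlap check is the one that is hard to spot in the UTM's interface list, because each VLAN interface will happily accept an address that sits inside another VLAN's subnet.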

  • One small note:

    If you use webfiltering then you will most likely not need (or even want) to create firewall rules allowing Web surfing, since that kinda defeats the purpose of the proxy...
