UTM Setup multiple VLANS on the same interface

Is it possible to have two separate VLANS on the same interface and how would one run the configuration to achieve it?

 

  • Hi badrobot,

    yes it is possible to run run multiple VLANs on the same interface.

    Just create an ethernet vlan interface on the utm with the desired vlan tag and physical interface.

  • Hi  

    It is possible to set up multiple VLANs on a single interface. As suggested by  you just need to create one. If you want to refer to any KBAs, please check these Sophos UTM - How to define a network interface and check Ethernet VLAN type.

  • In reply to Jaydeep:

    Ok but do I also need to create NAT rules and Firewall rules as well, I read that somewhere else in here but I want to walk through each aspect since changes like this typically require downtime, most of the switches are setup so i just need to configure the firewall now.

  • In reply to Badrobot:

    Hi Badrobot,

    Yes, you should consider each networked subnet/interface on your UTM needing rules/nats and masquerades where needed.

    The UTM is a stateful firewall that is in default drop fallback so unless you allow from one network to another/network to internet it will be blocked.

    Emile

  • In reply to Badrobot:

    VLAN tags are used at Layer 2.  NAT and Firewall rules apply to Layer 3.  Consider #3.1 in Rulz (last updated 2019-04-17).

    Cheers - Bob

  • In reply to BAlfson:

    OK this all helps thanks everyone so much, my next issue is the VLAN 1.  Basically from what I have read is the UTM reserves VLAN 1 for wireless? Could be wrong but just in case......Is it possible to change this?  I ask because we are using D link switches and they reserve VLAN 1 for management, this appears as though it cannot be changed on the D-Links either so I am hoping you can alter this in someway on the UTM to use VLAN 1 for something else.

  • In reply to Jaydeep:

    Are there any KB's that also explain how to handle the NAT and Masquerade aspects when creating Vlans...  I would think it would be the same as any other but wanted to check.

  • In reply to Badrobot:

    I suspect that, if you aren't using Wireless Protection and have everything turned off in there that you might be able to use VLAN 1.  Please come back and tell us if that worked for you.

    As you assumed, a VLAN is just like any other LAN and in need of the same NAT/Masq rules.  Think of a VLAN tag as being like a television channel - the receiver "sees" all the channels, but only picks one at a time.  That's how a VLAN Interface works - it only looks for the tag you define in WebAdmin.

    Cheers - Bob

  • In reply to BAlfson:

    My only issue is would like to use wireless, I am wondering what would happen though if I did wireless on a separate interface, with no NAT rules to each other.  

  • In reply to Badrobot:

    Or what I should say is-

     

    Is the wireless tied to a vlan always?  or can you give it it's own interface and simply a subnet without the vlan, still freeing up vlan 1 for another interface?

  • In reply to Badrobot:

    Are you using Wireless Protection in the UTM?

    Cheers - Bob

  • In reply to BAlfson:

    Yes, thanks for helping with this.  Can you explain that to me also.  I am getting confused as to why Wireless would have to use a VLAN?  Does this have to do with isolation?  Or some aspect as to how the firewall separates what is being handled for wireless and what is not?  

  • In reply to Badrobot:

    I don't know the details of how VLAN 1 is used by Wireless Protection, just that it's used behind the scenes.  I think you will need to get a ticket open with Sophos Support to see if they know a workaround for your D-Link conflict.  I suspect that you will need to request escalation.  Please share what you learn.

    Cheers - Bob

  • In reply to BAlfson:

    Ok so I created my VLANS on each interface allowing for multiple VLANS per interface, i.e. eth0 has VLAN 2, 4 and 6.  Now I am not 100% on the masquerading rules, I would think I need on for any vlan to any uplink interface.  But with the VLAN to VLAN traffic do I need to make one for each direction?  i.e. VLAN 2 to 4 and VLAN 4 to 2?  Do I also need to make a NAT 1:1 rule for each as well?  and do these also need to go each direction?  Just a little confused on the order-

     

    I think it is 

     

    VLAN

    Masquerade 

    NAT 

    Firewall Rules

     

    But I am not 100% on each step I have done more work on the XG than SG so this is throwing me some, if anyone could example out how to do this for vlan traffic to work from one vlan to another is would be great.

  • In reply to Badrobot:

    First, read #2 in Rulz (last updated 2019-04-17) and look at the images at the bottom of that post.  Between subnets on any LAN or VLAN interfaces, you only need firewall rules, no NAT or masquerading.  You also might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests."  If you would like me to send you this document, PM me your email address. For our German-speaking members, I also maintain a version auf Deutsch initially translated by fellow member hallowach when he and I did a major revision in 2013.

    Cheers - Bob