
Sophos UTM 9 and layer 3 switch, what's the best way of doing it

Hi everyone, I've been using Sophos UTM 9 and my L3 switch (D-Link DGS 1510) that I only bought for connecting my workstation to my NAS via 10Gbit SFP+. Everything is working fine as my setup is very straightforward:

Sophos acts as a gateway, handles the DHCP of the network and gives the network internet access via the ISP modem.

The D-Link switch didn't do any of what L2 or L3 switches are made for, as it was only used as a switch connecting all the devices of my network.

As I'm about to move into a new house, and as I will be implementing a new server, video surveillance and IP phones on the network, I decided to dig deeper and did some research.

 

Here is what I think my new setup will be like:

VLAN 1 FreeNAS, workstations, home WiFi and so on

VLAN 10 Guest WiFi

VLAN 20 Video surveillance

VLAN 99 MGT

VLAN 150 IP phones

 

Sophos ---> Gateway and firewall of the network --> ISP modem --> Internet

D-Link switch ---> L3 switch will handle VLANs and the routing in case I wanted some VLANs to communicate with each other

 

Now, is this a good way of doing things?

Do I have to set up a trunk between the router and the switch?

Does the Sophos have to be the gateway, or can it just be a firewall and provide me VPN etc.?

 

Thanks a lot for helping figure it out.



  • Firstly, try and keep it simple. Forget about the L3 on the switch. Stick with L2 and let the UTM take care of the L3.

    You will need a trunk from the UTM to the switch which will carry all of your VLANs. You then connect your clients individually to the desired VLANs.

    And good practice is..... keep everything off VLAN 1, which is generally where management traffic sits, e.g. CDP, ARP etc.

    Generally, each VLAN will need a router to break out, which in your case would be the UTM with multiple interfaces supplying DHCP, DNS etc.

    That's it, in its simplest form.....

  • Hey Andrea.

    Stick with Louis' suggestion and keep things simple. Sophos UTM in front of every VLAN with a VLAN interface and subnet to each network. UTM will create the routes between VLANs automatically as long as you have an interface on each VLAN, but will block all traffic by default. That way you can control what will be accessible between VLANs using firewall rules to explicitly allow ports/services/protocols between networks or specific IPs.

    Bear in mind that the speed of the communication between VLANs would depend on your UTM routing capacity, though. If you need some super fast communication (like that 10Gb NAS you mentioned) between VLANs, then using your switch's L3 capabilities might be a better idea.

    Regards,

    Giovani

  • Thanks a lot for the advice, I might actually go for that route.

    I'm going to disable DHCP on the switch, create all the VLANs on both the switch and the Sophos, then create a trunk between them, and I should be good to go, right?

    Something like that:

    VLAN 1 mgt traffic

    VLAN 10 most of the clients

    VLAN 20 video surveillance

    VLAN 30 WiFi

    VLAN 99 mgt

    VLAN 150 IP phones

     

    Then I will have to create interfaces on the Sophos for each VLAN, e.g.:

    192.168.1.1 255.255.255.0

    192.168.10.1 255.255.255.0

    192.168.20.1 255.255.255.0

    192.168.30.1 255.255.255.0

    192.168.99.1 255.255.255.0

    192.168.150.1 255.255.255.0

    Create the VLANs on the switch and assign ports in access mode.

    Then how can I make the Sophos only accessible from the 192.168.99.1 IP address and not from all the VLANs?
    Also, could I make 1 or 2 IP addresses access all the VLANs without having the VLANs communicating? If so, how? Routing? Firewall?

     

    Many thanks for your help and your time!

  • 

    Hi, will this actually affect transfer speed? I mean, if both the NAS and the workstation are connected to the switch via 10Gbit but the Sophos, which is doing the routing, is connected to the switch via 1Gbit Ethernet, will that create a 1Gbit bottleneck on the bandwidth between ports, or is it just something you don't really notice in everyday use?

    Thank you very much

  • If the workstation and NAS are on the same VLAN, UTM will not touch this, as this would be layer 2 communication and would never traverse UTM. But if a device from another VLAN accesses your NAS, then the speed will be the routing speed of the UTM, which would be, in the best-case scenario, the speed of the UTM's network interface. It's just a heads-up in case you are thinking of accessing your NAS from a device on another VLAN.

    As for your previous question:

    "Then how can I make the Sophos only accessible from the 192.168.99.1 IP address and not from all the VLANs?"

    Do you mean management? If so, you can achieve that by limiting WebAdmin management at Management > WebAdmin Settings > General > Allowed Networks. Create a network object with type host and IP 192.168.99.1 there and remove "Any". Just be careful not to lock yourself out by making sure you are already accessing UTM through the management VLAN and IP. =)

    In case you enabled shell access, do the same at Management > System Settings > Shell Access > Allowed Networks.


    "Also, could I make 1 or 2 IP addresses access all the VLANs without having the VLANs communicating? If so, how? Routing? Firewall?"

    As long as you have a UTM interface on each VLAN, UTM will automatically create routing between VLANs, but will allow nothing unless you create firewall rules allowing traffic. So, for example, under Network Protection > Firewall you could create a rule:

     

    Sources: IP1, IP2

    Services: Any

    Destination: Interface network objects for VLANs 1, 10, 20, 30, 99, 150

    Action: Allow

     

    That would allow IP1 and IP2 to access every device on the other VLAN subnets. Since UTM is a stateful firewall, you don't need to create rules allowing traffic back from the VLANs to those IPs; the above rule would suffice as long as the traffic originates from IP1 or IP2.

     

    Edit: I recommend reading Rulz for some best practices and the most common questions/issues you might have while setting up this environment. You are leaving a fairly simple configuration and adding some complexity, so this reading would definitely help you.

     

    Regards,

    Giovani

  • Thank you very much indeed, everything is becoming more and more clear and I will definitely read what you recommended; can't wait to mess around with the actual switch and router.

  • You probably won't believe it, but I only got to play with the network now, almost a year later :D (got busy)

    Long story short, I got VLANs to work just fine, but I am no longer able to get internet access.

     

    Here is my config:

    VLAN 1 native

    VLAN 10 PCs, workstations, NAS etc.

    VLAN 30 WiFi

    VLAN 20 video surveillance

     

    Then I have my ISP router 192.168.0.254, which goes to my Sophos UTM 9 on an Ethernet interface I called WAN, 192.168.0.253.

    I then created all the VLAN interfaces: vlan10, vlan20, vlan30.

    I have a firewall rule Internal (network) to Any

    and a NAT rule Internal to WAN.

    I've set DHCP for all the VLANs and some forwarders from Cloudflare.

    Just can't connect to the internet.

    What's wrong?

  • You need to work back the way from the internet.

    FROM ISP to UTM

    1. Can the UTM WAN, e.g. eth0 (192.168.0.253), communicate with the internet? I.e. can it ping 1.1.1.1 or 8.8.8.8? Test if it can also resolve.

    Little tip here. Try and run the ISP router in bridge mode to give the UTM the public IP, as you will be double NATing here by the look of it. If you do NAT (as above), try and stay away from 192.168.0.0/24, as these are the default subnets for a lot of routers and you can get caught out with this. It's not essential, but if leaving it like this, keep it in the back of your mind. You'll also have to bear this in mind if running any servers when creating DNAT rules.

    UTM

    2. If the above is OK and UTM can resolve, you will need a masquerading or SNAT rule for every VLAN/subnet you create on, e.g., eth1.
    E.g. Vlan 10 > masquerade or SNAT to UTM WAN interface, Vlan 20 > masquerade or SNAT to UTM WAN interface, Vlan 30 > masquerade or SNAT to UTM WAN interface.

    Each VLAN will need a DHCP server with DNS etc. configured. It's not 100% necessary, as you could do this manually, but I'm guessing you wouldn't want to do this.

    Another tip here: try and stay away from native VLANs (especially VLAN 1) and tag them all. Again not necessary, but good practice.

    UTM to SWITCH

    3. Down to the switch. The cable coming from the UTM should be connected to the switch in trunk mode (not access mode) and the appropriate VLANs added. Clients, e.g. PCs etc., connecting to the switch should connect in access mode. If everything is well, the connecting client should get a DHCP lease from the appropriate VLAN (with gateway and DNS settings included), which should point to the appropriate VLAN UTM address as the gateway. Test by pinging UTM and then trying to ping 1.1.1.1 or 8.8.8.8. If good, try and resolve www.google.com.

    CLIENTS (and back to the UTM)

    4. If you can ping the UTM, i.e. you have a lease etc., now's the time to really tweak the UTM and use the FW rules or the proxies etc., using the log viewer to troubleshoot.

     

    The above is just general, and if you ain't getting to the internet from a client, you will get stuck somewhere along the above. Let us know at what point and then we can have a better idea.
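The check behind Louis' step 2 (one allow rule and one masquerading rule per VLAN interface network, since the "Internal" network object only covers the Internal subnet), as an added example that is not from the thread or from Sophos. The interface names, addresses and rule tuples are constructed from what Andrea posted; the rule model is a simplification of UTM's objects.

```python
import ipaddress

# Constructed from the thread's broken config: VLAN interfaces exist on the UTM,
# but the firewall and masquerading rules only name the "Internal" interface network.
INTERFACES = {
    "Internal": "192.168.1.254/24",
    "vlan10": "192.168.10.254/24",
    "vlan20": "192.168.20.254/24",
    "vlan30": "192.168.30.254/24",
    "WAN": "192.168.0.253/24",
}
FIREWALL_RULES = [("Internal", "Any", "Allow")]  # (source object, destination, action)
MASQ_RULES = [("Internal", "WAN")]               # (source object, outgoing interface)

# Corrected config as Louis describes: one allow and one masquerading rule per VLAN.
LAN_IFACES = ("Internal", "vlan10", "vlan20", "vlan30")
FIXED_FIREWALL = [(v, "Any", "Allow") for v in LAN_IFACES]
FIXED_MASQ = [(v, "WAN") for v in LAN_IFACES]


def source_covers(source_obj, iface, interfaces):
    """Does a rule whose source object is `source_obj` match hosts on `iface`?
    An interface network object matches only its own subnet; "Any" matches all."""
    if source_obj == "Any":
        return True
    src_net = ipaddress.ip_interface(interfaces[source_obj]).network
    return ipaddress.ip_interface(interfaces[iface]).network.subnet_of(src_net)


def internet_path_issues(interfaces, firewall, masq, wan="WAN"):
    """Return {interface: [problems]} for every non-WAN interface that lacks
    either a firewall allow rule towards the internet or a masquerading rule to WAN."""
    issues = {}
    for name in interfaces:
        if name == wan:
            continue
        problems = []
        if not any(act == "Allow" and dst in ("Any", wan)
                   and source_covers(src, name, interfaces) for src, dst, act in firewall):
            problems.append("no firewall rule allowing traffic out")
        if not any(out == wan and source_covers(src, name, interfaces) for src, out in masq):
            problems.append("no masquerading rule to " + wan)
        if problems:
            issues[name] = problems
    return issues


if __name__ == "__main__":
    for name, problems in internet_path_issues(INTERFACES, FIREWALL_RULES, MASQ_RULES).items():
        print(name, "->", "; ".join(problems))   # vlan10, vlan20, vlan30 are flagged
    print("fixed config:", internet_path_issues(INTERFACES, FIXED_FIREWALL, FIXED_MASQ))  # {}
```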

  • First, check whether you have masquerading rules for every VLAN that needs to access the internet, as Louis also mentioned.

    Second, are you actively using VLAN 1 now? If so, stop doing so, as it will most likely give you problems if you ever were to also use wireless networking. VLAN 1 is reserved for the UTM itself and should therefore not be used in a VLAN environment.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Thank you very much indeed, I had done pretty much everything you said, except I left the UTM WAN interface as Ethernet and I set the Sophos IP address in the DMZ on the ISP router.

    Everything works fine; I already created a DHCP server for every VLAN on the UTM 9 (only forgot to post it here) and everything seems to be working very well now, except:

    I can ping the FreeNAS box, I can map a network drive, but I can't find it under the Network folder in Windows. But I do see the Plex server. Weird.

     

    Anyway, this is my config:

    ISP router with WiFi, DHCP, firewall OFF

    DMZ on 192.168.0.254

    Sophos UTM 9

    Interfaces:

    eth0 192.168.1.254/24

    vlan10 192.168.10.254/24

    ...

    vlan99 192.168.99.254

    WAN

    192.168.0.254

    default gateway: ISP IP address

    Then I created a DHCP server for every VLAN, like 192.168.10.2-192.168.10.253, default gateway 192.168.10.254, DNS 1.1.1.1, 1.0.0.1, and so on for all the VLANs.

    Then I created a firewall rule for every VLAN, like vlan10 --> any service --> any, for every VLAN.

    Then I created a masquerading rule vlan10 --> WAN.

    Everything works, I can browse and everything seems very smooth; just thinking if I can now improve something security-wise.

    Also, I would love to limit bandwidth to VLAN 40, and maybe make VLAN 99 see all the VLANs. How can I do that?