
How should I set up UTM for dhcp to fixed ip devices

My first post on this Community, so I hope I am in the right place.  Please forgive me and tell me where I should post if I am in the wrong place.  I am not a network engineer, so I am at the bottom of the learning curve.

I have subnets created on an SG135 UTM with DHCP on the device.  I have excluded the first 20 addresses of the subnet because a number of the devices on the subnet use fixed IPs.  I am having trouble with DNS on these devices and think my configuration is not quite correct.  How should I define the fixed IPs in the UTM for these fixed-IP devices so as to ensure DNS is working?  I do not have a DNS server on my client devices.



  • Hi

    A very warm welcome to the UTM forum! :-)

    UTM DNS settings:

    Firstly, I assume that you are using UTM as your DNS forwarder, similar to what's shown below (either that, or you have simply ticked that 'Use forwarders assigned by ISP' box and have no hosts listed in the DNS forwarders field).

    Next, let's look at DHCP-served devices with MAC/IP binding set in UTM:

    I now use only DHCP for the devices on my network; however, for anything other than devices on my guest network, I use MAC/IP-bound addresses for absolutely everything, and these are set by adding host entries in UTM's 'Network Definitions' list (as shown in the screenshot below, with the printer entry expanded to show its contents).

    Incidentally, I set all of my MAC/IP bound addresses to reside outside of the DHCP pools, leaving the pools only for unbound DHCP devices, temporarily visiting these subnets (so I only require a very small pool of addresses on each subnet).

    Now let's look at static addresses set up in the devices themselves:

    The top entry in my first image (the ADSL one) is somewhat different from the rest, as it is not a MAC/IP-bound static address but instead an address defined within the external device itself (it is actually my ISP-provided router's LAN address; its LAN port is connected to the WAN side of my UTM box, as I am using a double-NAT setup). As you can see, the 'adsl' device is also defined in the hosts list, and that means I can use http://adsl. to access the router's configuration pages (as opposed to typing 192.188.6.1), even though it is not a host with MAC/IP binding set up in the UTM. As you can see below, it is a very similar entry to that of my printer, but in this case it doesn't have a MAC address populated in the MAC field and the DHCP server is not enabled for that device.


    Footnote:

    Incidentally, I also have DNAT rules to ensure a device on the network cannot look elsewhere for DNS (in case it's been compromised and set to access a nefarious DNS server). If it tries to look up something via anything other than the UTM itself, it is simply redirected back to the UTM's network address (so in fact, if setting static addresses in any device, I can type any old rubbish for the DNS and it will get redirected to the UTM DNS server address; doing exactly that was how I tested it to see if it was working). :-) Of course, if a browser was using all this newfangled DNS over HTTPS stuff, that would defeat these redirects.

    I hope I've covered most things in the above (and I hope it makes sense), but please do ask if anything needs further clarification and I'll respond to the best of my abilities (which aren't actually that extensive, but to make up for that embarrassing void in my own knowledge, I'll at least add additional fancy images). :-)

    Kindest regards,

    Briain

  • PS Sorry about all the edits; I started with a brief reply, then I decided to expand it (and after doing so, it clearly required rearranging to make it less of a muddled mess). :-)
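The addressing scheme Briain describes above (MAC/IP-bound reservations kept outside the DHCP pool, plus static hosts with no MAC that still get a DNS name), as an added example that is not code from the post and not how Sophos UTM stores its settings. The dnsmasq-style lines at the end are an assumed text equivalent used only for illustration; the subnet, host names, addresses and MACs are constructed sample data, with the first 20 addresses excluded from the pool as in the original question.

```python
"""Added example, not from the original post and not Sophos UTM's configuration format."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


@dataclass
class Host:
    name: str
    ip: str
    mac: Optional[str] = None   # None: address is configured on the device itself


@dataclass
class Subnet:
    network: str
    pool_start: str
    pool_end: str
    hosts: List[Host] = field(default_factory=list)


def validate(subnet: Subnet) -> List[str]:
    """Return the problems found; an empty list means the plan is consistent."""
    net = ipaddress.ip_network(subnet.network)
    lo = ipaddress.ip_address(subnet.pool_start)
    hi = ipaddress.ip_address(subnet.pool_end)
    problems = []
    if lo not in net or hi not in net or lo > hi:
        problems.append(f"pool {lo}-{hi} is not a valid range inside {net}")
    seen_ip, seen_mac = set(), set()
    for h in subnet.hosts:
        ip = ipaddress.ip_address(h.ip)
        if ip not in net:
            problems.append(f"{h.name}: {ip} is not inside {net}")
        elif lo <= ip <= hi:
            # A reservation inside the pool can collide with a lease handed to a visitor.
            problems.append(f"{h.name}: {ip} lies inside the DHCP pool {lo}-{hi}")
        if ip in seen_ip:
            problems.append(f"{h.name}: address {ip} is used twice")
        seen_ip.add(ip)
        if h.mac is not None:
            mac = h.mac.lower()
            if not MAC_RE.match(mac):
                problems.append(f"{h.name}: malformed MAC {h.mac!r}")
            elif mac in seen_mac:
                problems.append(f"{h.name}: MAC {mac} is bound twice")
            seen_mac.add(mac)
    return problems


def resolve(subnet: Subnet, name: str) -> Optional[str]:
    """Local name lookup over the hosts list (how 'http://adsl.' finds the router)."""
    for h in subnet.hosts:
        if h.name == name.rstrip("."):
            return h.ip
    return None


def render_dnsmasq(subnet: Subnet) -> List[str]:
    """Assumed dnsmasq equivalent: a reservation per MAC-bound host, a name record for every host."""
    net = ipaddress.ip_network(subnet.network)
    lines = [f"dhcp-range={subnet.pool_start},{subnet.pool_end},{net.netmask},12h"]
    for h in subnet.hosts:
        if h.mac is not None:
            lines.append(f"dhcp-host={h.mac.lower()},{h.ip},{h.name}")
        lines.append(f"host-record={h.name},{h.ip}")
    return lines


# Constructed sample data: pool starts at .21 because the first 20 addresses are excluded.
OFFICE = Subnet(
    network="192.168.10.0/24", pool_start="192.168.10.21", pool_end="192.168.10.40",
    hosts=[
        Host("printer", "192.168.10.5", "aa:bb:cc:00:11:22"),   # MAC/IP bound, served by DHCP
        Host("nas", "192.168.10.6", "AA:BB:CC:00:11:33"),       # same; upper-case MAC is fine
        Host("adsl", "192.168.10.1"),                            # static on the device, no MAC
    ],
)

BAD = Subnet(
    network="192.168.10.0/24", pool_start="192.168.10.21", pool_end="192.168.10.40",
    hosts=[
        Host("printer", "192.168.10.25", "aa:bb:cc:00:11:22"),  # reservation inside the pool
        Host("scanner", "192.168.10.7", "aa:bb:cc:00:11:22"),   # reuses the printer's MAC
        Host("cam", "192.168.11.9", "not-a-mac"),               # wrong subnet, malformed MAC
    ],
)

if __name__ == "__main__":
    print("office:", validate(OFFICE) or "ok")
    print("bad:", *validate(BAD), sep="\n  ")
    print(*render_dnsmasq(OFFICE), sep="\n")
```

Running it reports nothing for OFFICE and four problems for BAD; the one the original question is most likely to hit is the reservation that lands inside the pool, which the UTM's pool exclusion is there to prevent.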

  • Hi

    I've done this for a few customers, so I've just anonymised one of these diagrams (redacting customer names and SSID names, etc.); in this case it was to show a customer and site manager (who are both very intelligent, but not technical people) what I was proposing to build for them (and explain why this was needed for security reasons). As you can see, it is another so-called 'router on a stick' design necessitating only an L2 managed switch (I chose the D-Link after a conversation with a WISP who'd used them at several USA hill-top sites and liked their reliability and ease of configuration, so what with that and their low price, they were also ideal for the sorts of customers that I have).

    After actually building it, I then created spreadsheets with more granular information (switch port details) and even screen dumps of key router settings pages, so it all formed a useful handbook for anyone who might have to work on it should I not be available, going forwards. The plan was also very useful for myself when initially building it, as even though it is a relatively simple network, trying to picture it all in your head whilst configuring it can be quite tedious (and mistakes can be made when doing it that way, particularly when I'm involved). My own network is of a similar architecture, but I have more VLANs (and I use the UTM's WAF feature to reverse proxy a Raspberry Pi web server), so it is a little more complex. I haven't created diagrams for my own network as nobody else will ever have to work on it (if I get run over by a steam roller, it'll likely all just end up in a skip).

    I was suggesting that it might be useful to go through a similar exercise for the network that you wish to sort out, as it'll make it a lot easier to do so on the day (less chance of prolonged outages whilst trying to figure out why something isn't working as it should, and someone hassling you because they can't get any work done; trust me, I know from experience that there is nothing worse than that, and particularly so if it happens to the point of sale machine and thus the money can't be taken in). :-)

    Kind regards and happy designing.

    Briain

    NB Yes, the Sonos bridge looks illogical, but it feeds something that's not shown on the diagram (there are a few Sonos units at that site) but the idea of showing it is not to scrutinise the contents, but to give you an idea of the form of network 'plan on a page' diagram that I was suggesting might help (then also help plan how to get there with least disruption, on the day).

  • Hi Briain,

    I thought the diagram brilliant and must find out what graphics program you use.  Your diagram also made sense to me and I am working on this, in between other Covid-related stuff which sadly has priority, much to my regret, so please forgive me if my conversation is not as fluent as you might wish.

    I mentioned DNS earlier and, since a problem has now come up, I will start there with your first picture.  Under Network Services > DNS > Global I presently have 4 networks shown and all have subnets defined as I expect.

    The Forwarders tab has nothing in it and the tick box to use forwarders assigned by the ISP is ticked; the address shown is 192.168.1.1, which I believe comes from the router I was provided with, and I have no access to the settings for that device.  The address is clearly not directly from the ISP.


    (Sorry about the box above which I cannot remove!)  I believe my Sophos settings are OK for the time being as I have not touched them.  The three subnets I am using all work as expected for the PCs in use as do the printers but I have not configured the management subnet and Vlan 1 and this should be examined. 

    Where I am in difficulty is with the WiFi, as I have upgraded all the AP devices and have been trying to get SSID/VLAN assignments to work correctly.  Strangely, one works as required but the others do not, failing to get an IP when I try to log in to the required SSID. I fear the problem is not just with the absence of correct configuration of the management network but also with the configuration of the L2 switches and how I should access the AP devices from my own PC or laptop, which are both on one subnet along with the static IP addresses of all the APs.

    Where would be a good place to start?


  • Hi

    I do have a (headless) Windows 10 machine (one of these small fan-less chaps obtained via Aliexpress; it's actually a very nicely built piece of kit and it was a very nice price, too) and the only reasons I have it are for 3 pieces of Windows only software that I occasionally require (and I just use RealVNC to access it from my Linux laptop) with one of these being PaintShop Pro (which was what I used to create the above plan on a page diagram). I'm not saying that PSP is anything special, but I have been using PSP for a very long time (since not long after it came out, in fact) and I just haven't yet taken the time to learn how to better drive GIMP. That said, I recently discovered Kolourpaint (in the Debian repository) and that's just been great for things like quickly redacting text from a screen dump, or the likes (that was what I used to redact - via the rectangles - the SSIDs and other customer identifying information from that network map image).

    Back on topic, and yes, with that 'use ISP forwarders' box ticked you don't need any forwarders in that list. Had you a modem in front of the UTM box, you would indeed get the ISP ones, but as you have a NAT router in front of UTM, it sees that as being your ISP, thus the 192.168.1.1. So that means DNS lookups will go to whatever the router's set to use, and as you say, with many ISP-provided routers you have no choice other than to use the ISP-configured DNS servers, as there isn't any field brought out to the GUI in which you can change them (I have only seen that once in an ISP router).

    That said, I am currently running a similar system whereby I am using an ISP router in front of UTM; however, I have populated my own choice of forwarders in UTM, so that effectively overrides the settings in the ISP router. That said, it is not a guarantee that you can bypass the ISP's DNS servers, as it is possible for them to use transparent DNS proxies to force you to use their servers (I'm not aware of anyone who does that, but allegedly it does happen). See the description and diagram at https://www.dnsleaktest.com/ and that'll explain what that's all about (and you can test for it at that site, too).

    Another interesting DNS test resource can be found here, https://www.grc.com/dns/dns.htm and again, there's a good description of what's happening with the test at that page.

    Incidentally, for my own forwarders I used to use IBM's Quad 9 (9.9.9.9), then I used Cloudflare (1.1.1.1 and 1.0.0.1), and I'm now using Cloudflare's latest offerings (which block access to known malware sites) of 1.1.1.2 and 1.0.0.2. Just in case it helps, below shows the settings 'opened up' for one of them.

    I used to have both in a group, but interestingly, a few weeks ago there was an issue with 1.1.1.1 (but not 1.0.0.1) and for some reason, it didn't use the second choice. I suspect that was because the group was resolved as being 1.1.1.1 and I meant to post here about that issue in case it was a UTM bug, but I never got around to doing so; that's why I now have two single entries and not a network group bundling them together (which is, I think, perhaps how you are meant to do it, but I could be incorrect about that).

    I'm not clear how you have it set up, but I know one can run into difficulties when trying to use a VLAN as the management LAN. My advice would be to create an untagged management LAN (so the devices attached to it, which should only be the switches and WAPs, etc., can easily get their network configurations, AKA DHCP settings), then create VLANs for all the other groups of devices. If you look at that diagram you'll see just that sort of arrangement (the trunk contains one LAN and three VLANs), whereby the management LAN is not tagged and I do not extend it out to a wireless network (thus no SSID associated with that subnet), as the management LAN should be reserved solely for the core network appliances themselves (i.e. for inter-VLAN security reasons, you should only have your infrastructure devices sitting on the management LAN, other than for when you need to configure it, of course). So yes, you could either configure it by hooking your laptop into an access port configured as the management LAN on your managed switch, or, as you are using UTM, it is so easy to create an inter-VLAN rule (as per my first post) that that is another way to permit your laptop access to the management LAN.

    For the network shown in my plan on a page, I opted not to create an inter-VLAN rule and I instead just hook my laptop onto the management LAN when I need to visit them and reconfigure anything (see the orange text at the bottom left corner of that same diagram), but that was mainly because it's a bit more faff to set up inter-VLAN rules in a Draytek, and for the number of occasions that I need to visit and work on their network (i.e. very infrequently) I decided it made better sense to have no rules set up in the Draytek (less is always more, IMHO; a less complex configuration could mean slightly less chance of any future firmware bug causing problems). Of course, if I was using UTM at that site, I would instead do it via creating an inter-VLAN rule (and just for HTTP, HTTPS and SSH access).

    So yes, you could access all the WAP and switch settings by simply hooking your machine up to the management LAN, but don't have any other computers sitting on the management LAN, and for normal use of your own laptop (i.e. when you're not configuring stuff) it's good practice (for security reasons) to revert to using one of the VLANs instead.

    Bri
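The two controls Briain describes (the DNS redirect from the footnote of his first post, and an inter-VLAN rule that opens the management LAN only for SSH, HTTP and HTTPS) written out as an nftables ruleset. This is an added example for a Linux router-on-a-stick, not Sophos UTM configuration (UTM is driven from its web GUI); the names eth0 (untagged management LAN 10.0.0.0/24), eth0.10 (office VLAN 10.0.10.0/24 with the firewall at 10.0.10.1) and eth1 (WAN) are assumptions. The port-853 rule is an addition beyond the post: DNS over TLS can be blocked by port, whereas DNS over HTTPS shares port 443 and, as the post says, defeats this kind of redirect.

```nft
# Added example: nftables equivalent of the DNS redirect and the inter-VLAN
# management rule described above. Interface names and subnets are assumptions.
# The firewall's own input chain (DNS/DHCP service, admin access) is left out.
table inet office_fw {
  chain dns_redirect {
    type nat hook prerouting priority dstnat; policy accept;
    # Any DNS query from the office VLAN that is not aimed at the firewall's own
    # resolver is pulled back to it ("any old rubbish" for the DNS setting still works).
    iifname "eth0.10" ip daddr != 10.0.10.1 meta l4proto { tcp, udp } th dport 53 redirect to :53
  }

  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state established,related accept
    ct state invalid drop

    # DNS over TLS (853) can be stopped by port; DNS over HTTPS on 443 cannot.
    iifname "eth0.10" tcp dport 853 drop

    # Inter-VLAN rule: office VLAN -> management LAN, SSH/HTTP/HTTPS only,
    # so a laptop on the office SSID can reach switches and WAPs to configure them.
    iifname "eth0.10" oifname "eth0" ip daddr 10.0.0.0/24 tcp dport { 22, 80, 443 } ct state new accept

    # Office VLAN to the internet; the default drop keeps every other VLAN-to-VLAN path closed,
    # including anything trying to reach the management LAN from elsewhere.
    iifname "eth0.10" oifname "eth1" ct state new accept
  }
}
```

Load it with nft -f and test it the way the post describes: point a client's DNS at an address you do not own and confirm lookups still succeed (they are being answered by the firewall), then check that a client on the office VLAN can open the switch's web page but cannot, for example, ping or SMB-browse the management LAN.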

  • Dear Briain,

    First the good news, my problem was caused by the man who installed the Sophos device in the first place.  A small error in his configuration of one subnet, which was only just discovered by me now as I am starting to use the Sophos in earnest.  Now sorted and all is working reasonably well but needs improvement and hardening.

    Having studied your splendid diagram in some detail, I find there is an uncanny similarity between our two systems.  The only difference is that you use Sonos and I use Linn renderers for audio and an RPi-type device (Vero 4K+) for video, with media stored on a NAS box.  We even have a wireless bridge between two buildings with a trunk carrying three subnets across, and card machines and an EPOS system.  I very much appreciate that you are more knowledgeable and experienced than me but take comfort in this and value your posts.

    I need to digest the above further.  By way of further info, I am using EnGenius WAPs here as they are readily available and have good support for multiple SSIDs.  I have three SSIDs set up and linked to three VLANs, only one of which is for guests with L2 separation.  The other two do not have L2 separation but are supposed to be private.  Having noted your comments, I think I may need to review my plan because my needs at the detailed level do require management being able to access business back-of-house data from a phone.  I shall get back to you when I have had a chance to think.

    Regards,

    Budge

  • Hi Briain,

    Very briefly, my first step is setting up the management LAN.  I accept your suggestion that only devices such as switches and WAPs are for the management subnet, but I cannot readily access the port with a cable and laptop when we are fully working, post Covid precautions.  How should I arrange for access to this subnet?  At present I have not set any VLANs on the UTM and do it all on switches.  Can you take me through what you would suggest, please?   Also, how may I improve security if I use a WAP to access private business back-of-house networks, as I mentioned above?

  • Hi

    Yes, that network with the Sonos boxes was for a small business customer (with both the public needing WiFi, office staff, a couple of 'trading' floors and several card payment machines). My own network architecture is of a similar format, with my 'office' subnet containing several Linn DSM players, three Qnap NASs and some iThings (and this laptop). I have another subnet for my video boxes (Roku, Sky, HTPC and Android TV) and of course, several other subnets for reasons outlined in an earlier post.

    In my case, I also use UTM as the DHCP server, so the L2 switch only needs to be configured with the trunk to UTM accepting all VLANs and the LAN, then which VIDs are teased out to which access ports in the switch; all other configuration is set in the UTM. I am not the ideal person to answer on creating VLANs and DHCP servers in a L3 switch (simply because I have never done things that way; I have never required that sort of scheme and having it all done in UTM is easier for me to manage) however, in your case there would be two ways in which you could facilitate access from one of the private networks to the management LAN.

    Firstly (and likely you already know all of this) the 'router on a stick' architecture that I use works fine for me as there isn't a lot of inter-VLAN traffic, but it is not suited to a large enterprise network. When I create an inter-VLAN route between two devices (for example, from my wireless laptop on one subnet to a wireless R Pi on another subnet) then the traffic would flow from my laptop to the switch port, through the switch, out the (trunk) switch port connected to UTM (where the inter-VLAN rule permits it access to the other VLAN) then back down the same single trunk link between UTM and the switch, then to the switch port on which the R Pi resides. That is fine for what I want as my inter-VLAN traffic is typically extremely light (pretty much just to configure things). However, if you were instead wanting to transfer lots of huge video files, that single link to the UTM (with the traffic going up then down again) would be a bottleneck, so that would be better handled by an inter-VLAN rule set in the switch, meaning that inter-VLAN traffic doesn't have to flow to and back from the UTM.

    As you are probably in a similar situation to myself (not requiring to often transfer big chunks of data between devices on different VLANs), then it likely doesn't matter which way you decide to do it (and anyone who actually does know what they're talking about is welcome to shoot me down in flames for saying that; there are a lot of very clever enterprise grade engineers in this place and I am always delighted to learn something new and cool from them, so please do point out any flaws in my reasoning).

    So, to do it in the switch would require you to investigate the inter-VLAN section of the switch GUI and proceed accordingly.

    or

    Alternatively, to create the rules in UTM (and use it as a router on a stick) you'd have to make UTM aware of the VLANs and convert the link from UTM to the switch into a trunk (carrying both the management LAN and tagged VLAN that you wish access from) and of course, you'd have to do that for both the UTM port and the switch port to which the UTM is connected (unless that was already configured as a trunk port by a previous admin).

    As I have never used a switch as my DHCP server, my assumption is that the way to facilitate creating inter-VLAN rules within the UTM will require very similar configuration to my router on a stick arrangement, which would be to create a new interface for each VLAN (but obviously, the difference in your case is that you wouldn't also create DHCP servers for each subnet/VLAN as that duty is already being performed by the DHCP server configured within the switch). I don't think you'd need anything more than just that, but it is nearly 4 years since I set up my own UTM based network, so though I do frequently work on it, it's possible I'm forgetting something else that would be required (I'll look at it in more detail later, but I think this will be enough).

    As to creating the interfaces, below shows some of the ones from my interfaces page:

    As you can see, the first one is my management LAN and I would expect that will be similar to what you have now, with the below image showing that first line in edit mode:

    Below shows the edit view of the second line (my 'VLAN U' one):

    So, I would expect that by adding something like the VLAN U variant to the same hardware interface as your native might be enough to convert the UTM into a trunk port, but of course, if the UTM port on the switch is currently just configured as an access port (with just the management LAN on it) you would also have to convert that switch port from an access port to a trunk port (thus enabling the additional VLANs to access UTM's trunk port).

    I would try adding just one of the private VLANs for now, then seeing if you can create a rule to facilitate access from your laptop to a device on the management LAN (or even the entire management LAN) in the form that I've shown in the inter-VLAN firewall rules in my first post. As these private VLANs are already trunked to the WAP, you should be able to associate your laptop to the appropriate SSID and see if the rule facilitates access to devices on the management LAN.

    As mentioned several times above, I have only used UTM as the DHCP server and with the switch only in L2 mode (so all the switch needs populating with is its management IP and the VID numbers), so whether the above is the correct configuration when using UTM with an L3 switch and DHCP servers is something that I cannot test here at the moment (I do have a Cisco L3 switch - which I'm only using in L2 mode - but I cannot afford any downtime, at the moment). I'd search the Sophos site for a tutorial on the same (or, being me, I'd just try both and see what breaks). :-) Remember to save the current configuration and to also download it, just in case things all get a tad messy, of course!

    Hope that helps

    Briain :-)
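The wiring Briain walks through above has two ends that must agree: the firewall's interfaces on one hardware port (one untagged management LAN plus one VLAN interface per VID) and the switch port the firewall plugs into (trunk, with the management LAN as the untagged/native VLAN and every other VID tagged). This added example, not code from the post and not UTM's or any switch vendor's format, models both ends and reports the mismatches that leave a VLAN without an IP, including the case he flags of the switch side still being an access port. Interface names, VLAN IDs and subnets are constructed sample data.

```python
"""Added example: consistency check for a router-on-a-stick trunk, both ends modelled."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class FwInterface:
    name: str
    hardware: str            # physical firewall port the interface rides on, e.g. "eth1"
    network: str
    vlan_id: Optional[int]   # None: untagged (native) on that hardware port


@dataclass
class SwitchPort:
    name: str
    mode: str                # "access" or "trunk"
    native_vlan: int         # untagged VLAN (PVID) on the port
    tagged: List[int] = field(default_factory=list)


def check_trunk(fw_ifaces: List[FwInterface], hardware: str,
                uplink: SwitchPort, mgmt_vlan: int) -> List[str]:
    """Problems on the firewall<->switch link; an empty list means both ends agree."""
    problems: List[str] = []
    ifaces = [i for i in fw_ifaces if i.hardware == hardware]
    tagged_ids = [i.vlan_id for i in ifaces if i.vlan_id is not None]
    untagged = [i for i in ifaces if i.vlan_id is None]

    if len(untagged) != 1:
        problems.append(f"{hardware}: expected exactly one untagged interface, found {len(untagged)}")
    if len(tagged_ids) != len(set(tagged_ids)):
        problems.append(f"{hardware}: a VLAN ID is used by two interfaces")
    if tagged_ids and uplink.mode != "trunk":
        # The classic failure: VLAN interfaces exist on the firewall, but the switch
        # still treats the link as an access port, so every tagged frame is dropped.
        problems.append(f"{uplink.name}: firewall expects tagged VLANs {sorted(tagged_ids)} "
                        f"but the switch port is an {uplink.mode} port")
    if uplink.native_vlan != mgmt_vlan:
        problems.append(f"{uplink.name}: native VLAN is {uplink.native_vlan}, "
                        f"management LAN is VLAN {mgmt_vlan}")
    if mgmt_vlan in uplink.tagged:
        problems.append(f"{uplink.name}: management VLAN {mgmt_vlan} must be untagged, not tagged")
    for vid in sorted(set(tagged_ids)):
        if vid not in uplink.tagged:
            problems.append(f"VLAN {vid}: defined on {hardware} but not tagged on {uplink.name}")
    for vid in uplink.tagged:
        if vid not in tagged_ids:
            problems.append(f"VLAN {vid}: tagged on {uplink.name} but has no interface on {hardware}")
    return problems


# Constructed sample: management LAN untagged (VLAN 1), two private VLANs tagged.
FW = [
    FwInterface("mgmt", "eth1", "10.0.0.0/24", None),
    FwInterface("office", "eth1", "10.0.20.0/24", 20),
    FwInterface("guest", "eth1", "10.0.30.0/24", 30),
]
GOOD_PORT = SwitchPort("g24", "trunk", native_vlan=1, tagged=[20, 30])
ACCESS_PORT = SwitchPort("g24", "access", native_vlan=1)          # never converted to a trunk
PARTIAL_PORT = SwitchPort("g24", "trunk", native_vlan=1, tagged=[20])  # guest VLAN forgotten

if __name__ == "__main__":
    for port in (GOOD_PORT, ACCESS_PORT, PARTIAL_PORT):
        print(port.mode, port.tagged, "->", check_trunk(FW, "eth1", port, 1) or "ok")
```

Run it before touching the live configuration: the PARTIAL_PORT case is exactly the "one SSID works, the others never get an IP" symptom from earlier in the thread, because the switch drops the tag the firewall is expecting.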

  • Hi Briain,

    Been busy on other work.  Before I do anything else, and sorry but I cannot find where else to post this question, but how do I set up a "new" interface on my SG135?

    I thought I had it all OK but DNS is not working and I have no internet connection.  I have turned on the interface and set up the subnet ip and mask but when I added the DNS server I had a blue icon which I do not recognize.  I am clearly missing something but have no idea what.  Is there a guide anywhere or wizard I can use please. 

  • OK, I have it now.  Will get back to management vlan soon.

    Regards,

    Budge

  • Hi Briain,

    Please forgive absence from here, I have been working with an electrical contractor on changes to the house.  I have also been distracted as now all new APs have been added I have run out of available ports on the critical managed switch.  BTW, none of my switches are L3 but rather L2+ and I am not seeking L3 capability.

    Returning to my setup I have run into a problem with the UTM in that I wish to change the existing management subnet prior to putting the various devices such as WAPs etc. on to that subnet. 

    Trouble is, if I even start to edit the subnet address, I get lots of red warnings, including that the DHCP will no longer function, so I have cancelled and posted here for help!  It is clear that if I make the changes in the wrong sequence I will be locked out.  What is the correct sequence to change the management subnet address and allowed services so that when I try to log back in to the new management interface I can get connected?

  • I see that you've started a new thread.  That's the right way to ask a new question.  It's one of the unwritten rules here: "one topic per thread" - that's to make it easier for future members to find an answer to a question that's already been answered.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA