VLAN Use on Home UTM

Greetings Folks,

  I recently delved into adding two layer-2 switches to my home network, getting rid of my unmanaged units.  I am trying to set up separate VLANs for private vs guest networks.  

  Can the UTM handle multiple VLANs on one physical NIC?  

  I modified my Internal interface to be of type "Ethernet VLAN" and set the VLAN to 1 for initial setup.  I then added two additional interfaces on that same NIC of type "Ethernet VLAN".  I set up Private on VLAN 10 and Public on VLAN 20, 192.168.10.1/24 and 192.168.20.1/24 respectively.

  In essence all on eth0, I have:

VLAN 1  -  192.168.254.1/24
VLAN 10  -  192.168.10.1/24
VLAN 20  -  192.168.20.1/24

  My layer-2 switch is connected to the UTM on port 1, and set as a trunk port allowing VLAN 1,10,20 to it.

  When I add ports to VLAN 10 or 20, I am getting a fair amount of packet-loss when pinging those Interfaces from machines plugged into these tagged ports.  I have tried to set the PVID of the switchport to the matching VLAN and that isn't helping the problem either.

  So in addition to the initial question above, I'm trying to diagnose if this is a misconfiguration of my switch, or if I am setting up the UTM incorrectly.

  Any thoughts or comments would be greatly appreciated! :)

  • Hi,
    the issue is caused by the use of vlan 1, that is the administrative vlan on most networks. Change it to vlan 2 and your packet loss should drop. I currently run two vlans on my UTM without any issues.

    Ian
  • "I modified my Internal interface to be of type 'Ethernet VLAN'" I did not do that; I left the physical interface at "Ethernet" and added two virtual interfaces as "Ethernet VLAN", and then had my smart switch untagged on VLAN 1 and tagged on 20 and 30. This or Ian's suggestion should fix your problem. Q. Did you set up any manual routing for these new VLANs?

  • So if I am following this correctly from Ian's and Jaime's suggestions, I should have this setup, right?

    All on eth0

    Interface Type  |   VLAN ID     |   IP
    ----------------------------------------------------
    Ethernet        |   untagged    |   192.168.254.1/24
    Ethernet VLAN   |   VLAN 10     |   192.168.10.1/24
    Ethernet VLAN   |   VLAN 20     |   192.168.20.1/24

    Switchport 1 (which uplinks to the UTM) should be a trunk port allowing VLAN 10 & 20 tagged, and untag VLAN 1?

  • In reply to x12Mike:

    Yes, for my way of doing it anyway. Or, don't use VLAN 1 like Ian said and use VLAN 2. I use VLAN 1 at home but have so few devices traffic is not an issue.
  • In reply to JamieLoy:

    This is the same setup I have. I have 2 NICs (LAN, WAN), and I have 3 interfaces on the LAN side: (1) regular Ethernet for the standard home network, (2) VLAN for guest, (3) VLAN for the security system. The issue that I run into seldom is that for some reason, when a DHCP request is received from a device on a VLAN interface, the request is received not only by the DHCP server on the VLAN, but also by the DHCP server on the Ethernet interface. As a result, occasionally the DHCP address given out will be within the Ethernet interface address pool, which of course doesn't work. Do you run into the same issue?

    The DHCP server is on Sophos UTM and I use Cisco SG200-26 switch.

    Other than the issue above, if the correct address is served, everything works as expected.

    Thanks!
  • To add some additional notes to my issue...

    I have the three interfaces set up now, and working! :) Management "Ethernet", guest "vlan 10", private "vlan 20".
    DHCP is working for the two VLANs and I have both of my switches and their ports configured correctly for all.

    To address the packet loss problem I referenced before... I found out that this was due to a misconfiguration on my part with regards to my UniFi APs. The management network "VLAN 20" needed to be an UNTAGGED port, with the PVID set to 20. Then I needed to add it to VLAN 10 as TAGGED.

    That threw me off for a while, and apparently with the wireless network set for VLAN 20, and the port tagged, the APs more or less caused what I can only presume was a glorified broadcast storm that was crippling the switches. As soon as I ran to both switches and unplugged the APs, the network calmed down and there was no more packet loss.

    The last thing I wanted to inquire about, was what the best way would be to restrict access from one VLAN to another. Currently I have a firewall rule at the top that DROPS all traffic from Guest (vlan 10) to private (vlan 20). So while I cannot access resources (http, ssh, cifs) from guest to private, I still can ping devices on VLAN 20 from VLAN 10...

    Is there something I am missing to disallow pings from one VLAN to another? Didn't know if anyone has thoughts on this.

    Also, I would very much like to thank Ian and Jaime for their comments and help, they helped me get my head straight to get the configs working. :)
  • In reply to x12Mike:

    Ping is handled globally: Webadmin -> Network Protection -> Firewall -> ICMP.
    If you don't want that, untick the selections there and create appropriate firewall rules instead.
  • In reply to x12Mike:

    Hi Mike, would you be able to take a look at your DHCP log on UTM and check if you're seeing the same symptoms as me? My log is below.

    You can see how the DHCP request comes in on 2 interfaces, the physical and the VLAN, and they both respond.

    2015:12:04-10:03:55 host dhcpd: DHCPDISCOVER from 34:12:98:XX:XX:XX via eth0
    2015:12:04-10:03:55 host dhcpd: DHCPOFFER on 192.168.1.123 to 34:12:98:XX:XX:XX via eth0
    2015:12:04-10:03:55 host dhcpd: DHCPDISCOVER from 34:12:98:XX:XX:XX via eth0.99
    2015:12:04-10:03:56 host dhcpd: DHCPOFFER on 192.168.99.100 to 34:12:98:XX:XX:XX (phone) via eth0.99
    2015:12:04-10:03:57 host dhcpd: DHCPREQUEST for 192.168.99.100 (192.168.99.1) from 34:12:98:XX:XX:XX (phone) via eth0: wrong network.
    2015:12:04-10:03:57 host dhcpd: DHCPNAK on 192.168.99.100 to 34:12:98:XX:XX:XX via eth0
    2015:12:04-10:03:57 host dhcpd: DHCPREQUEST for 192.168.99.100 (192.168.99.1) from 34:12:98:XX:XX:XX (phone) via eth0.99
    2015:12:04-10:03:57 host dhcpd: DHCPACK on 192.168.99.100 to 34:12:98:XX:XX:XX (phone) via eth0.99

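    Added example, not code from the thread or from Sophos: a small Python checker that parses dhcpd lines in the format quoted above and flags any client whose DHCPDISCOVER was seen on both a VLAN sub-interface and its parent physical interface, which is the double-answer symptom dmitripr describes, along with every DHCPNAK / "wrong network" event. It assumes Linux-style VLAN interface names of the form parent.vid (eth0.99), and the sample input is the quoted log reproduced as constructed data.

```python
import re
from collections import defaultdict

# Constructed sample input: the dhcpd lines quoted in the post above (MAC masked as posted).
SAMPLE_LOG = """\
2015:12:04-10:03:55 host dhcpd: DHCPDISCOVER from 34:12:98:XX:XX:XX via eth0
2015:12:04-10:03:55 host dhcpd: DHCPOFFER on 192.168.1.123 to 34:12:98:XX:XX:XX via eth0
2015:12:04-10:03:55 host dhcpd: DHCPDISCOVER from 34:12:98:XX:XX:XX via eth0.99
2015:12:04-10:03:56 host dhcpd: DHCPOFFER on 192.168.99.100 to 34:12:98:XX:XX:XX (phone) via eth0.99
2015:12:04-10:03:57 host dhcpd: DHCPREQUEST for 192.168.99.100 (192.168.99.1) from 34:12:98:XX:XX:XX (phone) via eth0: wrong network.
2015:12:04-10:03:57 host dhcpd: DHCPNAK on 192.168.99.100 to 34:12:98:XX:XX:XX via eth0
2015:12:04-10:03:57 host dhcpd: DHCPREQUEST for 192.168.99.100 (192.168.99.1) from 34:12:98:XX:XX:XX (phone) via eth0.99
2015:12:04-10:03:57 host dhcpd: DHCPACK on 192.168.99.100 to 34:12:98:XX:XX:XX (phone) via eth0.99
"""

# One dhcpd message: type, optional address, optional server id, client MAC,
# optional hostname, receiving interface, and any trailing text ("wrong network.").
LINE_RE = re.compile(
    r"dhcpd: (?P<msg>DHCP[A-Z]+)(?: (?:on|for) (?P<ip>[\d.]+))?(?: \([\d.]+\))?"
    r" (?:from|to) (?P<mac>\S+)(?: \([^)]*\))? via (?P<ifc>[\w.]+)(?P<rest>.*)"
)


def analyze(log_text):
    """Return clients whose DISCOVER was seen on a VLAN sub-interface and its
    parent interface (double-answer symptom), plus every NAK / wrong-network event."""
    discovers = defaultdict(set)   # mac -> interfaces that saw its DHCPDISCOVER
    offers = defaultdict(dict)     # mac -> {interface: offered address}
    naks = []                      # (mac, interface) for DHCPNAK or "wrong network"
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        msg, mac, ifc = m["msg"], m["mac"], m["ifc"]
        if msg == "DHCPDISCOVER":
            discovers[mac].add(ifc)
        elif msg == "DHCPOFFER":
            offers[mac][ifc] = m["ip"]
        elif msg == "DHCPNAK" or "wrong network" in m["rest"]:
            naks.append((mac, ifc))
    affected = {}
    for mac, ifcs in discovers.items():
        tagged = {i for i in ifcs if "." in i}                 # eth0.99-style VLAN interfaces
        parents = {i.split(".", 1)[0] for i in tagged} & ifcs  # eth0 also saw the same request
        if parents:
            affected[mac] = {"tagged": sorted(tagged), "parent": sorted(parents),
                             "offers": dict(offers[mac])}
    return {"affected": affected, "naks": naks}
```

    Running analyze(SAMPLE_LOG) reports the phone as answered on both eth0 (192.168.1.123) and eth0.99 (192.168.99.100), with two NAK / wrong-network events on eth0; a client that only ever appears on a tagged interface is not flagged.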
  • In reply to dmitripr:

    dmitripr: "You can see how the DHCP request comes in on 2 interfaces, the physical and the VLAN, and they both respond."

    I tried this configuration and had the same problem.

    On the old forum, others stated that they also saw the same issue.  It was suggested that you cannot have DHCP running on the native VLAN (physical interface).  You need to use all tagged VLANs.   I never tried it to confirm.

  • In reply to scorpionking:

    So interestingly, under Global ICMP Settings, I had everything unchecked except "Log ICMP redirects"

    Under Ping Settings, nothing is/was checked.

    And under Traceroute Settings, both of those ARE and have been checked.

    So I am still at a loss... :)

    Also odd: if I have a firewall rule that DROPS all traffic from Guest to Private, why does it seem PING is not included in the "Any" service definition?

    Although, as I type this, I see that the "Any" service definition is only TCP protocols, it appears. I may have to include ping in the firewall rule to drop, or at least I presume I do?

    (currently not home to test and I have nothing on the guest network to test with yet)
  • In reply to DavidWilliams1:

    I converted everything to VLAN type of interface on internal physical port, and can confirm that it did solve the problem. Thanks for the inputs!