
VLAN Use on Home UTM

Greetings Folks,

  I recently delved into adding two layer-2 switches to my home network, getting rid of my unmanaged units.  I am trying to set up separate VLANs for private vs. guest networks.

  Can the UTM handle multiple VLANs on one physical NIC?

  I modified my Internal interface to be of type "Ethernet VLAN" and set the VLAN to 1 for initial setup.  I then added two additional interfaces on that same NIC of type "Ethernet VLAN".  I set up Private on VLAN 10 and Public on VLAN 20, 192.168.10.1/24 and 192.168.20.1/24 respectively.

  In essence, all on eth0, I have:

VLAN 1  -  192.168.254.1/24
VLAN 10  -  192.168.10.1/24
VLAN 20  -  192.168.20.1/24

  My layer-2 switch is connected to the UTM on port 1, and set as a trunk port allowing VLAN 1,10,20 to it.

  When I add ports to VLAN 10 or 20, I am getting a fair amount of packet loss when pinging those interfaces from machines plugged into these tagged ports.  I have tried setting the PVID of the switch port to the matching VLAN, and that isn't helping the problem either.

  So in addition to the initial question above, I'm trying to diagnose if this is a misconfiguration of my switch, or if I am setting up the UTM incorrectly.

  Any thoughts or comments would be greatly appreciated! :)



  • To add some additional notes to my issue...

    I have the three interfaces set up now, and working! :) Management "Ethernet", guest "VLAN 10", private "VLAN 20".
    DHCP is working for the two VLANs, and I have both of my switches and their ports configured correctly for all.

    To address the packet-loss problem I referenced before: I found out that this was due to a misconfiguration on my part with regard to my Unifi APs. The management network (VLAN 20) needed to be an UNTAGGED port, with the PVID set to 20. Then I needed to add it to VLAN 10 as TAGGED.

    That threw me off for a while; apparently, with the wireless network set for VLAN 20 and the port tagged, the APs more or less caused what I can only presume was a glorified broadcast storm that was crippling the switches. As soon as I ran to both switches and unplugged the APs, the network calmed down and there was no more packet loss.

    The last thing I wanted to inquire about was the best way to restrict access from one VLAN to another. Currently I have a firewall rule at the top that DROPS all traffic from Guest (VLAN 10) to Private (VLAN 20). So while I cannot access resources (http, ssh, cifs) from guest to private, I can still ping devices on VLAN 20 from VLAN 10...

    Is there something I am missing to disallow pings from one VLAN to another? Didn't know if anyone has thoughts on this.



    Also, I would very much like to thank Ian and Jaime for their comments and help; they helped me get my head straight and get the configs working. :)
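The AP port mistake described in this post (management VLAN tagged on the AP's switch port, then fixed by making it the untagged PVID VLAN and tagging only the guest VLAN) is easy to catch before plugging anything in. The following is an added example, not code from the thread or from any switch or UTM vendor: a small 802.1Q port-plan checker over a constructed model of this topology. Port names, the trunk on "port1", the AP on "port5" and the wired host on "port8" are assumptions; the VLAN numbers and the AP expectation (management untagged, SSID VLANs tagged) come from the post. The checks go slightly beyond the thread: they also flag a port carrying a VLAN the uplink trunk does not allow, and a PVID that is not the port's untagged VLAN.

```python
"""Constructed example: validate an 802.1Q switch-port plan.

Not code from the forum thread or from any vendor. Models the invariants a
router trunk and a managed-AP port rely on, and reports violations.
"""
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    role: str                      # "trunk", "access" or "ap"
    pvid: int                      # VLAN assigned to untagged ingress frames
    untagged: set = field(default_factory=set)   # VLANs sent untagged on egress
    tagged: set = field(default_factory=set)     # VLANs sent with an 802.1Q tag


def validate(ports, uplink, mgmt_vlan, ssid_vlans):
    """Return a list of problem strings; an empty list means the plan is consistent.

    uplink     -- name of the trunk port facing the router/UTM
    mgmt_vlan  -- VLAN the APs are managed on (must reach them untagged)
    ssid_vlans -- VLANs the APs tag wireless-client traffic into
    """
    problems = []
    trunk = next(p for p in ports if p.name == uplink)
    carried = trunk.tagged | trunk.untagged

    for p in ports:
        # A port sends at most one VLAN untagged, and that VLAN is its PVID;
        # otherwise untagged ingress and egress are asymmetric.
        if len(p.untagged) > 1:
            problems.append(f"{p.name}: more than one untagged VLAN {sorted(p.untagged)}")
        if p.untagged and p.pvid not in p.untagged:
            problems.append(f"{p.name}: PVID {p.pvid} is not the untagged VLAN {sorted(p.untagged)}")
        if p.pvid in p.tagged:
            problems.append(f"{p.name}: VLAN {p.pvid} is both PVID and tagged "
                            "(untagged ingress, tagged egress)")
        # Every VLAN used on an edge port must be allowed on the uplink trunk.
        for v in sorted((p.tagged | p.untagged) - carried):
            problems.append(f"{p.name}: VLAN {v} is not carried by uplink {uplink}")
        if p.role == "ap":
            # The AP reaches its controller untagged and tags each SSID's VLAN.
            if mgmt_vlan in p.tagged or mgmt_vlan not in p.untagged:
                problems.append(f"{p.name}: management VLAN {mgmt_vlan} must be the untagged PVID VLAN on an AP port")
            for v in sorted(ssid_vlans - p.tagged):
                problems.append(f"{p.name}: SSID VLAN {v} must be tagged on an AP port")
    return problems


MGMT_VLAN = 20        # private VLAN, used to manage the APs (from the post)
SSID_VLANS = {10}     # guest SSID is tagged into VLAN 10 (from the post)


def thread_plan(ap_management_tagged):
    """Constructed topology: UTM trunk on port1, AP on port5, wired private host on port8.

    ap_management_tagged=True reproduces the original failing AP port (VLAN 20
    tagged, PVID 20); False is the corrected port from the post.
    """
    if ap_management_tagged:
        ap = Port("port5", "ap", pvid=20, untagged=set(), tagged={10, 20})
    else:
        ap = Port("port5", "ap", pvid=20, untagged={20}, tagged={10})
    return [
        Port("port1", "trunk", pvid=1, untagged={1}, tagged={10, 20}),
        ap,
        Port("port8", "access", pvid=20, untagged={20}, tagged=set()),
    ]


def check_thread_plan(ap_management_tagged):
    return validate(thread_plan(ap_management_tagged), "port1", MGMT_VLAN, SSID_VLANS)


if __name__ == "__main__":
    for label, flag in (("original AP port", True), ("corrected AP port", False)):
        print(label, "->", check_thread_plan(flag) or "OK")
```

Running it reports two problems for the original AP port (VLAN 20 both PVID and tagged; management VLAN not untagged) and none for the corrected one. The checker models the common managed-switch semantics where PVID and tagged/untagged membership are set independently, which is exactly how the asymmetric "PVID 20 but VLAN 20 tagged" state arises.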
  • Ping is handled globally: Webadmin -> Network Protection -> Firewall -> ICMP.
    If you don't want that, untick the selections there and create appropriate firewall rules instead.

    ----------
    Sophos user, admin and reseller.
    Private Setup:

    • XG: HPE DL20 Gen9 (Core i3-7300, 8GB RAM, 120GB SSD) | XG 18.0 (Home License) with: Web Protection, Site-to-Site-VPN (IPSec, RED-Tunnel), Remote Access (SSL, HTML5)
    • UTM: 2 vCPUs, 2GB RAM, 50GB vHDD, 2 vNICs on vServer (KVM) | UTM 9.7 (Home License) with: Email Protection, Webserver Protection, RED-Tunnel (server)
  • So interestingly, under Global ICMP Settings, I had everything unchecked except "Log ICMP redirects"

    Under Ping Settings, nothing is/was checked.

    And under Traceroute Settings, both of those ARE and have been checked.

    So I am still at a loss... :)

    Also odd: if I have a firewall rule that DROPS all traffic from Guest to Private, why does it seem PING is not included in the "Any" service definition?

    Although, as I type this, I see that the "Any" service definition is only TCP protocols, it appears. I may have to include ping in the firewall rule to drop, or at least I presume I do?

    (Currently not home to test, and I have nothing on the guest network to test with yet.)
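The question running through this exchange, whether a "drop guest to private" rule actually covers ping, comes down to two things: whether ICMP is decided outside the rule table (the global ICMP settings the reply points to), and whether the rule's service definition includes the ICMP protocol at all. The following is an added example, not code from the thread or from Sophos: a toy first-match packet filter in which a global ICMP-forwarding switch is consulted before the rules, and services are sets of (protocol, port range). The service table, the rule sets, the addresses, and the use of the ICMP type as the "port" of an ICMP packet are all assumptions of this model, not a description of the UTM's internals.

```python
"""Constructed example: first-match packet filter with protocol-aware services.

Not code from the forum thread or from Sophos. Shows why a drop rule whose
service omits ICMP lets ping through to a later allow rule, and how a global
ICMP-forwarding switch short-circuits the rule table entirely.
"""
from ipaddress import ip_address, ip_network

# Service definitions: list of (protocol, inclusive port range); None = any port.
# For ICMP the "port" is the ICMP type (8 = echo request). Assumed table.
SERVICES = {
    "any_tcp_udp": [("tcp", None), ("udp", None)],                  # omits ICMP
    "any":         [("tcp", None), ("udp", None), ("icmp", None)],  # includes ICMP
    "ping":        [("icmp", (8, 8))],
    "ssh":         [("tcp", (22, 22))],
}


def service_matches(service, proto, dport):
    for sproto, prange in SERVICES[service]:
        if sproto == proto and (prange is None or prange[0] <= dport <= prange[1]):
            return True
    return False


def evaluate(packet, rules, icmp_forwarded_globally):
    """Return "allow" or "drop" for packet = {src, dst, proto, dport}.

    Model assumption: a global ICMP-forwarding setting is checked before the
    rule table, so while it is on no rule can block ping. Rules are evaluated
    top-down, first match wins, and the default is drop.
    """
    if packet["proto"] == "icmp" and icmp_forwarded_globally:
        return "allow"
    src, dst = ip_address(packet["src"]), ip_address(packet["dst"])
    for rule in rules:
        if (src in ip_network(rule["src"]) and dst in ip_network(rule["dst"])
                and service_matches(rule["service"], packet["proto"], packet["dport"])):
            return rule["action"]
    return "drop"


GUEST, PRIVATE = "192.168.10.0/24", "192.168.20.0/24"      # VLAN 10 and VLAN 20
PING = {"src": "192.168.10.50", "dst": "192.168.20.10", "proto": "icmp", "dport": 8}
SSH = {"src": "192.168.10.50", "dst": "192.168.20.10", "proto": "tcp", "dport": 22}


def ruleset(drop_service):
    """Drop guest->private with the given service, then let guest out anywhere."""
    return [
        {"src": GUEST, "dst": PRIVATE, "service": drop_service, "action": "drop"},
        {"src": GUEST, "dst": "0.0.0.0/0", "service": "any", "action": "allow"},
    ]


def scenarios():
    ping_first = [{"src": GUEST, "dst": PRIVATE, "service": "ping", "action": "drop"}]
    return {
        # Global ICMP forwarding on: the drop rule is never consulted.
        "global_icmp_on": evaluate(PING, ruleset("any"), True),                  # allow
        # Drop service without ICMP: ping skips rule 1 and hits the allow rule.
        "drop_lacks_icmp": evaluate(PING, ruleset("any_tcp_udp"), False),        # allow
        # Same rule set does block TCP, which is why ssh/http/cifs fail.
        "ssh_dropped": evaluate(SSH, ruleset("any_tcp_udp"), False),             # drop
        # Drop service that includes ICMP blocks ping.
        "drop_has_icmp": evaluate(PING, ruleset("any"), False),                  # drop
        # Or an explicit ping drop rule placed above the allow.
        "explicit_ping_drop": evaluate(PING, ping_first + ruleset("any_tcp_udp"), False),  # drop
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:20s} {verdict}")
```

The leak in "drop_lacks_icmp" is the general pattern to check for: a deny rule only protects against the protocols its service definition names, and whatever it does not name falls through to the next rule, here the broad "guest to anywhere" allow that gives the guest VLAN internet access.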