LAB-in-A-Box - Help with configuring UTM VM with multiple ESX vSwitch vLAN interfaces on the internal nic

Hello all,

Firstly, I would like to thank the Sophos team for providing us with a free UTM Home edition - It is one of the best fully featured FW appliances that is free and I am so impressed by the drag and drop UI.

If possible I'm looking to expand the use of the UTM VM appliance to use the ESXi vSwitch Port Groups to create multiple VLANs to simulate typical DMZ scenarios as shown in the attached diagram.


Diagram updated: with the addition of eth2 (third interface) which now connects to the vSwitch trunk port and carries the port group tagged VLANs.

Any help will be greatly appreciated for creating the basic fw rules to enable basic internet access through the WAN port.

  • Hi and welcome,

    with such a large series of requests, I would suggest you read the knowledge base and start experimenting.

    The basic premise of the UTM is nothing passes unless you provide a rule, so everything is blocked.


    Ian

  • In reply to rfcat_vk:

    Thanks for your post. Yes you are right, I am beginning to understand that in a FW everything is blocked by default. I have figured that out by playing around with the rules.

    I later realized that it would not be possible to configure multiple VLANs using the VMware port group as a trunk (4095) and be able to do inter-vlan routing without a L3 switch/router device. So I am thinking of adding a virtual router such as vyatta and configure one interface as a trunk port and connect it to Internal UTM interface. But I am not quite sure if that will do the job?

  • In reply to Mike Godhani:

    Sounds like you are missing something. You do not need a Vyatta router for this. From your drawing it looks like you are trying to add a VLAN to the MGMT interface. Try adding another interface and creating your VLANs off that. On the switch side it is a trunk that contains your VLANs. On the Sophos side, on the interface that is connected to the trunk port on the switch, you add a VLAN interface for each VLAN that is contained in your trunk. Please open and review the help file when you are on the interfaces page of the UTM.

    Hope this helps.

    -Ron

  • In reply to rrosson:

    Ron,

    I added the 3rd interface to the UTM as you suggested and I have updated the diagram to reflect this.

    I can ping the gateway addresses from a VM that resides on each of the vlans, but I can't seem to ping any of the VMs.

    Added a rule to switch off the FW Source = Any Service=Any Destination = Any to at least get out to the internet, but I can't seem to get the traffic to go out of each of the vlans on the trunk port. Tried to also add each of the VLAN network to allow Any service and Destination = Any and still no luck.

    The only interface that seems to be allowing traffic to go out to the internet is from the eth0 which was originally configured as the internal interface when I installed the UTM.

    -Mike


  • In reply to Mike Godhani:

    Hi,

    the next trick is MASQ/NAT for each interface.


    Ian

  • In reply to rfcat_vk:

    1st rule was configured by the configuration wizard.

    Added a Masquerading Rule to allow traffic from VLAN 199 to access the internet.

    1st rule is created to turn off the FW but this did not work.

    2nd rule added LabNet-MGT vlan 199 but this does not seem to work.

    I can ping the WAN IP and also my home router gateway from a VM residing on vlan 199 but can't seem to get the traffic to flow through.

  • In reply to Mike Godhani:

    Hi,

    the masq rules are internal network -> external interface

    Not sure what you mean by turn firewall off, the firewall is off by default. Your first rule will apply and nothing will get to the next rule. You need a rule for each network and an associated masq/NAT RULE.

    Your first rule looks quite dangerous, e.g. anyone anywhere using any protocol can use your firewall as a proxy. UTM rules for outgoing traffic are basically internal network -> any (protocol) -> any network -> allow -> log


    IAN

  • In reply to rfcat_vk:

    Hi Ian,

    What I meant by firewall off is - allow all traffic through. I created that rule for testing if the VMs on each of the VLANs are able to get out to the internet and/or communicate with each other.

    I have done what you suggested. I have a NAT rule as well as a FW rule to allow all traffic, but for some strange reason traffic is being blocked. The rules only seem to be working for the internal interface which was created when I installed the UTM.

    I have disabled all the Wizard created FW rules and switched on just one rule.

    Traffic is being blocked - 192.168.199.2 is the VM and 192.168.199.1 is the vlan interface IP (Gateway)

    I changed the priority of the LABNet-MGMT NAT rule

    I can do a tracert to my home router but DNS is being blocked - I'm confused as to what is blocking traffic from the vlan interface?

  • In reply to Mike Godhani:

    Hi,

    looks like your IP range is not in the allowed network for vlan199.

    What does the vlan199 interface show?


    ian

  • In reply to rfcat_vk:

    Hi Ian, the addressing for the vlan 199 interface is as below:

    Update:

    I had to add LabNet-MGT network to the DNS Allowed Networks and that did the trick!

    Now that I have figured out how to control access to the internet for each of the subnets, I now need to learn the basics of how to configure the inter-VLAN FW and network traffic rules.
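Worked example (added here; not code from the thread or from Sophos): a small first-match model of the rule set Ian describes (internal network -> any -> any -> allow, plus a masquerading rule per network) together with the DNS proxy Allowed Networks check that fixed VLAN 199, showing why the Any/Any/Any "switch off the FW" rule shadows every rule behind it and lets any source through. The WAN interface name eth1 and the 203.0.113.10 destination are assumptions; the 192.168.199.0/24 addressing is the thread's.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Rule:
    source: ipaddress.IPv4Network
    service: str             # "any" or a service name such as "dns"
    dest: ipaddress.IPv4Network
    action: str              # "allow" or "drop"

def first_match(rules, src, service, dst):
    """First-match evaluation: the first rule whose source, service and
    destination all match decides; later rules are never consulted."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if src in r.source and dst in r.dest and r.service in ("any", service):
            return i, r.action
    return None, "drop"      # implicit default: nothing passes without a rule

def masq_interface(masq_rules, src):
    """Masquerading rule = internal network -> external interface."""
    src = ipaddress.ip_address(src)
    return next((iface for net, iface in masq_rules if src in net), None)

def dns_proxy_permits(allowed_networks, src):
    """The DNS proxy only answers clients inside its Allowed Networks."""
    src = ipaddress.ip_address(src)
    return any(src in n for n in allowed_networks)

def outbound_check(rules, masq_rules, allowed_dns, src, service, dst):
    """Combine the three checks a VLAN client in this thread needed."""
    idx, action = first_match(rules, src, service, dst)
    return {
        "rule": idx,
        "allowed": action == "allow",
        "masq_via": masq_interface(masq_rules, src),
        "dns_ok": service != "dns" or dns_proxy_permits(allowed_dns, src),
    }

# Constructed sample data modelled on the thread's addressing (VLAN 199, gateway .1).
LABNET_MGT = ipaddress.ip_network("192.168.199.0/24")
RISKY = [Rule(ANY, "any", ANY, "allow"),                 # "switch off the FW" rule
         Rule(LABNET_MGT, "any", ANY, "allow")]          # never reached behind it
HARDENED = [Rule(LABNET_MGT, "any", ANY, "allow")]      # internal -> any -> any -> allow
MASQ = [(LABNET_MGT, "eth1")]   # eth1 assumed to be the external (WAN) interface
DNS_ALLOWED = [LABNET_MGT]      # the fix: LabNet-MGT added to DNS Allowed Networks
```

Run `outbound_check(RISKY, MASQ, DNS_ALLOWED, "10.9.9.9", "http", "203.0.113.10")` to see an outside host allowed by rule 0 with no masquerade, versus the same call against HARDENED being dropped.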

  • In reply to Mike Godhani:

    I did some testing, I disabled all NAT and FW rules and to my surprise once the vlan is added to the Global allowed network for DNS, I was able to get out to the internet from the VM without needing any FW rules.

    Not sure what is going on?

  • In reply to Mike Godhani:

    Quick guess..... probably because you have the web proxy enabled?