
RED50 - VLAN and DHCP not working

I have an internal client vlan (VLAN12) that I need to pass to a remote office.  I purchased a RED50 because the literature says it can handle VLANs.  Only, I’ve tried every which way that is suggested by the Sophos Community and I cannot get it to work.


VLAN12 works fine internally, but when I try to pass it over the RED50, I get nothing.  Hopefully, someone out there will be willing and able to give me a hand with this.


My current setup is as follows:


  • Windows Server 2012 R2 DHCP server (10.0.0.12) on a management vlan (VLAN1)
    • Client DHCP scope setup:
      • Address pool 10.0.12.1 – 10.0.12.200
      • Router 10.0.12.254
      • DNS server 10.0.0.12


  • Sophos SG310, UTM 9.409-9 (10.0.0.253)
    • Eth0 = Internal LAN (10.0.0.253)
    • Static route (gateway) - Internal interface and Client network to core switch
    • Firewall rule - Internal interface and Client network to Internal interface and Client network for Any service
    • Firewall rules - Internal interface and Client network to Anywhere for DNS, HTTP, HTTPS, etc
    • Multipath rule - Internal interface and Client network to Anywhere for Any service on the WAN interface


  • HP 3800 core switch (10.0.0.254), setup with:
    • Default gateway (10.0.0.253)
    • VLAN1 (10.0.0.254)
    • VLAN12 (10.0.12.254)
    • IP route for 0.0.0.0/0 with the gateway IP 10.0.0.253
    • VLAN12 has an IP helper address of 10.0.0.12


Port 1 on the core switch is untagged in VLAN1 and connects the DHCP server

Port 10 on the core switch is untagged in VLAN12 and connects a client PC to the network

Port 38 on the core switch is untagged in VLAN1 and connects to eth0 on the Sophos UTM


When I connect a PC to port 10 on the core switch, it gets an IP address from the Client scope on the DHCP server.  The PC can also connect to all other devices on both VLAN1 and VLAN12, as well as the internet.


Without going into detail, I have tried setting up the RED50 in almost every conceivable manner, and none of the setups provide a connection back to the DHCP server.

  • Hi, and welcome to the UTM Community!

    VLAN 1 is reserved in the UTM for Wireless Security.  Please change that to some other tag and let us know if your RED problem persists.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob


    Thanks for the warm welcome.


    I'm in touch with the Sophos Senior Technical Team regarding the issue now.  Sophos support have confirmed the VLAN12 tag is getting to my RED50, but it is not being handled/passed through my UTM.


    I had read online about the VLAN1 Wireless reservation, but as I'm not tagging VLAN1, it shouldn't be an issue.  Should it?

    Also, it might be an idea for Sophos to make the Wireless VLAN ID changeable, as almost all switches have VLAN1 as the default VLAN.  And it's my guess that all but the most experienced network managers/engineers will just use the default, even though best practice is not to.  Unfortunately for me, I was unaware of this "best practice" and the network engineer that set our VLANs up never mentioned anything at the time.  If I HAVE to change it, I will, but it's a lot of downtime to schedule in, so I'd like to avoid it, if at all possible.


    All my servers and switches are untagged in VLAN1 and the UTM provides internet access, etc. without any problems.


    If and when I get a resolution to the issue, I will post it here for others reference.


    Thanks, Dan

  • Looking forward to hearing the resolution, Dan - TIA.

    Your description of VLAN 1 makes me think that you mean an untagged VLAN, not one that's tagged with "1."  In any case, as long as no VLAN tagged "1" is visible to the UTM, there should be no problem.

    Cheers - Bob

  • Hi All,

    Updating the thread as the case is running with Support. Daniel is forwarding VLAN12 tagged traffic via RED to the UTM. The UTM is receiving the tagged traffic as per the captured dumps. The interface configuration for the RED was type: Ethernet, which was changed to type: Ethernet VLAN with tag 12 for the RED's virtual interface. After this change, the UTM forwards and relays the DHCP requests to the DHCP server behind the switch.

    Taking a PCAP on the server side, we noticed that the reply packets from the server were getting dropped on the core switch. After removing the VLAN12 database from the core switch, the RED client could receive an IP address from the DHCP server.

    This is for reference for other members who may have a similar setup.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
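As an added illustration of the two checks Sachin describes (my own example code, not anything from Sophos or from this thread): confirming from a capture that the DHCP request arriving over the RED carries the VLAN12 tag, and confirming on the server side that the reply is addressed back to the relay agent that forwarded it. The script parses raw Ethernet frames without Scapy, reports the 802.1Q VID, BOOTP op, hops, giaddr and DHCP message type, and checks that a server reply matches the relayed request. The three frames are constructed inline (not real captures), IP/UDP checksums are left at zero because the parser does not verify them, and 10.0.12.253 is an assumed placeholder for the UTM's VLAN12 relay address, which the thread does not give.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag follows the source MAC
ETHERTYPE_IPV4 = 0x0800
DHCP_MAGIC = b"\x63\x82\x53\x63"
BOOTP_OP = {1: "BOOTREQUEST", 2: "BOOTREPLY"}


@dataclass
class DhcpSummary:
    vlan_id: Optional[int]   # 802.1Q VID, None when the frame is untagged
    src_ip: str
    dst_ip: str
    xid: int                 # transaction id, identical across one DHCP exchange
    op: str                  # BOOTREQUEST (client side) or BOOTREPLY (server side)
    hops: int                # incremented by each relay agent
    yiaddr: str              # "your" address: the lease being offered/acknowledged
    giaddr: str              # relay agent address; 0.0.0.0 when the request was not relayed
    chaddr: str              # client hardware (MAC) address
    msg_type: Optional[int]  # option 53: 1 DISCOVER, 2 OFFER, 3 REQUEST, 5 ACK


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_frame(frame: bytes) -> DhcpSummary:
    """Decode an Ethernet frame (optionally 802.1Q tagged) carrying DHCP over IPv4/UDP."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    off, vlan_id = 14, None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, off = tci & 0x0FFF, 18        # low 12 bits of the TCI are the VID
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ihl = (frame[off] & 0x0F) * 4
    if frame[off + 9] != 17:
        raise ValueError("not UDP")
    src_ip, dst_ip = _ip(frame[off + 12:off + 16]), _ip(frame[off + 16:off + 20])
    udp = off + ihl
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    if not {sport, dport} & {67, 68}:
        raise ValueError("not DHCP/BOOTP ports")
    b = frame[udp + 8:]                        # fixed BOOTP header begins after the UDP header
    xid = struct.unpack("!I", b[4:8])[0]
    msg_type = None
    if b[236:240] == DHCP_MAGIC:               # options follow the magic cookie
        i = 240
        while i < len(b) and b[i] != 255:      # 255 = end option
            if b[i] == 0:                      # 0 = pad, has no length byte
                i += 1
                continue
            code, length = b[i], b[i + 1]
            if code == 53:
                msg_type = b[i + 2]
            i += 2 + length
    return DhcpSummary(vlan_id=vlan_id, src_ip=src_ip, dst_ip=dst_ip, xid=xid,
                       op=BOOTP_OP.get(b[0], "?"), hops=b[3], yiaddr=_ip(b[16:20]),
                       giaddr=_ip(b[24:28]), chaddr=":".join(f"{x:02x}" for x in b[28:34]),
                       msg_type=msg_type)


def reply_matches_relay(relayed_request: DhcpSummary, reply: DhcpSummary) -> bool:
    """True when a server reply is addressed back to the relay agent (giaddr) that forwarded the request."""
    return (reply.op == "BOOTREPLY" and reply.xid == relayed_request.xid
            and relayed_request.giaddr != "0.0.0.0" and reply.dst_ip == relayed_request.giaddr)


# --- constructed sample frames (not real captures); IP/UDP checksums are left at zero ---
CLIENT_MAC = bytes.fromhex("001122334455")
XID = 0x3903F326
UTM_RELAY_IP = "10.0.12.253"   # assumed placeholder for the UTM's VLAN12 interface, not from the thread


def _bootp(op, hops, yiaddr, giaddr, msg_type):
    hdr = struct.pack("!BBBBIHH", op, 1, 6, hops, XID, 0, 0x8000)   # htype 1, hlen 6, broadcast flag
    hdr += bytes(4) + bytes(map(int, yiaddr.split("."))) + bytes(4) + bytes(map(int, giaddr.split(".")))
    hdr += CLIENT_MAC + bytes(10) + bytes(64) + bytes(128)            # chaddr(16), sname(64), file(128)
    return hdr + DHCP_MAGIC + bytes([53, 1, msg_type, 255])


def _frame(vlan, src_ip, dst_ip, sport, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split(".")))) + udp
    eth = b"\xff" * 6 + CLIENT_MAC                                    # MACs are not used by the parser
    if vlan is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan)               # PCP/DEI 0, VID = vlan
    return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip


# 1. DISCOVER as it arrives over the RED: tagged VID 12, not yet relayed (giaddr 0.0.0.0)
CLIENT_DISCOVER_ON_RED = _frame(12, "0.0.0.0", "255.255.255.255", 68, 67, _bootp(1, 0, "0.0.0.0", "0.0.0.0", 1))
# 2. The same request after the UTM relayed it towards 10.0.0.12: untagged, giaddr set, hops 1
RELAYED_DISCOVER = _frame(None, UTM_RELAY_IP, "10.0.0.12", 67, 67, _bootp(1, 1, "0.0.0.0", UTM_RELAY_IP, 1))
# 3. The server's OFFER, which must come back to giaddr rather than to the client directly
SERVER_OFFER = _frame(None, "10.0.0.12", UTM_RELAY_IP, 67, 67, _bootp(2, 1, "10.0.12.57", UTM_RELAY_IP, 2))

if __name__ == "__main__":
    for name, f in [("client", CLIENT_DISCOVER_ON_RED), ("relayed", RELAYED_DISCOVER), ("offer", SERVER_OFFER)]:
        print(name, parse_frame(f))
    print("offer returns to relay:", reply_matches_relay(parse_frame(RELAYED_DISCOVER), parse_frame(SERVER_OFFER)))
```

To use it on a real capture, feed the raw bytes of each frame (for example from a pcap reader) to parse_frame: a request seen on the RED-side interface with vlan_id None means the tag was stripped before the UTM saw it, and a reply whose dst_ip differs from the relayed request's giaddr will never reach the relay, whatever the switch does with it.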

  • Bob - You are exactly right, there is nothing tagged in VLAN1 anywhere on my network, so all should be good on that front.

  • Regarding VLAN12 now getting DHCP address assignments correctly: yes, the DHCP server now hands out IPs to VLAN12 devices.

    HOWEVER, whilst I can access all other network devices (RED50 side or UTM side) from the VLAN12 device, I CANNOT access the VLAN12 device (RED50 side) from any device on the UTM side.

    So the problem is still not yet resolved, although progress has been made.

  • This sounds like a routing problem, Daniel.  I'm betting you need a route in the core switch and that it will be obvious to you what it needs to be.

    Cheers - Bob
