
This discussion has been locked.

VLAN / DHCP

I have 3 VLANS, along with DHCP set up for each one.  

My Sophos is 10.0.0.1, and I'd like VLAN11 to be on the 10.0.0.x network, so I've configured it as so...  

However, when I plug a new device into the network, it gets put on the 169.254.x.x network, instead of picking up the 10.0.0.x/VLAN11.

I know I am missing something super obvious but the Sophos interface is brand new to me after getting away from Netgear.



  • Hi,

    very simple, the VLANs are on your external interface and need to be on your internal interface and managed through a managed switch.

    I do not understand your configuration as to why you are using a bridge connection?

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • rfcat_vk said:

    Hi,

    very simple, the VLANs are on your external interface and need to be on your internal interface and managed through a managed switch.

    Yeah, that makes sense.  For some reason when I go to add a VLAN, that's the only interface that it allows me to put them on.  Any idea why that would be?

    rfcat_vk said:

    I do not understand your configuration as to why you are using a bridge connection?



    I didn't choose it... that must have been the default.  If there is a way to change that, I will.

     
  • Hi,

    with the current version of XG, VLANs on bridge are not supported; from memory, that will be added shortly.

    The bridge was set up during initial installation; you had a choice of bridge or routing. You can delete that bridge by removing (deleting) the various interfaces out of it.

    You will need to delete your DHCP server because you will be creating VLANs on a different network with the same IP addresses you are now using?

    Ian


  • I have to disagree. I just deployed sophosOS for a new machine with one external PCI 4NIC card and there was no bridge - each port works as a separate interface. Or maybe I didn't know how to configure it as one LAN -> 1,2,3 interfaces as one LAN

    __________SETUP___________

    HP Small Form Factor:  i5 4Cores, 8Gb of RAM.
    Intel Network Card 5x Eth
    SSD: 256Gb

  • I just factory reset...  there were two options, the Bridge one which I didn't select...

    This is what I see after I first login:

     

     

    If I try to add VLAN, it only allows it on Port2/WAN.  Am I missing something obvious to be able to set VLANs on port1?

  • The Wizard will actually bridge the interfaces. There is an option to not bridge the interfaces anyway. There is some text about it in the Wizard.

     

    You need V18 to build VLANs on a Bridge. 

    https://community.sophos.com/products/xg-firewall/b/blog/posts/xg-firewall-v18-ga_2d00_build354-is-now-available

     

    If you have MR11, please wait some days. 

    __________________________________________________________________________________________________________________

  • Alright so if I remove the bridge, what do I need to do to get ports 1,3,4 to get access to WAN?

  • Hi Joe,

    you need to add IP addresses to the interfaces, then create firewall rules to allow the traffic out.

    You can start with simple rules: source LAN -> IP address range of interface -> destination WAN -> ANY -> allow -> log will get you going. Further down the track you can modify each rule to use the web proxy to DPI engine, you can refine which ports you allow out, and you can decide to scan mail, but you will need to install the XG CA on each device, the same if you choose to use decrypt and scan in the web proxy.

    Ian


  • Hi,

    I forgot to add: you will also need a NAT rule; at this stage a generic rule would be best.

    Ian
