
Sophos SD-RED 20 and VLANs

Hello, I have the following scenario: I need to transport some VLANs that are on my core L3 switch to behind the RED (appliance). I have already tried to put the firewall interface marked with the VLANs that I need; in Sophos I grouped the VLANs in a bridge. A station behind the RED gets an IP from the guest VLAN but does not browse.

I know it's not a good practice, but I need the Hotspot of my guest network, also in the branches.

  • And what would be the ideal scenario? Of all the VLANs, the only one I need in branch offices is Guest.

  • From my point of view, expanding a VLAN is not a good idea. You should look at those locations as their own networks and segment them there, from a segmentation perspective. Expanding the same VLAN to all locations would mean you span the same network subnet to all locations, which means all broadcast packets will be transferred to all locations. By segmenting into their own VLANs with their own subnet ranges, you have a clean cut between those networks. 

    __________________________________________________________________________________________________________________

  • I understand, but in my guest network I have a Hotspot (Mikrotik) configured where users create a registration to be able to use the Internet, so I have navigation logs, according to the data law of my country. Setting up another Hotspot in the branches would be laborious and complicated to maintain.

  • My interfaces are configured as follows:

  • This is the topology of my headquarters:

  • As mentioned, you can do this for 2 REDs, but if you want to expand, you should rethink your design about the Hotspot. 

    __________________________________________________________________________________________________________________

  • I tried to configure a lab as you suggested: I used a firewall as a RED server and another as a RED client, I grouped the interfaces in a bridge at both ends, and I put a switch to mark the packets, but without success. Perhaps a firewall acting as the RED client works another way?

  • What did you place on the other end of the firewall? Because the firewall will not tag the traffic in that sense, like a PVID does. Can you check the tcpdump/packet capture of the firewalls to see if the traffic is flowing? 

    __________________________________________________________________________________________________________________
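When checking a capture like the one suggested above, the question is simply whether the frames that reach the far end of the tunnel still carry their 802.1Q tag (and which VID), or arrive untagged. The following is an added example, not code from the thread or from Sophos: a small parser for raw Ethernet frames that walks any stacked VLAN tags and counts frames per VID. The sample frames are constructed inline (VLAN 150 is used because it is the guest VLAN mentioned in the thread; MAC addresses and payloads are made up).

```python
"""Report 802.1Q VLAN tags in raw Ethernet frames from a capture.

Added example (not from the forum thread or Sophos). Feed it the raw bytes of
each frame from a packet capture and it tells you whether the frame was tagged
and with which VID, so you can see whether trunk traffic survives the RED hop.
"""
import struct
from dataclasses import dataclass, field
from typing import List

ETHERTYPE_VLAN = 0x8100  # 802.1Q tag (TPID)
ETHERTYPE_QINQ = 0x88A8  # 802.1ad outer tag (TPID)
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


@dataclass
class FrameInfo:
    dst: str
    src: str
    vids: List[int] = field(default_factory=list)  # outer-to-inner; empty = untagged
    ethertype: int = 0  # ethertype of the payload after any tags


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(frame: bytes) -> FrameInfo:
    """Parse dst/src MACs, then any 802.1Q/802.1ad tags, then the payload ethertype."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    info = FrameInfo(dst=_mac(frame[0:6]), src=_mac(frame[6:12]))
    offset = 12
    etype = struct.unpack("!H", frame[offset:offset + 2])[0]
    # Each tag is 4 bytes: 2-byte TPID followed by 2-byte TCI (PCP, DEI, 12-bit VID).
    while etype in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        info.vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VID
        offset += 4
        etype = struct.unpack("!H", frame[offset:offset + 2])[0]
    info.ethertype = etype
    return info


def build_frame(dst: str, src: str, payload_etype: int, payload: bytes, vid=None) -> bytes:
    """Construct a test frame, optionally with one 802.1Q tag (PCP 0, DEI 0)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vid & 0x0FFF)
    return hdr + struct.pack("!H", payload_etype) + payload


def summarize(frames) -> dict:
    """Count frames per outer VID; untagged frames are keyed 'untagged'."""
    counts = {}
    for raw in frames:
        info = parse_frame(raw)
        key = info.vids[0] if info.vids else "untagged"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample frames: two tagged with VID 150 (ARP and IPv4), one untagged IPv4.
SAMPLE_FRAMES = [
    build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", ETHERTYPE_ARP, b"\x00" * 28, vid=150),
    build_frame("02:00:00:00:00:02", "02:00:00:00:00:01", ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19),
    build_frame("02:00:00:00:00:02", "02:00:00:00:00:03", ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19, vid=150),
]

if __name__ == "__main__":
    for raw in SAMPLE_FRAMES:
        print(parse_frame(raw))
    print(summarize(SAMPLE_FRAMES))
```

To use it on a real capture, hand `parse_frame` the raw bytes of each frame (with scapy, `bytes(pkt)` for each packet read from the pcap). If the summary on the RED-client side shows only `untagged` frames while the headquarters side shows VID 150, the tag is being stripped somewhere on the path rather than the traffic not flowing at all.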

  • Behind the RED client I put a switch to mark the packets.
    The router is configured to be the L3 gateway for the headquarters VLANs. VLAN 150 is configured on it.

    My test topology:

  • If your topology really is like the above, then you are not transporting all VLANs to the Sophos PortA.

    You need a trunk port to transport all VLANs and the Sophos will pass them on unmodified.

    The only thing that configuring a VLAN on a Sophos port does is make that port a member of that particular VLAN.

    At least this is my observation and experience so far.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.