
VLAN and Virtual XG Behaviors

So I'll start off by letting you know I'm currently running pfSense, with no issue. The configuration is set as expected. I'm finding some odd behavior though in trying to MATCH the configuration with the Sophos XG. I can validate that with the UTM9 platform, I'm able to see traffic behave as expected as well. But for some reason, the XG is causing some very odd results, and not working in setting up my VLANs appropriately.

2 main issues I've run into:

  1. I have an Asus RT-N66U running Tomato Shibby firmware. This enables the VLAN tagging/trunking. I've set up Port1 as Trunk with VLAN 10/12. On XG, I've configured Port1 with VLAN sub-interfaces (10/12). If I connect Port1 to LAN (vPortGroup, which is on a vSwitch with 1 uplink to Port1 of Asus), there is no connectivity. I cannot, from a device on the VLANs, ping the interfaces (either the main Port1 or Port1.10/Port1.12).
  2. Using a virtual environment, I've added 3 vNICs to the VM (VM-Net/Wan/DMZ). My goal, when set up properly, is to attach the LAN network in place of VM-Net. For testing and connectivity though (due to the issues above), I've added a 4th vNIC connected to Lan. If I set Port1(VM-Net) and Port3(LAN), I can ping both IPs on the interfaces. If I switch Port1(LAN) and Port3(VM-Net), I cannot reach EITHER interface IP.

My setup with some basic outline below:

Cable Modem <---> vmNIC1 ESXi <---> vSwitch3 <---> vPortGroupWAN <---> <[XG Firewall]> <---> vPortGroupLAN [VLAN 4095 (trunk)] <---> vSwitch2 <---> Asus Port1 (VL10/12 Trunk) <---> br0 (VL10) Local LAN ports & WiFi / br1 (VL12) Guest WiFi

In VMware, the way to pass a trunk port through to a vNIC interface is to set the PortGroup VLAN to 4095 for passing ALL VLANs into the VM. This essentially leaves all TAGS intact, and passes them through to the attached vNIC interfaces. As mentioned above, this works perfectly fine with pfSense where I've set up the LAN/GUEST interfaces to VLAN 10/12 - the configuration on the Asus is sending packets flagged properly with the correct VLAN tags and processing traffic appropriately. And the end result of segregating the two subnets through my pfSense box (aka strong firewall, qos, snort, etc rules) is working perfectly.

I'd heard a lot of people talking about how XG isn't ready and to stick with the UTM 9 instead. I decided to attempt seeing if the same issue existed there, and it looks at a base level like the issue is not present in UTM9. I did a quick setup, configured VLANs, and tested communication from the UTM to the different VLAN subnets, and it seems to work ok. I'd rather not have to go UTM9, as the interface is getting outdated, and likely will be a retired product in just a few short years. XG is clearly the future, but I'm EXTREMELY frustrated at this point not being able to switch over.

Any help is GREATLY appreciated. Also if there are ways I can further isolate/troubleshoot to find exactly where the issue is, that would be helpful as well. 
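As an added troubleshooting aid (example code written for this thread, not from the original post or from Sophos): a small 802.1Q frame parser that shows what "tags intact" means once frames reach the XG's vNIC. Run it over frames captured on the XG LAN interface (constructed sample frames are embedded here) and it reports whether a frame arrived untagged (tag stripped before the VM, e.g. a port group VLAN other than 4095) or tagged with one of the trunk's VLANs; the expected VLAN set {10, 12} and the sample MAC addresses are assumptions taken from the setup described above.

```python
import struct

# Tag Protocol Identifiers: 802.1Q customer tag and 802.1ad service tag (QinQ).
TPID_8021Q = 0x8100
TPID_8021AD = 0x88A8

# VLANs the trunk in this thread is expected to carry (assumption: Asus Port1 trunks 10/12).
EXPECTED_VLANS = {10, 12}


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet frame; return MACs, VLAN tags (outer to inner) and payload ethertype."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6], frame[6:12]
    offset, tags = 12, []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break                      # reached the real payload ethertype
        if offset + 2 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset)  # Tag Control Information
        offset += 2
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tags": tags,
            "ethertype": ethertype, "payload": frame[offset:]}


def classify(frame: bytes, expected=EXPECTED_VLANS) -> str:
    """Report whether a frame arrived untagged, on an expected VLAN, or on a stray VLAN."""
    tags = parse_frame(frame)["tags"]
    if not tags:
        return "untagged"              # tag stripped upstream (port group not 4095, or access port)
    vid = tags[0]["vid"]               # outer tag decides which sub-interface should receive it
    return f"vlan {vid}" if vid in expected else f"unexpected vlan {vid}"


def build_frame(vid=None, pcp=0, ethertype=0x0800, payload=b"\x45" + b"\x00" * 19) -> bytes:
    """Constructed sample frame (not a real capture): broadcast dst, locally administered src."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("0200c0a80a01")
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    for f in (build_frame(10), build_frame(12, pcp=5), build_frame(), build_frame(99)):
        print(classify(f), parse_frame(f)["tags"])
```

If every frame classifies as "untagged" at the XG side while the Asus is trunking, the tag is being stripped between the physical port and the vNIC (port group VLAN setting), not by the XG.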

  • I know this is an old thread, but a big THANK YOU for that tidbit on the port group set to 4095.  It worked for me and I will be adding that to my brain dump for later.

    Seeing as how your post is from 2016, I will admit that XG was...buggy at that time.  The company I work for (myself too) stuck with UTM until XG got most of the kinks worked out.

    The conversion (UTM to XG), centralized firewall management, user/customer account creation/provisioning/management, and PSA integration for alerting are still troublesome to this day, but the core XG firewall, VPN, and web filtering are way better than UTM in my opinion.

  • I assume V18 supports both setups. This initial post is now nearly 4 years old.


  • Over the last few days I have finally got some time to try a migration from the UTM9, which I have used and loved for some years now, to the new XG Firewall. I too have the same setup as you with the UTM and XG running in ESX and found the same problem, but was aware of using 4095 to send all the VLANs through to the UTM. What I did to resolve this in the short term was leave Port1 as a dedicated Out of Band management port, Port 2 as WAN and Port 3 as all my network VLANs, which worked perfectly. Up until this point I was also getting very frustrated because whilst I could add all the VLANs onto Port1 the result was there was NO WAN connectivity at all, and I couldn't find a reason why.

    Rebuilding the firewall VM again, I did it as default and vanilla as I could and everything worked with a single WAN internet connection and a single non-VLAN Port 1 LAN network. As soon as you add a VLAN to Port 1, WAN was dead. This is not how the UTM9 worked, as I have WAN, LAN (all VLANs) only and it was perfect; this took me a while to work out. Putting all VLANs on Port3 had the same effect and no problems were encountered.

    Hope that helps. Not ideal, as it means wasting a port, but you don't have to bind Port 1 to a physical vmnic via a vSwitch anyway, so you can just ignore it in a way.

  • I created a separate vswitch in ESXi and dedicated a physical NIC to it for the WAN connection.  Maybe that would help?

    My LAN and all internal VLANs are on a different vswitch and my XG LAN NIC has all VLANs configured.  Similar to what you have, but divided differently.  I don't have a dedicated management VLAN.

  • Hello,

    What you suggest is exactly what I would and have done. Keep the WAN and LAN ports of the XG on their own NIC connecting to what you need.

    The only reason I have the 'management' network was because of the issue putting VLANs on Port1. That said, it is handy to have a direct back door to the Firewall on a physical port if all things go pear shaped switching/network wise. I would have just normally put all the VLANs on the LAN port as well, but doing that seems to break things; putting the VLAN trunk onto Port 3 resolved all my woes.

    My config is as follows:

    In SophosXG:

    On the VM:

    ESXi Networking:

    XG Port 1 - Network adapter 1 is connected to a vSwitch which has a VM connected for OOB Management and can be connected to an external vNIC

    XG Port 2 - Network adapter 2 (WAN) is connected to a vSwitch and to an external vNIC connected to my ISP NTD (it provides a single DHCP address)

    XG Port 3 - Network adapter 3 is connected to my switch which has all the tagged VLANs for the different networks

    XG Port 4 - Network adapter 4 is connected to a vSwitch, to an external vNIC and connected to an LTE Modem as a WAN backup.

    Does that help?

    FWIW I am familiar in also running pfSense and UTM9. I originally was using pfSense before a friend suggested I try the UTM, which was frankly a better choice. Now that I need to move on from the UTM I'm trying the XG and found exactly the same foibles as you have, and after a couple of re-installs and testing I found that putting VLANs on Port1 resulted in things not working properly. Leaving it alone worked around this issue by leaving Port1 default.

  • Thanks for sharing. After I got the VLAN traffic going to the XG via the 4095 tag in ESXi, I've not had any issues. Could you share what issues occur when you have it set up the way I have it?

    I have HP for my layer 2 switch, and vlan 1 is untagged and the other vlans (WLAN and IoT WLAN) are tagged on the ESXi switchport.

    The LAN NIC in XG is configured with the 4095 vlan on vswitch0

    I have a separate LAN vlan on vswitch0 for all VMs except the XG.

    The WAN NIC in XG is configured with an ESXi-defined (only in ESXi) WAN vlan on its own vswitch (vswitch1).

    On the HP switch, I have vlan 1 untagged and the WLAN and IoT vlans are tagged on the port going to my access point.  I have different vlans configured on different SSIDs.

    On the XG, I have the same sub-interface VLANs configured that you have, but mine are on the LAN port instead of a third port.

    I have the WLAN vlan getting relayed to my DHCP server on its own scope and the XG configured as DHCP server for the IoT WLAN in the DMZ zone.

    I have a firewall rule set up to allow the WLAN network and LAN to communicate.

    I have a firewall rule allowing all DMZ traffic out the WAN zone and I have an explicit block rule to reject traffic from the IoT WLAN going to anything on the LAN.

    It all works quite well so far.

    My next move is to get a second WAN connection and configure fail-over gateways.  More vlan fun.  :)

    Thanks,

    Ed

  • Still on SFOS 17.5.9 MR-9. No updates are available at this time.