
Integrating an XG210 with an existing Ubiquiti Unifi Network with multiple VLANs.

I am trying to integrate an XG210 into an existing network. The network is a full Ubiquiti Unifi setup and has multiple VLANs set up between the gateway and the switch. I would think I could place the XG in line on a trunk connection between the switch and the gateway. The end goal is to be able to filter the individual networks separately with regard to web filtering, scanning, etc.

I have asked this question before and got a lead: "You would have to set up virtual interfaces for all the VLANs and bridge them accordingly." But was unsuccessful in making this work.

I am new to the XGs, having come from SonicWall, so I am still a bit green when it comes to using the XG software. Can anyone give me a bit more detailed instructions, or at least a link or two to something to help me figure this out? Any help will be appreciated.

  • Hi Paul,

    Welcome to Sophos. I would advise you to contact the partner you purchased the device from to help you with your migration. I am sure they are able to help. Let me know if they cannot provide you assistance in this matter.

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support


  • I am a little embarrassed to admit this, but I am the partner... This is my first Sophos roll-out, having come from SonicWALL. All of the brands do things a little differently.

  • Paul,

    Upload a network diagram and I will try to help you find the correct configuration.

    Regards

  • Hi Paul, 

    No problem. I just checked whether there is a migration tool to convert a SonicWall backup to XG. Unfortunately, this option is only available in Cyberoam.

    What we may need is for you to upload the topology; you may hide some sensitive information if needed, or you may private message either Luk or myself the network topology with IP details. We will try to send configuration steps.

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support


  • Here is a network diagram with identifying information removed. Thank you for taking a look.

  • I uploaded a diagram in response to another post. Thank you.

  • Thanks Paul.

    On XG you do not have to create all the VLANs to intercept and inspect all the traffic. You can bridge 2 NICs and put the XG inline. A few months ago it was written that the bridge feature is improved on XG. Here is the link:

    https://community.sophos.com/products/xg-firewall/v16beta/f/sfos-v16-beta-feedback/79102/xg-and-vlans-on-bridges---feedback-needed

    Did you already try the configuration you need in a small lab? I always install XG in routing mode. In your case bridge mode is better and simpler.

    Let us know.

    Thanks

  • OK, I finally got a chance to try this after hours, when I could disrupt the network. I reset the XG to factory, then went through the wizard to set it up as a bridge. I chose an IP for the bridge of 192.168.1.250, and the gateway as the existing gateway of 192.168.1.254. After it was done, I plugged it all in. Port A to my core switch, Port B to the gateway... and nothing worked. No traffic could flow from my workstation on VLAN 10 to the gateway and be routed to any other workstation on any other VLAN, nor did I have access to the internet.

    Then I remembered something I read about on another post. I went into the interfaces section, selected to edit the bridge interface, and UNCHECKED the "enable routing on this bridge pair" checkbox. Then, everything worked. I had internet, and my VLANs could talk to each other again....

    But I noticed that inbound traffic was failing. I have two internal servers on VLAN 50 that were not receiving heartbeat signals from their clients. I remembered that the wizard only made a LAN to WAN firewall rule. So I added a WAN to LAN rule that allows everything for now. The gateway has its own firewall that is blocking any unwanted outside traffic from entering, so I feel that this rule is inherently safe for now.

    So...at this point I have the firewall in place and passing all traffic both ways without any filtering or inspection.

    Now, how do I tell the firewall to inspect, filter, etc. traffic on a per-VLAN basis? Do I replace the existing WAN to LAN rule with a rule for each VLAN? Or do I replace the LAN to WAN rule?

  • Paul,

    Good work! To be able to allow only certain VLANs, create the VLAN network and then add it to the source network inside the LAN to WAN rule or any other policy rule, and that VLAN will be allowed.

    Thanks
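As an added illustration of the per-VLAN approach discussed in the two posts above (this is not code from the thread, from Sophos, or from the XG rule engine), a small Python model of how an inline bridge-mode firewall selects a policy for a frame arriving on a trunk: parse the 802.1Q tag off the Ethernet header, then do a first-match lookup by ingress zone, VLAN ID and source/destination network. The subnets 192.168.10.0/24 and 192.168.50.0/24, the WAN addresses and the rule names are constructed for the example; only VLAN 10, VLAN 50 and the LAN/WAN zone names come from the thread. Running it also shows why, with only the wizard's LAN to WAN rule in place, inbound traffic to the VLAN 50 servers falls to the implicit deny, and how a per-VLAN rule set lets one network be inspected while another is passed through.

```python
"""Toy model of per-VLAN policy selection on an inline (bridge-mode) firewall.

Added example: not the XG rule engine, just the logic the thread describes.
All addresses, MACs and rule names are constructed for illustration.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ETHERTYPE_VLAN = 0x8100   # an 802.1Q tag follows the source MAC
ETHERTYPE_IPV4 = 0x0800


@dataclass(frozen=True)
class Frame:
    vlan_id: Optional[int]          # None when the frame is untagged
    src_ip: ipaddress.IPv4Address
    dst_ip: ipaddress.IPv4Address


def parse_frame(raw: bytes) -> Frame:
    """Read the Ethernet header, strip an optional 802.1Q tag, return the IPv4 endpoints."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", raw[12:14])
    offset, vlan_id = 14, None
    if ethertype == ETHERTYPE_VLAN:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan_id = tci & 0x0FFF       # low 12 bits of the TCI carry the VLAN ID
        offset = 18
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 is modelled here")
    ip_hdr = raw[offset:offset + 20]
    if len(ip_hdr) < 20:
        raise ValueError("truncated IPv4 header")
    return Frame(vlan_id, ipaddress.IPv4Address(ip_hdr[12:16]), ipaddress.IPv4Address(ip_hdr[16:20]))


def build_frame(vlan_id: Optional[int], src_ip: str, dst_ip: str) -> bytes:
    """Construct a minimal tagged or untagged IPv4 frame (constructed sample input)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")   # dst MAC, src MAC
    if vlan_id is None:
        eth += struct.pack("!H", ETHERTYPE_IPV4)
    else:
        eth += struct.pack("!HHH", ETHERTYPE_VLAN, vlan_id, ETHERTYPE_IPV4)  # PCP/DEI left at 0
    ip_hdr = bytearray(20)
    ip_hdr[0] = 0x45                                   # IPv4, 20-byte header, no options
    ip_hdr[12:16] = ipaddress.IPv4Address(src_ip).packed
    ip_hdr[16:20] = ipaddress.IPv4Address(dst_ip).packed
    return eth + bytes(ip_hdr)


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str                                  # zone of the ingress port: "LAN" or "WAN"
    vlan_ids: FrozenSet[int]                       # empty = any VLAN
    src_nets: Tuple[ipaddress.IPv4Network, ...]    # empty = any source
    dst_nets: Tuple[ipaddress.IPv4Network, ...]    # empty = any destination
    inspect: bool                                  # web filtering / scanning enabled on this rule


def evaluate(rules: List[Rule], frame: Frame, ingress_zone: str) -> Optional[Rule]:
    """First-match rule lookup; None means the frame falls to the implicit deny."""
    for rule in rules:
        if rule.src_zone != ingress_zone:
            continue
        if rule.vlan_ids and frame.vlan_id not in rule.vlan_ids:
            continue
        if rule.src_nets and not any(frame.src_ip in n for n in rule.src_nets):
            continue
        if rule.dst_nets and not any(frame.dst_ip in n for n in rule.dst_nets):
            continue
        return rule
    return None


VLAN10 = ipaddress.IPv4Network("192.168.10.0/24")   # constructed: workstation VLAN
VLAN50 = ipaddress.IPv4Network("192.168.50.0/24")   # constructed: internal server VLAN

# What the setup wizard leaves behind: a single any-to-any LAN to WAN rule.
WIZARD_RULES = [Rule("LAN to WAN", "LAN", frozenset(), (), (), inspect=False)]

# One rule per VLAN instead, so each network gets its own policy.
PER_VLAN_RULES = [
    Rule("VLAN10 workstations to WAN", "LAN", frozenset({10}), (VLAN10,), (), inspect=True),
    Rule("VLAN50 servers to WAN", "LAN", frozenset({50}), (VLAN50,), (), inspect=False),
    Rule("WAN to VLAN50 servers", "WAN", frozenset({50}), (), (VLAN50,), inspect=True),
]

if __name__ == "__main__":
    samples = [(10, "192.168.10.20", "198.51.100.9", "LAN"),     # workstation browsing out
               (50, "203.0.113.7", "192.168.50.10", "WAN"),      # client heartbeat to a server
               (10, "203.0.113.7", "192.168.10.20", "WAN")]      # unsolicited inbound to a workstation
    for vlan, src, dst, zone in samples:
        frame = parse_frame(build_frame(vlan, src, dst))
        for label, rules in (("wizard", WIZARD_RULES), ("per-VLAN", PER_VLAN_RULES)):
            hit = evaluate(rules, frame, zone)
            print(f"{label:8} VLAN {frame.vlan_id} {src} -> {dst}: {hit.name if hit else 'implicit deny'}")
```

The zone here comes from the ingress port (Port A on the LAN side, Port B on the WAN side), which is what makes "LAN to WAN" and "WAN to LAN" meaningful on a bridge with routing disabled; the VLAN ID and subnet then narrow the match to one network, so inspection can be switched on for the workstation VLAN without touching the server VLAN.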

  • Do I do that in System > Network > Interfaces? When I try to create a VLAN I am asked to choose the physical interface, but there is none available. I assume that is because both physical interfaces that are used are part of a bridge pair.

    Also, I am asked to assign a zone. Should I choose LAN because that is where the active devices on that subnet exist, or should I choose the WAN zone because that is where the gateway that 'creates' the VLAN exists?