I am trying to integrate an XG210 into an existing network. The network is a full Ubiquiti Unifi setup and has multiple VLANs set up between the gateway and the switch. I would think I could place the XG in line on a trunk connection between the switch and the gateway. The end goal is to be able to filter the individual networks separately in regards to web filtering and scanning etc.
I have asked this question before and got a lead: "You would have to set up virtual interfaces for all the VLANs and bridge them accordingly." But was unsuccessful in making this work.
I am new to the XGs having come from sonicwall, so I am still a bit green when it comes to using the XG software. Can anyone give me a bit more detailed instructions, or at least a link or two to something to help me figure this out? Any help will be appreciated.
Hi Paul,
Welcome to Sophos. I would advise contacting the partner you purchased the device from to help you with your migration. I am sure they are able to help. Let me know if they could not provide you assistance in such a matter.
Regards,
Aditya Patel
Global Escalation Support Engineer | Sophos Technical Support
Knowledge Base | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'This helped me' link.
I am a little embarrassed to admit this, but I am the partner... This is my first Sophos roll-out, having come from SonicWALL. All of the brands do things a little differently.
Paul,
Upload a network diagram and I will try to help you find the correct configuration.
Regards
Hi Paul,
No problem. I just checked whether there is a migration tool to convert a SonicWall backup to XG. Unfortunately, this option is only available in Cyberoam.
We may need you to upload the topology; you may hide some sensitive information if needed, or you may private message either Luk or myself the network topology with IP details. We will try to send configuration steps.
Regards,
Aditya Patel
Global Escalation Support Engineer | Sophos Technical Support
Knowledge Base | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'This helped me' link.
I uploaded a diagram in response to another post. Thank you.
Thanks Paul.
On XG you do not have to create all the VLANs to intercept and inspect all the traffic. You can bridge 2 NICs and put the XG inline. AlanT, a few months ago, wrote that the bridge feature is improved on XG. Here is the link:
Did you already try the configuration you need in a small lab? I always install XG in routing mode. In your case bridge mode is better and simpler.
Let us know.
Thanks
OK, I finally got a chance to try this after hours when I can disrupt the network. I reset the XG to factory, then went through the wizard to set it up as a bridge. I chose an IP for the bridge of 192.168.1.250, and the gateway as the existing gateway of 192.168.1.254. After it was done, I plugged it all in: Port A to my core switch, Port B to the gateway... and nothing worked. No traffic could flow from my workstation on VLAN 10 to the gateway and be routed to any other workstation on any other VLAN, nor did I have access to the internet.
Then I remembered something I read about on another post. I went into the interfaces section, selected to edit the bridge interface, and UNCHECKED the "enable routing on this bridge pair" checkbox. Then, everything worked. I had internet, and my VLANs could talk to each other again....
But I noticed that inbound traffic was failing. I have two internal servers on VLAN 50 that were not receiving heartbeat signals from their clients. I remembered that the wizard only made a LAN to WAN firewall rule. So, I added a WAN to LAN rule that allows everything for now. The gateway has its own firewall that is blocking any unwanted outside traffic from entering, so I feel that this rule is inherently safe for now.
So...at this point I have the firewall in place and passing all traffic both ways without any filtering or inspection.
Now, how do I tell the firewall to inspect, filter, etc. traffic on a per-VLAN basis? Do I replace the existing WAN to LAN rule with a rule for each VLAN? Or do I replace the LAN to WAN rule?
Paul,
Good work! To allow only a certain VLAN, create the VLAN network and then add it to the source network inside the LAN to WAN rule or any other policy rule, and that VLAN will be allowed.
Thanks
Do I do that in System > Network > Interfaces? When I try to create a VLAN I am asked to choose the physical interface, but there is none available. I assume that is because both physical interfaces that are used are part of a bridge pair.
Also, I am asked to assign a zone. Should I choose LAN because that is where the active devices on that subnet exist, or should I choose the WAN zone because that is where the gateway that 'creates' the VLAN exists?
No. Create a network object directly from the source network inside the LAN to WAN policy. Create the VLAN as a subnet.
Thanks
Oh, so I am not telling XG to treat traffic differently based on its VLAN, but telling it to treat traffic differently based on its subnet, which is related to the VLAN. So I could theoretically create an inbound and outbound rule for each subnet to control the traffic in and out in a fine-grained fashion?
This posting was extremely helpful. I was in the same boat.
Did you get your Unifi console to integrate with your UBNT community login and be able to access it remotely? Obviously there are other ways via port forwarding, dynamic DNS, etc. I've been struggling to get access remotely through the cloud portal even if I exempt all IPs and UTM in the firewall policies.
I'm coming down to the point of just forwarding the ports since the log viewer in XG isn't the easiest to decipher. I spent countless hours on it and it could be an issue on either end, but I'm seeing more trends coming in via bridge mode even with everything exempt. (ex: PS4 remote play)
I'm sorry, I'm not exactly sure what you are asking. I do not use the UBNT community portal; I host my own controller for myself and my clients at my site. My XG is in bridge mode between the USG and the switch, so there is no forwarding that needs to be done in the XG in terms of the Unifi devices. All of the forwarding is done in the USG.
I would recommend starting a new thread on the topic, referencing this thread if it was useful.