Integrating an XG210 with an existing Ubiquiti Unifi Network with multiple VLANs.

HI Paul, 

Welcome to Sophos , I would advise to contact the partner you have purchased the device from to help you with your migration . I am sure they are able to help . Let me know if they could not provide you assistance in such matter .

I am a little embarrassed to admit this, but I am the partner...This is my first sophos roll-out having come from SonicWALL. All of the brands do things a little differently.

Here is a network diagram with identifying information removed. Thank you for taking a look.

I uploaded a diagram in response to another post. Thank you.

Thanks Paul.

On XG you do not have to create all the VLAN to intercept and inspect all the traffic. You can bridge 2 NICs and put the XG inline. AlanT, few months ago, wrote the bridge feature is improved on XG. Here the link:

https://community.sophos.com/products/xg-firewall/v16beta/f/sfos-v16-beta-feedback/79102/xg-and-vlans-on-bridges---feedback-needed

Did you already tried the configuration you need in a small lab? I always install XG in routing mode. In your case bridge mode is better and simple.

Let us know.

Thanks

OK, I finally got a chance to try this after hours when I can disrupt the network. I reset the XG to factory, then went through the wizard to set it up as a bridge. I chose an IP for the Bridge of 192.168.1.250, and the gateway as the existing gateway of 192.168.1.254. After it was done, I plugged it all in. Port A to my core switch, Port B to the gateway...and nothing worked. No traffic could flow from my workstation on VLAN 10 to the gateway and be routed to any other workstation on any other VLAN, nor did I have access to the internet.

Then I remembered something I read about on another post. I went into the interfaces section, selected to edit the bridge interface, and UNCHECKED the "enable routing on this bridge pair" checkbox. Then, everything worked. I had internet, and my VLANs could talk to each other again....

But, I noticed that traffic inbound was failing. I have two internal servers on VLAN 50 that were not receiving heartbeat signals from their clients. I remembered that the wizard only made a LAN to WAN firewall rule. So, I added a WAN to LAN rule that allows everything for now. The gateway has it's own firewall that is blocking any unwanted outside traffic from entering, so I feel that this rule is inherently safe for now.

So...at this point I have the firewall in place and passing all traffic both ways without any filtering or inspection.

Now, how do I tell the firewall to inspect, filter, etc traffic on a per vlan basis? Do I replace the existing WAN to LAN rule with a rule for each VLAN? or, do I replace the LAN to WAN rule?

Paul,

good work! To be able to allow only certain VLAN, create the VLAN network and then add it to source network inside the LAN to WAN rule or any other policy rule and that VLAN will be allowed.

Thanks

Do i do that in System>Network>Interfaces? When I try to create a VLAN I am asked to choose the physical interface, but there is none available. I assume that is because both physical interfaces that are used are part of a bridge pair.

Also, I am asked to assign a zone. Should I choose LAN becasue that is where the active devices on that subnet exist, or should I choose WAN zone becasue that is where the gateway that 'creates' the vlan exists?

No. Create a network object directly from the source network inside the LAN to WAN policy. Create the VLAN as subnet.

Thanks

Oh, so I am not telling XG to treat traffic differently based on its VLAN, but telling it to treat traffic differently based on its subnet, which is related to the vlan....So I could theoretically create an inbound and outbound rule for each subnet to control the traffic in and out in a fine grained fashion?

Hello

I want to do the same thing as Paul. I have a edgerouter with eth0 configured as the LAN interface and it carries all (9 VLANs) VLAN traffic to a Layer 2 switch in what I would call a trunk. The switch handles all VLAN traffic etc..  I would like to insert a Sophos UTM between the LAN interface of the Edgerouter and the Layer 2 switch and have it perform DPI, IPS, and Malware scanning.

I am a little confused after reading https://community.sophos.com/kb/en-us/121532 and https://community.sophos.com/kb/en-us/122973

I would like to deploy it as a Layer 2 (Transparent) Bridge. I see that the latter link is newer and therefore I assume the correct way to go. However, I am unsure what to do when I reach step 13 and the actual network settings. I want the bridge to be seamless, so I am unsure what to do. My box that has Sophos installed has 4 nics. My edgerouter has has 8 VLANS 10.10.0.1 thru 10.10.8.1. The management VLAN is 10.10.0.1 

Would I need to have 3 interfaces set up to obtain the desired goal? e.g. 1 interface for UTM management with an IP of 10.10.0.10 connected to the management VLAN on the Layer 2 Switch and the other two UTM interfaces used for the trunk between the edgerouter and the switch with no IPs (0.0.0.0) on each interface IN / Out.

I'm not sure if this is a stupid question, or if I am misunderstanding the concept.

Either way, could you tell me what I would need to do at step 13 to have it act as a Layer 2 transparent bridge and not alter my network? 

I would appreciate your help / direction.

Thanks

As an update, I used my already running 16.5 box with 4 nics to obtain partial success. The box was serving a flat topology with an internal IP of 192.168.x.x and using 2 nics (LAN and WAN). I added a bridge using the two remaining nics and gave it an IP of 10.10.0.11 I set up firewall rules and had internet connectivity. 

This appeared to work well, and all of my VLANs could access the internet and my 192.168.x.x network functioned as well. Unfortunately my UAP-AC-Pro started dropping traffic on some of it's VLANs after a couple of hours and I had to back out of the setup. The VMs attached to the switch could function normally. It was very strange.

As an update, I used my already running 16.5 box with 4 nics to obtain partial success. The box was serving a flat topology with an internal IP of 192.168.x.x and using 2 nics (LAN and WAN). I added a bridge using the two remaining nics and gave it an IP of 10.10.0.11 I set up firewall rules and had internet connectivity. 

This appeared to work well, and all of my VLANs could access the internet and my 192.168.x.x network functioned as well. Unfortunately my UAP-AC-Pro started dropping traffic on some of it's VLANs after a couple of hours and I had to back out of the setup. The VMs attached to the switch could function normally. It was very strange.