

Integrating an XG210 with an existing Ubiquiti Unifi Network with multiple VLANs.

I am trying to integrate an XG210 into an existing network. The network is a full Ubiquiti Unifi setup and has multiple VLANs set up between the gateway and the switch. I would think I could place the XG in line on a trunk connection between the switch and the gateway. The end goal is to be able to filter the individual networks separately in regards to web filtering and scanning etc.

I have asked this question before and got a lead: "You would have to set up virtual interfaces for all the VLANs and bridge them accordingly." But was unsuccessful in making this work.

I am new to the XGs having come from sonicwall, so I am still a bit green when it comes to using the XG software. Can anyone give me a bit more detailed instructions, or at least a link or two to something to help me figure this out? Any help will be appreciated.



This thread was automatically locked due to age.
  • No. Create a network object directly from the source network inside the LAN to WAN policy. Create the VLAN as subnet.

    Thanks

  • Oh, so I am not telling XG to treat traffic differently based on its VLAN, but telling it to treat traffic differently based on its subnet, which is related to the VLAN... So I could theoretically create an inbound and outbound rule for each subnet to control the traffic in and out in a fine-grained fashion?
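The approach in the two posts above (the XG bridged on the trunk, one network object per VLAN subnet, one LAN-to-WAN rule each), as an added Python example that is not part of this thread: it parses a constructed 802.1Q-tagged frame the way a bridge sees it, reports the VLAN ID, and then picks the rule by the inner source subnet rather than by the tag. The rule names, the sample addresses and the helper functions are assumptions made for this example.

```python
# Added example (not from the thread): parse an 802.1Q-tagged frame the way a
# bridge-mode XG would see it on the trunk, then pick the LAN->WAN rule by the
# IP subnet inside the frame, not by the VLAN tag. Subnets follow the poster's
# 10.10.x.0/24 scheme; rule names and sample frames are constructed here.
import ipaddress
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# One network object per VLAN subnet, each bound to its own LAN->WAN rule.
RULES = {
    ipaddress.ip_network("10.10.0.0/24"): "mgmt-to-wan (no web filter)",
    ipaddress.ip_network("10.10.1.0/24"): "staff-to-wan (web filter + AV)",
    ipaddress.ip_network("10.10.2.0/24"): "guest-to-wan (web filter, block P2P)",
}

def parse_tagged_frame(frame):
    """Return (vlan_id, src_ip, dst_ip) for an 802.1Q/IPv4 frame, else None."""
    ethertype = struct.unpack("!H", frame[12:14])[0]   # after dst(6)+src(6) MACs
    if ethertype != ETHERTYPE_8021Q:
        return None                                    # untagged: not on the trunk
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    if inner_type != ETHERTYPE_IPV4:
        return None
    ip_hdr = frame[18:38]                              # minimal 20-byte IPv4 header
    return (tci & 0x0FFF,                              # VLAN ID = low 12 bits of TCI
            ipaddress.ip_address(ip_hdr[12:16]),
            ipaddress.ip_address(ip_hdr[16:20]))

def match_rule(src_ip):
    """Longest-prefix match of the source address against the network objects."""
    hits = [net for net in RULES if src_ip in net]
    if not hits:
        return "no rule: dropped by default"
    return RULES[max(hits, key=lambda n: n.prefixlen)]

def build_frame(vlan_id, src_ip, dst_ip):
    """Constructed frame: zeroed MACs + 802.1Q tag + minimal IPv4 header."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_8021Q)
    tag = struct.pack("!HH", vlan_id & 0x0FFF, ETHERTYPE_IPV4)
    ip = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 6, 0, 0])   # v4, IHL 5, TTL 64, TCP
    ip += ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed
    return eth + tag + ip
```

A frame tagged with the wrong VLAN but carrying a 10.10.1.x source still lands in the staff rule, which is exactly why a subnet-based object works in bridge mode and also why the VLAN-to-subnet mapping on the router must stay accurate.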

  • This posting was extremely helpful.  I was in the same boat.

    Did you get your Unifi console to integrate with your UBNT community login and be able to access it remotely?  Obviously there are other ways via port forwarding, dynamic DNS, etc.  I've been struggling getting access remotely through the cloud portal even if I exempt all IPs and UTM in the firewall policies.

    I'm coming down to the point of just forwarding the ports since the log viewer in XG isn't the easiest to decipher.  I spent countless hours on it and it could be an issue on either end, but I'm seeing more trends coming in via bridge mode even with everything exempt.  (ex: PS4 remote play)

  • I'm sorry, I'm not exactly sure what you are asking. I do not use the UBNT community portal, I host my own controller for myself and my clients in my site. My XG is in bridge between the USG and the switch, so there is no forwarding that needs to be done in the XG in terms of the unifi devices. All of the forwarding is done in the USG.

    I would recommend starting a new thread on the topic, referencing this thread if it was useful.

  • Hello


    I want to do the same thing as Paul. I have an edgerouter with eth0 configured as the LAN interface and it carries all (9 VLANs) VLAN traffic to a Layer 2 switch in what I would call a trunk. The switch handles all VLAN traffic etc.  I would like to insert a Sophos UTM between the LAN interface of the Edgerouter and the Layer 2 switch and have it perform DPI, IPS, and Malware scanning.

    I am a little confused after reading https://community.sophos.com/kb/en-us/121532 and https://community.sophos.com/kb/en-us/122973

    I would like to deploy it as a Layer 2 (Transparent) Bridge. I see that the latter link is newer and therefore I assume the correct way to go. However, I am unsure what to do when I reach step 13 and the actual network settings. I want the bridge to be seamless, so I am unsure what to do. My box that has Sophos installed has 4 nics. My edgerouter has 8 VLANs 10.10.0.1 thru 10.10.8.1. The management VLAN is 10.10.0.1

    Would I need to have 3 interfaces set up to obtain the desired goal? e.g. 1 interface for UTM management with an IP of 10.10.0.10 connected to the management VLAN on the Layer 2 Switch and the other two UTM interfaces used for the trunk between the edgerouter and the switch with no IPs (0.0.0.0) on each interface IN / Out.

    I'm not sure if this is a stupid question, or if I am misunderstanding the concept.

    Either way, could you tell me what I would need to do at step 13 to have it act as a Layer 2 transparent bridge and not alter my network? 


    I would appreciate your help / direction.


    Thanks

  • As an update, I used my already running 16.5 box with 4 nics to obtain partial success. The box was serving a flat topology with an internal IP of 192.168.x.x and using 2 nics (LAN and WAN). I added a bridge using the two remaining nics and gave it an IP of 10.10.0.11. I set up firewall rules and had internet connectivity.

    This appeared to work well, and all of my VLANs could access the internet and my 192.168.x.x network functioned as well. Unfortunately my UAP-AC-Pro started dropping traffic on some of its VLANs after a couple of hours and I had to back out of the setup. The VMs attached to the switch could function normally. It was very strange.

  • I found this old thread.  I'm also using Unifi access points.  Although, in my setup, it's Modem (Fiber), Sophos XG Firewall, HP 1810 switch, and Unifi APs.  I use Unifi Controller on my NAS as controller.

    My question is, why are you using USG Pro 4?  Is this still needed?  Currently in mine, modem goes straight to Sophos XG.  

    Thanks, hope to hear your reply.

  • I don't need to use a USG, in fact it's kind of a pain in the butt because I have to disable NAT. But, I needed to create a unified standard (pun intended) for my company because all of my junior techs need to be able to be trained on the system.  A cheap USG is a small price to pay for a well-functioning and easy to troubleshoot and configure system.

    Plus I get all the green circles in the dashboard LOL

  • "Plus I get all the green circles in the dashboard LOL"

    True :-). Thanks for the clarification.