Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Sophos Firewall: How to Configure Inter-VLAN Routing on Sophos Firewall

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

______________________________________________________________________________________________________________________________________

Table Of Contents

Overview:

This Recommended Read describes how to configure Inter-VLAN routing using Sophos Firewall. This method is also known as “Router-on-a-stick”.

Requirements:

  • You must have configuration access on the L2 switch connected to Sophos Firewall, where you can define VLANs, bound access ports to specific VLANs, and configure the trunk port.
  • Switch Uplink going/connected to Sophos Firewall must be configured as “Trunk Port” which allows VLANs to pass through and reach it’s VLAN default gateway (which will be the VLAN interface that is to be configured on Sophos Firewall later on the guide)

Configuration:

 

VLAN Interface

Configure VLAN Interface under Network > Interfaces > Add interface > Add VLAN

Then, configure VLAN Interface Settings such as Port, VLAN ID, Zone, IP address, and Netmask accordingly.

VLAN 100 settings:

Click Save.

 

Then, verify if VLAN 100 interface is shown under Network > Interfaces > VLAN

VLAN 200 settings:

For more information how to configure VLAN interface on Sophos Firewall, you may refer to this document guide: https://docs.sophos.com/nsg/sophos-firewall/21.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/Network/Interfaces/NetworkVLANInterfaceAdd/index.html

VLAN Network Object Definition:

This step would prepare the definition of VLAN networks that would be used in configuring the Firewall rule needed to allow communication on different VLANs.

Go to System > Host and services > Click Add > IP host > Then enter the VLAN 100 details then click Save

VLAN 200

Configuration of Firewall Rules

This step would allow communication of VLANs. Kindly take note that when putting the Source and Destination Network as you configure the firewall rule, you must NOT put the VLAN interface object but instead put on the VLAN Network object and always check “Log firewall traffic” should you need to troubleshoot issues.

Upon completing the above configuration steps up to the configuration of Firewall Rules, your VLANs should be able to communicate with each other. 


Additional Information:

  • The example we used is only 2 VLANs, but the same principle applies if your network would require multiple inter-vlan traffic.
  • The configuration isn’t limited to Inter-vlan. You may also control Web traffic, application, Traffic shaping, etc by VLAN using firewall rules, the same principle applies.
  • You may also change the firewall rule disposition to “Deny” should you want to control certain VLANs from accessing the internet, other networks etc.

Related Information:

How to configure Inter-VLAN Routing video

______________________________________________________________________________________________________________________________________



updated doc guide link to latest
[edited by: Raphael Alganes at 12:49 PM (GMT -8) on 17 Dec 2024]