Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
______________________________________________________________________________________________________________________________________
Overview:
This Recommended Read describes how to configure inter-VLAN routing on Sophos Firewall, where the firewall routes between VLANs over a single 802.1Q-tagged uplink from the switch. This method is also known as "Router-on-a-stick".
Requirements:
- You must have configuration access on the L2 switch connected to Sophos Firewall, so that you can define the VLANs, bind access ports to their VLANs, and configure the trunk port.
- The switch uplink connected to Sophos Firewall must be configured as a trunk port (802.1Q tagging) that carries every VLAN you want routed, so that tagged frames reach their VLAN default gateway, which will be the VLAN interface configured on Sophos Firewall later in this guide. Frames must arrive tagged: untagged frames on the trunk (the switch's native VLAN) are handled by the parent port's own IP configuration, not by a VLAN interface, so do not rely on the native VLAN for a routed VLAN.
Configuration:
VLAN Interface
Configure VLAN Interface under Network > Interfaces > Add interface > Add VLAN
Then configure the VLAN interface settings: Port (the physical port connected to the switch trunk), VLAN ID (must match the VLAN ID defined on the switch), Zone, IP address (this becomes the default gateway for hosts in the VLAN), and Netmask.
VLAN 100 settings:
Click Save.
Then verify that the VLAN 100 interface is listed under Network > Interfaces > VLAN.
VLAN 200 settings:
For more information on how to configure a VLAN interface on Sophos Firewall, refer to this document guide: https://docs.sophos.com/nsg/sophos-firewall/21.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/Network/Interfaces/NetworkVLANInterfaceAdd/index.html
VLAN Network Object Definition:
This step defines a network object for each VLAN subnet. These objects are used as the Source and Destination networks in the firewall rule that allows communication between the VLANs.
Go to System > Hosts and services > IP host > Add, select type Network, enter the VLAN 100 network address and subnet mask (the subnet, not the firewall's own VLAN interface IP), then click Save.
VLAN 200
Configuration of Firewall Rules
This step creates the rule that allows traffic between the VLANs. Sophos Firewall drops any traffic that does not match a firewall rule, so the VLANs stay isolated until this rule exists. When you set the Source and Destination networks in the firewall rule, do NOT select the VLAN interface objects; select the VLAN network objects created in the previous step. Firewall rules are stateful and match the direction in which a connection is initiated, so either place both VLAN network objects in both Source and Destination or create one rule per direction. Prefer listing only the services the VLANs actually need rather than Any: the purpose of VLANs is segmentation, and an allow-all rule between them removes it. Always enable "Log firewall traffic" so that dropped or unexpected flows can be found in the Log viewer should you need to troubleshoot.
Once the steps above are complete, your VLANs should be able to communicate with each other. If they cannot, check the Log viewer for dropped traffic, confirm that the VLAN IDs match on the switch and the firewall, and confirm that hosts in each VLAN use the Sophos VLAN interface IP as their default gateway.
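Steps 2 and 3 above (network objects and the inter-VLAN rule) can also be pushed through the Sophos Firewall XML API instead of the web admin. The script below is an added example written for this page, not Sophos-provided code. The entity and element names (IPHost, FirewallRule, NetworkPolicy and their children) follow the public Sophos Firewall XML API reference as the author understands it and should be checked against the API documentation for your firmware version; the firewall hostname, API user, password, object names and the 192.168.100.0/24 and 192.168.200.0/24 subnets are made up for illustration. It builds the requests offline and only contacts the firewall if you call send() yourself.

```python
"""Build Sophos Firewall XML API requests for the inter-VLAN steps in this guide.

Added example, not Sophos code. Element names follow the Sophos Firewall XML API
reference as understood by the author (assumption: verify for your SFOS version).
Hostnames, credentials, object names and subnets are constructed for illustration.
"""
import ipaddress
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def _sub(parent, tag, text=None):
    """Append a child element with optional text and return it."""
    el = ET.SubElement(parent, tag)
    if text is not None:
        el.text = text
    return el


def _request(username, password):
    """Root <Request> with the <Login> block every API call carries."""
    root = ET.Element("Request")
    login = _sub(root, "Login")
    _sub(login, "Username", username)
    _sub(login, "Password", password)
    return root


def iphost_network_xml(name, cidr, username="apiadmin", password="secret"):
    """Step 2: an IP host of type Network, e.g. VLAN100_Net = 192.168.100.0/24.
    strict=True makes ipaddress reject an address with host bits set, so a typo
    such as 192.168.100.5/24 fails loudly instead of creating a wrong object."""
    net = ipaddress.ip_network(cidr, strict=True)
    root = _request(username, password)
    add = _sub(root, "Set")
    add.set("operation", "add")
    host = _sub(add, "IPHost")
    _sub(host, "Name", name)
    _sub(host, "IPFamily", "IPv4")
    _sub(host, "HostType", "Network")
    _sub(host, "IPAddress", str(net.network_address))
    _sub(host, "Subnet", str(net.netmask))
    return ET.tostring(root, encoding="unicode")


def intervlan_rule_xml(name, src_net, dst_net, zone="LAN",
                       services=("HTTPS", "DNS"),
                       username="apiadmin", password="secret"):
    """Step 3: a network rule between the two VLAN *network objects* (never the
    VLAN interfaces). Logging is enabled, and services default to a short list
    rather than Any so the rule only opens what the VLANs need. Call it twice
    with src/dst swapped if the other VLAN must also initiate connections."""
    root = _request(username, password)
    add = _sub(root, "Set")
    add.set("operation", "add")
    rule = _sub(add, "FirewallRule")
    _sub(rule, "Name", name)
    _sub(rule, "IPFamily", "IPv4")
    _sub(rule, "Status", "Enable")
    _sub(rule, "Position", "Top")
    _sub(rule, "PolicyType", "Network")
    pol = _sub(rule, "NetworkPolicy")
    _sub(pol, "Action", "Accept")
    _sub(pol, "LogTraffic", "Enable")
    _sub(_sub(pol, "SourceZones"), "Zone", zone)
    _sub(_sub(pol, "DestinationZones"), "Zone", zone)
    _sub(pol, "Schedule", "All The Time")
    _sub(_sub(pol, "SourceNetworks"), "Network", src_net)
    _sub(_sub(pol, "DestinationNetworks"), "Network", dst_net)
    svc = _sub(pol, "Services")
    for s in services:
        _sub(svc, "Service", s)
    return ET.tostring(root, encoding="unicode")


def send(fw_host, reqxml, port=4444, ca_file=None):
    """POST a request to APIController. The client IP must be allowed under
    System > Backup & firmware > API on the firewall. Pass the appliance CA as
    ca_file; certificate verification is intentionally not switchable off here,
    because the request carries admin credentials."""
    ctx = ssl.create_default_context(cafile=ca_file)
    url = f"https://{fw_host}:{port}/webconsole/APIController"
    data = urllib.parse.urlencode({"reqxml": reqxml}).encode()
    with urllib.request.urlopen(url, data=data, context=ctx, timeout=15) as resp:
        return resp.read().decode()


def response_status(body):
    """Return (code, message) of the first <Status> in an API response, so a
    failed add (for example a duplicate name) is not mistaken for success."""
    st = ET.fromstring(body).find(".//Status")
    if st is None:
        return (None, "")
    return (st.get("code"), (st.text or "").strip())


if __name__ == "__main__":
    # Print the requests for review; nothing is sent unless you call send().
    print(iphost_network_xml("VLAN100_Net", "192.168.100.0/24"))
    print(iphost_network_xml("VLAN200_Net", "192.168.200.0/24"))
    print(intervlan_rule_xml("VLAN100_to_VLAN200", "VLAN100_Net", "VLAN200_Net"))
```

The API user should be a dedicated administrator with only the profile rights needed for hosts and firewall rules, and the API allowed-IP list should contain just the management host that runs the script.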
Additional Information:
- The example uses only two VLANs, but the same principle applies if your network requires routing between many VLANs: one VLAN interface and one network object per VLAN, and firewall rules between them.
- The configuration is not limited to inter-VLAN routing. You may also control web traffic, applications, traffic shaping, etc. per VLAN using firewall rules; the same principle applies.
- You may also set the firewall rule action to Drop or Reject should you want to prevent certain VLANs from reaching the internet, other networks, etc.
Related Information:
How to configure Inter-VLAN Routing video
______________________________________________________________________________________________________________________________________
updated doc guide link to latest
[edited by: Raphael Alganes at 12:49 PM (GMT -8) on 17 Dec 2024]