
Help with Basic VLAN Setup to Segment Wired and Wireless Network

I would like to segment my network into multiple LANs and VLANs.

Right now, I have one happy LAN network, all shared with all devices. Small unmanaged switches in each room, converging to a large 24 port unmanaged switch in the office:

  • Primary real LAN in the LAN port of the Sophos UTM - 192.168.10.x /24
  • Wireless network SSID 1, bridged to LAN - 192.168.10.x /24 ... too.

Future:

  • Existing LAN and SSID 1 Wireless on that same LAN for servers, personal computers, printers, etc. 192.168.10.x /24
  • New segmented networks with internet access through the firewall, but isolated and blocked from the LAN above:
    • Guest wireless network on separate SSID 2  192.168.20.x /24
    • New virtual network VLAN 10 for home appliances (kitchen oven, sump pump, etc.), some on Ethernet, some on Wireless with its own SSID 3   (... .30.x /24)
    • New virtual network VLAN 20 for streaming devices (TiVo, Roku, AppleTV, etc.), some on Ethernet, some on Wireless with its own SSID 4  (... .40.x /24)
    • New virtual network VLAN 30 for cameras (... .50.x /24) 
    • You get the idea...

Each room has a single Ethernet port. The Ethernet cables converge in the office closet. Currently each room has a small 5 port switch. A room may have any combination of Sophos AP 100C, devices that belong on the 192.168.10.x LAN (computers, printers, servers), and various Ethernet and wireless home appliances, streaming devices, etc.

In other words, a given room may have a combination of different devices, each one associated with a different network segment / VLAN. At the same time, the same VLAN network segment may have devices in different rooms. 

I ordered managed 5 port switches (L2, 802.1q) to replace the unmanaged switches in the rooms. I ordered an extra managed 8 port switch for the office closet. I am not sure I need it. (To the best of my knowledge, the 24 port unmanaged switch will not pass tagged VLAN Ethernet packets.)

-> Am I on the right track? Is there a better way to segment my network?
-> Do I have what I need to make this work? 
-> What is the best way to configure these devices to segment my network as described? 

P.S. Can I configure the new network segments to be IPv4-only, but leave my primary LAN IPv4 and IPv6?



  • Adding a Guest wireless network is a good idea.

    Not sure that you need to replace the unmanaged 24-port switch.  Let us know if that was necessary.

    I don't think you can selectively activate IPv6 only on one interface.  The UTM only supplies IPv4 IPs with its DHCP service.  You can selectively allow only the LAN to reach an IPv6 DHCP server.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • The guest wireless should be able to have its own VLAN, so I can use "Bridge to VLAN" rather than using "Separate zone" with its MTU issues. That is my plan. 

    With the small managed switches in every room, I believe that I will be able to isolate mixed wireless and Ethernet-wired devices into their appropriate VLANs wherever they are. I assume that the AP 100C access points will properly tag VLAN and non-VLAN packets on the Ethernet according to their SSIDs, and the new switches will pass them to the next switch accordingly.

    Does all that make sense to you? 

  • You are on the right track. I would leave VLAN ID 1 (the default VLAN) for administrative purposes and use only IDs above 2 for my segments.

    You would need to have trunk ports defined from the main switch to the 5 port switches in the different rooms; all others have to be access ports. Only trunk ports are capable of transporting multiple VLANs at once. Most "unmanaged" switches are configured as if all ports were a "trunk" and therefore seem to pass through all kinds of VLANs. The problem is, if you "untag" a VLAN at a certain port, it stays tagged just as it was when it entered the "unmanaged" switch.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.
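The trunk/access behaviour described in the answer above, and the per-room mixing of VLANs in the original question, can be checked against a small model of 802.1Q forwarding. The following is an added example written for this thread; it is not code from the thread, from Sophos, or from any switch vendor. The port names ("uplink", "oven", "roku", "pc"), the sample frame, and the `ManagedSwitch`/`UnmanagedSwitch` classes are constructed for illustration; the VLAN IDs 10/20/30 follow the plan in the question. MAC learning and flooding are left out on purpose, since the point is only how the tag is added, removed, or passed through.

```python
"""Constructed model of 802.1Q tagging across access and trunk ports.

Shows (1) a room switch tagging an appliance's frames onto the trunk,
(2) access ports refusing frames from other VLANs (the isolation the
original poster wants), and (3) an unmanaged switch passing a tagged
frame through unchanged, which is the problem Philipp describes.
"""
import struct
from dataclasses import dataclass, field
from typing import Optional

TPID_8021Q = 0x8100  # EtherType that marks an 802.1Q tag


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag after the 12 bytes of dst/src MAC."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    tci = (pcp << 13) | vid  # PCP (3 bits), DEI (1 bit, 0 here), VID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def vlan_of(frame: bytes) -> Optional[int]:
    """Return the VID carried by the frame, or None if it is untagged."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF


def untag_frame(frame: bytes) -> bytes:
    """Strip the 802.1Q tag if present; otherwise return the frame as-is."""
    return frame[:12] + frame[16:] if vlan_of(frame) is not None else frame


@dataclass
class Port:
    name: str
    mode: str                  # "access" or "trunk"
    pvid: int = 1              # access VLAN, or native (untagged) VLAN on a trunk
    allowed: set = field(default_factory=set)  # VIDs permitted on a trunk


class ManagedSwitch:
    """Classify frames on ingress, then tag or untag them on egress."""

    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}

    def ingress(self, port: str, frame: bytes) -> Optional[int]:
        p, vid = self.ports[port], vlan_of(frame)
        if p.mode == "access":
            return p.pvid if vid is None else None  # tagged frame on access port: drop
        if vid is None:
            return p.pvid                           # untagged on trunk: native VLAN
        return vid if vid in p.allowed else None    # tagged on trunk: must be allowed

    def egress(self, port: str, vid: int, frame: bytes) -> Optional[bytes]:
        p, raw = self.ports[port], untag_frame(frame)
        if p.mode == "access":
            return raw if vid == p.pvid else None   # only its own VLAN, always untagged
        if vid not in p.allowed:
            return None
        return raw if vid == p.pvid else tag_frame(raw, vid)

    def forward(self, in_port: str, frame: bytes, out_port: str) -> Optional[bytes]:
        vid = self.ingress(in_port, frame)
        return None if vid is None else self.egress(out_port, vid, frame)


class UnmanagedSwitch:
    """No VLAN awareness: whatever arrives, tag included, leaves unchanged."""

    def forward(self, in_port: str, frame: bytes, out_port: str) -> bytes:
        return frame


# Constructed untagged frame: broadcast dst, a sample src MAC, IPv4 EtherType.
UNTAGGED = bytes.fromhex("ffffffffffff" "0011223344aa" "0800") + b"payload"


def build_room_switch() -> ManagedSwitch:
    """One 5-port room switch from the plan: a trunk uplink plus access ports."""
    return ManagedSwitch([
        Port("uplink", "trunk", pvid=1, allowed={1, 10, 20, 30}),
        Port("oven", "access", pvid=10),   # VLAN 10: home appliances
        Port("roku", "access", pvid=20),   # VLAN 20: streaming devices
        Port("pc", "access", pvid=1),      # VLAN 1: primary LAN
    ])


ROOM = build_room_switch()

if __name__ == "__main__":
    print("oven -> uplink VID:", vlan_of(ROOM.forward("oven", UNTAGGED, "uplink")))
    print("oven -> roku:", ROOM.forward("oven", UNTAGGED, "roku"))
    print("unmanaged keeps VID:",
          vlan_of(UnmanagedSwitch().forward("a", tag_frame(UNTAGGED, 10), "b")))
```

Running it shows the oven's untagged frame leaving the uplink tagged with VID 10, the same frame never reaching the Roku's access port, and a tagged frame crossing the unmanaged switch with its tag intact, so a device behind that switch would receive a frame it cannot read.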