This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM Setup multiple VLANS on the same interface

Is it possible to have two separate VLANS on the same interface and how would one run the configuration to achieve it?

 



This thread was automatically locked due to age.
Parents Reply Children
  • Ok but do I also need to create NAT rules and Firewall rules as well, I read that somewhere else in here but I want to walk through each aspect since changes like this typically require downtime, most of the switches are setup so i just need to configure the firewall now.

    Respectfully, 

     

    Badrobot

     

  • Hi Badrobot,

    Yes, you should consider each networked subnet/interface on your UTM needing rules/nats and masquerades where needed.

    The UTM is a stateful firewall that is in default drop fallback so unless you allow from one network to another/network to internet it will be blocked.

    Emile

  • VLAN tags are used at Layer 2.  NAT and Firewall rules apply to Layer 3.  Consider #3.1 in Rulz (last updated 2019-04-17).

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • OK this all helps thanks everyone so much, my next issue is the VLAN 1.  Basically from what I have read is the UTM reserves VLAN 1 for wireless? Could be wrong but just in case......Is it possible to change this?  I ask because we are using D link switches and they reserve VLAN 1 for management, this appears as though it cannot be changed on the D-Links either so I am hoping you can alter this in someway on the UTM to use VLAN 1 for something else.

    Respectfully, 

     

    Badrobot

     

  • Are there any KB's that also explain how to handle the NAT and Masquerade aspects when creating Vlans...  I would think it would be the same as any other but wanted to check.

    Respectfully, 

     

    Badrobot

     

  • I suspect that, if you aren't using Wireless Protection and have everything turned off in there that you might be able to use VLAN 1.  Please come back and tell us if that worked for you.

    As you assumed, a VLAN is just like any other LAN and in need of the same NAT/Masq rules.  Think of a VLAN tag as being like a television channel - the receiver "sees" all the channels, but only picks one at a time.  That's how a VLAN Interface works - it only looks for the tag you define in WebAdmin.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • My only issue is would like to use wireless, I am wondering what would happen though if I did wireless on a separate interface, with no NAT rules to each other.  

    Respectfully, 

     

    Badrobot

     

  • Or what I should say is-

     

    Is the wireless tied to a vlan always?  or can you give it it's own interface and simply a subnet without the vlan, still freeing up vlan 1 for another interface?

    Respectfully, 

     

    Badrobot

     

  • Are you using Wireless Protection in the UTM?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Yes, thanks for helping with this.  Can you explain that to me also.  I am getting confused as to why Wireless would have to use a VLAN?  Does this have to do with isolation?  Or some aspect as to how the firewall separates what is being handled for wireless and what is not?  

    Respectfully, 

     

    Badrobot