Is it possible to have two separate VLANs on the same interface and how would one run the configuration to achieve it?
Yes, thanks for helping with this. Can you explain that to me also? I am getting confused as to why Wireless would have to use a VLAN. Does this have to do with isolation? Or some aspect of how the firewall separates what is being handled for wireless and what is not?
Respectfully,
Badrobot
I don't know the details of how VLAN 1 is used by Wireless Protection, just that it's used behind the scenes. I think you will need to get a ticket open with Sophos Support to see if they know a workaround for your D-Link conflict. I suspect that you will need to request escalation. Please share what you learn.
Cheers - Bob
Ok, so I created my VLANs on each interface, allowing for multiple VLANs per interface, i.e. eth0 has VLAN 2, 4 and 6. Now I am not 100% on the masquerading rules; I would think I need one for any VLAN to any uplink interface. But with the VLAN to VLAN traffic, do I need to make one for each direction, i.e. VLAN 2 to 4 and VLAN 4 to 2? Do I also need to make a NAT 1:1 rule for each as well? And do these also need to go each direction? Just a little confused on the order.
I think it is:
VLAN
Masquerade
NAT
Firewall Rules
But I am not 100% on each step. I have done more work on the XG than SG, so this is throwing me some. If anyone could give an example of how to do this for VLAN traffic to work from one VLAN to another, it would be great.
Respectfully,
Badrobot
First, read #2 in Rulz (last updated 2019-04-17) and look at the images at the bottom of that post. Between subnets on any LAN or VLAN interfaces, you only need firewall rules, no NAT or masquerading. You also might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests." If you would like me to send you this document, PM me your email address. For our German-speaking members, I also maintain a version auf Deutsch initially translated by fellow member hallowach when he and I did a major revision in 2013.
Cheers - Bob
Ok, that helps, so basically I have created my VLANs. I have put 2, 4 & 6 on one interface and another 8, 10 & 12 on another (to help with load). I have created a masquerading rule for each VLAN to access the uplink interfaces. As I understand it, no traffic will be allowed between VLANs or from a VLAN to the WAN without me creating a rule to allow that traffic from a source to a destination using a specific service, at least I think I am getting that correct....
Respectfully,
Badrobot
I should also ask in regards to VLANs, when setting up the interface should you assign a static gateway? I ask this because this setup is using a different subnet for each VLAN and I feel like it should have a gateway assigned.
Respectfully,
Badrobot
On VLANs, default gateways are assigned to clients by DHCP, just like with a regular LAN.
Cheers - Bob
Ok, that makes sense. Where I am confused by this is how the static IP aspect works then. Do you have a DHCP setup, then set a reserved range and use those for static, and the gateway is the same as it is for the DHCP aspect?
Thanks again for all your replies Bob, it is really appreciated!
Respectfully,
Badrobot
The UTM DHCP server doesn't work like the Windows DHCP server. UTM doesn't have "reservations" for IPs - you must assign fixed IPs outside the 'Range' of the DHCP server. When you press a [Make Static] button on the 'Lease Table' tab, you must choose a new IP outside the range of the DHCP server.
Cheers - Bob
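The rule from the last reply (fixed IPs must lie outside the DHCP 'Range') can be checked against a per-VLAN address plan before the addresses are entered in WebAdmin. The Python sketch below is an added example, not part of the thread and not Sophos code; the VLAN IDs come from the thread, while the subnets, ranges, host names, the function name and the assumption that the VLAN interface address is the gateway handed out by DHCP are all constructed for illustration.

```python
import ipaddress

# Constructed plan: VLAN IDs are from the thread; addresses and ranges are assumed.
VLANS = {
    2: {"iface": "192.168.2.1/24", "dhcp": ("192.168.2.100", "192.168.2.200")},
    4: {"iface": "192.168.4.1/24", "dhcp": ("192.168.4.100", "192.168.4.200")},
}
# Constructed fixed-IP requests: (host, VLAN ID, fixed IP).
STATIC = [
    ("printer", 2, "192.168.2.10"),   # valid: in subnet, outside the range
    ("nas", 2, "192.168.2.150"),      # inside the DHCP range
    ("camera", 4, "192.168.2.20"),    # address belongs to another VLAN's subnet
    ("switch", 4, "192.168.4.1"),     # collides with the interface address
    ("ap", 4, "192.168.4.10"),
    ("ap2", 4, "192.168.4.10"),       # duplicate of "ap"
]

def check_static(vlans, static):
    """Return {host: [problems]} for every fixed IP that breaks the plan."""
    problems, seen = {}, {}
    for host, vid, ip_text in static:
        issues = []
        ip = ipaddress.ip_address(ip_text)
        vlan = vlans.get(vid)
        if vlan is None:
            issues.append("unknown VLAN")
        else:
            iface = ipaddress.ip_interface(vlan["iface"])
            net = iface.network
            lo, hi = (ipaddress.ip_address(a) for a in vlan["dhcp"])
            if ip not in net:
                issues.append("outside VLAN subnet")
            elif ip in (net.network_address, net.broadcast_address):
                issues.append("network or broadcast address")
            elif ip == iface.ip:  # assumed to be the gateway DHCP hands out
                issues.append("same as interface address (client gateway)")
            elif lo <= ip <= hi:
                issues.append("inside DHCP range")
        if ip in seen:
            issues.append(f"duplicate of {seen[ip]}")
        seen.setdefault(ip, host)
        if issues:
            problems[host] = issues
    return problems

if __name__ == "__main__":
    for host, issues in check_static(VLANS, STATIC).items():
        print(f"{host}: {', '.join(issues)}")
```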