
UTM and VLAN routing

Hello,

Hoping I can get some assistance with what I am missing on this UTM SG230 running 9.407-3. I have seen other questions on here, however could not find one with a...complete answer. As well, I know all configurations are different. So, even a push towards another question may help.

I have the following configuration on an L3 capable switch (Cisco Nexus 5548UP); it is the default gateway for the endpoints. However, the VLANs I have configured are not being understood, and the VLAN traffic seems to be dropped once it gets to the Sophos SG230.

The Cisco has following VLANs with IP address assigned to vlan interface.

VLAN 1=101.1   *Default VLAN and EndPoint default GW
VLAN 102=102.1
VLAN 103=103.1  
VLAN 104=104.1

The UTM internal interface is 101.254 *eth0 of UTM
The UTM additional interfaces are 102.254, 103.254, and 104.254 *Interfaces & Routing tab, Interfaces, additional addresses tab

The Cisco routes have been checked and double checked; all VLANs have a route to the firewall, and 0.0.0.0 to the firewall is the primary route for VLAN1.
0.0.0.0/0, ubest/mbest: 1/0
    *via 192.168.101.254, Vlan1, [1/0], 1w4d, static
         recursive next hop: 192.168.101.254/32

I believe what is occurring is that the firewall does not recognize the traffic from the additional addresses or VLANs once it hits the firewall, and therefore it does not reach a WWW address. The Cisco port is trunked to the SG230. All VLAN traffic goes via the trunk port to the UTM, which seems not to understand it if it is from a 102, 103, or 104 subnet.

So, my question is (and I can provide more information): What do I need to enable/configure on the firewall to allow the UTM to recognize and route the VLAN endpoints through the firewall? Is there an interface setting I am missing to allow additional VLANs (102, 103, and 104) to use eth0 (Internal Interface) to route these to the Internet?

I have tried configuring firewall rules to troubleshoot and open traffic, for example a rule to allow Interface VLAN103 - Any - Any, and nothing. There are already many rules containing these VLANs or additional networks, and the UTM just doesn't seem to be configured to handle this.

I have been over the Cisco configuration with Cisco support three times now, and the configuration and L3 routing are set up properly. So, where and what can I do to allow more than the default VLAN to have traffic accepted and routed by the SG230?

Thanks in advance,

Joel  



  • Hi Joel,

    Before reading through the complete question, you need to change the VLAN1 tag on this configuration as VLAN1 is reserved in UTM.

    Let me know if that change resolves the issue.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Sachingurung,

    Are you suggesting that I change the current internal interface to a VLAN interface?

    https://community.sophos.com/kb/en-us/118999

    This makes sense, however it has not been needed until the update to 9.407-3. It was all working fine before this update.

    The port to the firewall/UTM is trunked and ALL traffic (VLAN102, 103, and 104) was being passed by VLAN 1 and was making it out to WWW. So, this is why I am asking for further details. Also, since it seems I can only make one VLAN per interface, this seems a bit...retarded for the SG230. I think it should be able to route more than one VLAN on an interface.

    So, any further information would be helpful.

    Thanks,

    Joel

  • If I understand everything correctly, you have to do the following steps:

    1. Define your LAN interface as a routing interface (e.g. 192.168.200.0/24) and give your UTM an IP (e.g. 192.168.200.254).

    2. Your VLANs on the L3 switch will have one default gateway, the IP of the routing LAN (192.168.200.254), so your L3 switch will route all traffic it cannot handle itself to your UTM.

    3. Define on the UTM the network definitions for your VLANs (e.g. vlan102 (IP subnet 192.168.10.0/24), vlan103 (IP subnet 192.168.20.0/24)) and create your rules (network, masquerades etc.).

    4. Create a gateway route on the UTM for each VLAN you have and point it to the interface IPs of your VLANs on the L3 switch.

    Now everything should work.


    Sophos Platinum Partner 
    Sophos Certified Architect
    (Certified UTM Architect / Certified XG Architect)
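To make the four steps above concrete, here is an added example (written for this page, not code from the thread or from Sophos) that models the switch's and the UTM's forwarding tables as longest-prefix-match lookups and traces one VLAN103 client's packet out to the Internet and the reply back. It reuses the answer's example addresses (routing LAN 192.168.200.0/24, UTM at 192.168.200.254, vlan102 = 192.168.10.0/24, vlan103 = 192.168.20.0/24). The switch's own address on the routing LAN (192.168.200.1), the UTM's WAN addressing and the destination server are assumptions made up for the illustration. The three scenarios show the two ways the design breaks: without the step 4 gateway routes the UTM sends the reply out its default route instead of back to the switch, and without a step 3 masquerade rule covering the VLAN network the request leaves the WAN interface with a private source address.

```python
"""Route-lookup walk-through for the L3-switch + UTM design in the answer above.

Added example, not from the original thread. The 192.168.200.1 switch address,
the 203.0.113.0/24 WAN side and the 198.51.100.7 server are assumptions.
"""
from ipaddress import ip_address, ip_network

ROUTING_LAN = "192.168.200.0/24"
UTM_LAN_IP = "192.168.200.254"
SWITCH_LAN_IP = "192.168.200.1"          # assumed SVI address on the Nexus
VLANS = {"vlan102": "192.168.10.0/24", "vlan103": "192.168.20.0/24"}
WAN_NET, ISP_GW = "203.0.113.0/24", "203.0.113.1"   # assumed (TEST-NET-3)


class Router:
    """Minimal longest-prefix-match forwarding table for one device."""

    def __init__(self, name):
        self.name = name
        self.routes = []  # (network, gateway or None if connected, interface)

    def add_connected(self, cidr, interface):
        self.routes.append((ip_network(cidr), None, interface))

    def add_static(self, cidr, gateway, interface):
        self.routes.append((ip_network(cidr), ip_address(gateway), interface))

    def lookup(self, dst):
        """Return (network, gateway, interface) of the most specific match, or None."""
        dst = ip_address(dst)
        best = None
        for route in self.routes:
            if dst in route[0] and (best is None or route[0].prefixlen > best[0].prefixlen):
                best = route
        return best


def build_switch():
    """Steps 1-2 from the switch's side: SVIs plus one default route to the UTM."""
    sw = Router("nexus")
    sw.add_connected(ROUTING_LAN, "Vlan200")
    for name, net in VLANS.items():
        sw.add_connected(net, name)
    sw.add_static("0.0.0.0/0", UTM_LAN_IP, "Vlan200")
    return sw


def build_utm(vlan_routes=True):
    """Step 1 (routing LAN on eth0) and, optionally, step 4 (routes back to the switch)."""
    utm = Router("utm")
    utm.add_connected(ROUTING_LAN, "eth0")
    utm.add_connected(WAN_NET, "eth1")
    utm.add_static("0.0.0.0/0", ISP_GW, "eth1")
    if vlan_routes:
        for net in VLANS.values():
            utm.add_static(net, SWITCH_LAN_IP, "eth0")
    return utm


def trace(client_ip, server_ip, switch, utm, masq_nets):
    """Follow one client->server packet out and the reply back.

    masq_nets is the list of networks covered by a masquerade rule on eth1 (step 3).
    """
    result = {}
    hop = switch.lookup(server_ip)                       # client's default GW is the switch
    result["switch_next_hop"] = str(hop[1]) if hop and hop[1] else None
    out = utm.lookup(server_ip)                          # UTM forwards to the Internet
    result["utm_egress"] = out[2] if out else None
    result["masqueraded"] = any(ip_address(client_ip) in ip_network(n) for n in masq_nets)
    back = utm.lookup(client_ip)                         # reply arrives on eth1, de-NATed
    result["utm_return_iface"] = back[2] if back else None
    result["utm_return_gw"] = str(back[1]) if back and back[1] else None
    result["works"] = (
        result["switch_next_hop"] == UTM_LAN_IP
        and result["utm_egress"] == "eth1"
        and result["masqueraded"]
        and result["utm_return_iface"] == "eth0"
        and result["utm_return_gw"] == SWITCH_LAN_IP
    )
    return result


def scenarios():
    """Three UTM configurations for the same VLAN103 client reaching the same server."""
    switch = build_switch()
    client, server = "192.168.20.25", "198.51.100.7"     # constructed sample addresses
    return {
        "no_routes_no_masq": trace(client, server, switch, build_utm(vlan_routes=False), []),
        "routes_but_no_masq": trace(client, server, switch, build_utm(), [ROUTING_LAN]),
        "complete": trace(client, server, switch, build_utm(), [ROUTING_LAN, *VLANS.values()]),
    }


if __name__ == "__main__":
    for name, res in scenarios().items():
        print(f"{name}: {res}")
```

Running it prints one line per scenario. Only the last one reports `works: True`; the first shows the reply being routed to `eth1` via the ISP gateway (the symptom of a missing step 4), and the second shows a correct return route but `masqueraded: False`, because a masquerade rule written only for the routing LAN does not cover the VLAN subnets the switch is forwarding.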