
Sophos UTM 9 and layer 3 switch, what's the best way of doing it

Hi everyone, I've been using Sophos UTM 9 and my L3 switch (D-Link DGS 1510) that I only bought for connecting my workstation to my NAS via 10Gbit SFP+. Everything is working fine as my setup is very straightforward:

Sophos acts as a gateway, handles the dhcp of the network and gives the network internet access via the ISP modem

The D-Link switch didn't do any of what L2 or L3 switches are made for as it was only used as a switch connecting all the devices of my network.

As I'm about to move into a new house and as I will be implementing a new server, video surveillance and IP phones to the network, I decided to dig deeper and did some research.

 

Here is what I think my new setup will be like:

VLAN 1 FreeNAS, workstations, home WiFi and so on

VLAN 10 Guest WIFI

VLAN 20 Video surveillance

VLAN 99 MGT

VLAN 150 IP phone

 

Sophos ---> Gateway and firewall of the network --> ISP modem --> Internet

D-Link switch ---> L3 switch will handle VLANs and the routing in case I wanted some VLANs to communicate with each other

 

Now is this a good way of doing things?

Do I have to setup a trunk between the router and the switch?

Does the Sophos have to be the gateway, or can it just be a firewall and provide me VPN etc.?

 

Thanks a lot for helping figure it out.



  • Optimizing a design requires an understanding of the design goals.

    As a home user, UTM is limited to 50 devices. It will remember devices for a week. If you have a lot of devices, or a lot of WiFi guests, then you will need some of those devices to bypass the UTM protection, and that would mean the switch is in front of the UTM.

    You proposed multiple VLANs, but did not explain why.  Generally there is nothing in a home network that requires multiple VLANs.

    Do you want full or partial security boundaries between the VLANs?   UTM is probably better at enforcing traffic rules than your switch, which is a reason why UTM might be the better router.

     

    Which devices have to be on the same LAN/VLAN?   For example, ChromeCast needs to be on the same WiFi as the phones which activate it.   If you want guests to control your ChromeCast, then it needs to be on your Guest WiFi.   If not, then it can be on your home WiFi.

    Will your home phones need to be on the same LAN/VLAN as your laptops and desktops?  If not, should they be isolated on a separate VLAN from the computers?   In my house, we have one device with our financials and our photo library, so it needs the most protection.   

    Overall, your security goals and the 50-device technical constraint are the most important considerations, and that depends on what you want.

  • I could definitely run everything on the same LAN/VLAN as I've always done. I am a home user which just happens to like playing with computers, networks.

    There is not a real need for me for making it this complicated, I just want to learn and understand how to do it.

    I decided to split the network into multiple VLANs for several reasons:

    _ Give internet access to my aunt's flat without her being able to access my FreeNAS box and sucking all the bandwidth

    _ Isolating video surveillance server and IP cameras

    _ Isolating FreeNAS box which is connected either with SFP+ and via LAGG on a different VLAN for media streaming

    _ Expand the network to my garage where I will shortly install a small managed switch and I want to carry the VLANs there

    _ Expand the network to a small dependance I will be building at some point next year in the garden and I will be having guests staying there (they'll have internet access, media access to Plex but I don't want them to access IP cameras, FreeNAS shares and so on)

    _ Learning how to do all the above

     

    For now I just made ISP router --> Sophos UTM 9 --> D-Link DGS 1510 work with VLANs, DHCP and internet access. I now want to isolate VLANs with only a few exceptions but keep internet access to every VLAN, then I'd love to manage bandwidth (I'm talking about internet bandwidth) to some VLANs I will be using for guests. For example I don't want my guests to use all the bandwidth if they are streaming a Netflix movie.

    I am sorry if I sound approximate on some topics, and maybe I can't really make myself clear, this is not my job, but I just love it a lot as a hobby and I always want to know more.

  • I meant no rebuke, so no need to apologize.   Since we are all geeks, our default answer will tend to be what appeals to us as technically elegant, or else what we consider technically feasible based on assumptions about your skill set.   Knowing your objectives helps us to propose better options for you.

    Experimenting is a good way to learn.   I have tried to post a bunch of tutorials in this forum because of my frustration with the things that I thought were missing from the documentation.  

    Hope it all pays off for you!

  • And I thank you all for that,

     

    I am now stuck again, trying to block traffic between VLANs.

     

    With the config I posted above I can ping VLAN 40 PCs from VLAN 10 and I am trying to block it. In the firewall rule I have vlan10(network)-->any-->any; if I try vlan10(network)-->any-->wan(network) it doesn't work, or if I try vlan10-->any-->any and then I add another rule vlan10-->any-->vlan40 block, it doesn't seem to do anything. Why is this happening?

  • You should remove the rule:

    vlan 10 => any => any = Allow

    or change it to:

    vlan 10 => any => internet IPv4 => allow

    Since you tried wan(network) you ONLY allow traffic to the subnet at your provider where also your own WAN public address is in, that's just a really, really small portion of the internet, most likely only consisting of other customers of your provider. By using Internet IPv4 you allow access to 0.0.0.0/0, which is all addresses reachable through an interface with a default gateway.

    Also you can put a rule like:

    vlan 10 => any => vlan 40 (network) => block (like you did), but this rule should be BEFORE any allow rule, because the firewall will evaluate rules from top to bottom and whenever a rule is matched it will use that rule and stop processing. So if you allow before you block, the allow will always win.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
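    The first-match rule evaluation described in the answer above, as an added Python model that is not part of the thread and not Sophos code. The VLAN subnets, the provider subnet behind wan(network) and the interface-bound behaviour of "Internet IPv4" are assumptions made for the illustration; it reproduces the four rule sets discussed (allow-then-block, block-then-allow, Internet IPv4 only, wan(network) only) and shows which of them actually stops vlan10 from reaching vlan40 while keeping internet access.

```python
import ipaddress

# Constructed sample addressing for the VLANs in the thread (assumed; the post gives no subnets).
INTERNAL = {
    "vlan10": ipaddress.ip_network("192.168.10.0/24"),
    "vlan40": ipaddress.ip_network("192.168.40.0/24"),
}
# wan(network) is only the provider subnet the UTM's public address sits in (assumed /24).
WAN_NET = ipaddress.ip_network("203.0.113.0/24")

def egress(ip):
    """Simplified routing: a directly connected VLAN if the address is in one, else the WAN."""
    for name, net in INTERNAL.items():
        if ip in net:
            return name
    return "wan"

def matches(selector, ip):
    """Selectors used in the thread. 'internet ipv4' is modeled as 0.0.0.0/0 bound to the
    WAN interface (assumption), so addresses routed to an internal VLAN never match it."""
    if selector == "any":
        return True
    if selector == "internet ipv4":
        return egress(ip) == "wan"
    if selector == "wan(network)":
        return ip in WAN_NET
    return ip in INTERNAL[selector]

def first_match(rules, src, dst, default="drop"):
    """UTM-style evaluation: top to bottom, the first rule whose source and destination
    both match decides and nothing below it is considered; no match means the default."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_sel, dst_sel, action in rules:
        if matches(src_sel, src_ip) and matches(dst_sel, dst_ip):
            return action
    return default

# Rule sets from the thread (service is 'any' throughout, so it is not modeled).
ALLOW_THEN_BLOCK = [("vlan10", "any", "allow"), ("vlan10", "vlan40", "drop")]  # what the OP tried
BLOCK_THEN_ALLOW = [("vlan10", "vlan40", "drop"), ("vlan10", "any", "allow")]  # block moved up
INTERNET_ONLY = [("vlan10", "internet ipv4", "allow")]                        # the suggested fix
WAN_NET_ONLY = [("vlan10", "wan(network)", "allow")]                          # too narrow

if __name__ == "__main__":
    for name, rules in [("allow-then-block", ALLOW_THEN_BLOCK), ("block-then-allow", BLOCK_THEN_ALLOW),
                        ("internet-only", INTERNET_ONLY), ("wan-net-only", WAN_NET_ONLY)]:
        to_vlan40 = first_match(rules, "192.168.10.5", "192.168.40.7")
        to_internet = first_match(rules, "192.168.10.5", "198.51.100.9")
        print(f"{name:17} vlan10->vlan40: {to_vlan40:5}  vlan10->internet: {to_internet}")
```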

  • Ciao Andrea,

    Also see #2 in Rulz concerning pinging.  Another issue might be the way you have Web Filtering configured.

    You might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests."  If you would like me to send you this document, PM me your email address.  For our German-speaking members, I also maintain a version auf Deutsch initially translated by fellow member hallowach when he and I did a major revision in 2013.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thank you very much, I now did what I needed, it was very simple, also made inter-VLAN routing work. Thank you!
