
How should I set up UTM for dhcp to fixed ip devices

My first post on this Community, so I hope I am in the right place. Please forgive me and tell me where I should post if I am in the wrong place. I am not a network engineer, so I am at the bottom of the learning curve.

I have subnets created on an SG135 UTM with DHCP on the device. I have excluded the first 20 addresses of the subnet because a number of the devices on the subnet use fixed IPs. I am having trouble with DNS on these devices and think my configuration is not quite correct. How should I define the fixed IPs in the UTM for these fixed-IP devices to ensure DNS is working? I do not have DNS on my client devices.



  • Hi

    A very warm welcome to the UTM forum! :-)

    UTM DNS settings:

    Firstly, I assume that you are using UTM as your DNS forwarder, similar to what's shown below (either that, or you have simply ticked that 'Use forwarders assigned by ISP' box and have no hosts listed in the DNS forwarders field).

    Next, let's look at DHCP-served devices with MAC/IP binding set in UTM:

    I now only use DHCP for the devices on my network; however, for anything other than devices on my guest network, I use MAC/IP bound addresses for absolutely everything else, and these are set by adding host entries in UTM's 'Network Definitions' list (as shown in the screenshot below, with the details of the printer one expanded to show its contents).

    Incidentally, I set all of my MAC/IP bound addresses to reside outside of the DHCP pools, leaving the pools only for unbound DHCP devices, temporarily visiting these subnets (so I only require a very small pool of addresses on each subnet).

    Now lets look at static addresses set up in the devices, themselves:

    The top entry in my first image (the ADSL one) is somewhat different to the rest as it is not a MAC/IP bound static address, but instead an address defined within the external device itself (it is actually my ISP-provided router's LAN address; its LAN port is connected to the WAN side of my UTM box as I am using a double-NAT system). As you can see, the 'adsl' device is also defined in the hosts list and that means I can use http://adsl. to access the router's configuration pages (as opposed to typing 192.188.6.1), even though it is not a host with MAC/IP binding set up in the UTM, and as you can see below, it is a very similar entry to that of my printer, but in the case below it doesn't have a MAC address populated in the MAC field and the DHCP server is not enabled for that device.


    Footnote:

    Incidentally, I also have DNAT rules to ensure a device on the network cannot look elsewhere for DNS (in case it's been compromised and set to access a nefarious DNS server). If it tries to look up something other than the UTM itself, it is simply redirected back to the UTM's network address (so in fact, if setting static addresses in any device, I can type any old rubbish for the DNS and it will get redirected to the UTM DNS server address; doing exactly that was how I tested it to see if it was working). :-) Of course, if a browser was using all this newfangled DNS over HTTPS stuff, that would defeat these redirects.

    I hope I've covered most things in the above (and I hope it makes sense) but please do ask if anything needs further clarification and I'll respond to the best of my abilities (which aren't actually that extensive, but to make up for that embarrassing void in my own knowledge, I'll at least add additional fancy images). :-)

    Kindest regards,

    Briain

  • PS Sorry about all the edits; I started with a brief reply, then I decided to expand it (and after doing so, it clearly required rearranging to make it less of a muddled mess). :-)
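The "force every DNS lookup back to the UTM" DNAT rules described in the post above are set in the UTM GUI, so nothing in the thread shows them as text. As an added example (not UTM configuration and not the poster's own), here is the equivalent on a plain Linux gateway using iptables. The interface name, gateway address and LAN range are hypothetical; the script only prints the commands unless APPLY=1 is set, so you can review them before touching a live firewall.

```shell
#!/bin/sh
# Added example: Linux iptables equivalent of the "redirect all DNS to the
# gateway" DNAT rules described in the thread. Not Sophos UTM configuration.
# Assumed (hypothetical) values: LAN_IF = inside interface, GW_IP = the
# gateway's LAN address (where its resolver listens), LAN_NET = client range.
# Prints the commands by default; APPLY=1 runs them (needs root).

dns_redirect_rules() {
    lan_if=$1; gw_ip=$2; lan_net=$3
    for proto in udp tcp; do
        # Any DNS query from the LAN aimed at a resolver other than the
        # gateway is rewritten to land on the gateway's own resolver.
        # conntrack un-NATs the reply, so the client still sees the answer
        # as coming from the address it asked (this is how "any old rubbish"
        # in a device's DNS field still works).
        echo "iptables -t nat -A PREROUTING -i $lan_if -s $lan_net ! -d $gw_ip -p $proto --dport 53 -j DNAT --to-destination $gw_ip:53"
    done
    # DNS over TLS uses its own port (853) and can simply be refused.
    # DNS over HTTPS shares port 443 with normal web traffic and cannot be
    # picked out by port alone, which is the caveat raised in the post.
    echo "iptables -A FORWARD -i $lan_if -s $lan_net -p tcp --dport 853 -j REJECT"
}

# Number of rules a given call would add; useful to eyeball before applying.
dns_redirect_rule_count() {
    dns_redirect_rules "$@" | wc -l | tr -d ' '
}

# Either print the rules (default) or execute them one by one.
run_or_print() {
    dns_redirect_rules "$@" | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            sh -c "$cmd"
        else
            echo "$cmd"
        fi
    done
}

# Usage (hypothetical values): run_or_print eth1 192.168.10.1 192.168.10.0/24
```

The gateway's resolver must be listening on the LAN address and allowed to answer that subnet, otherwise redirected queries simply time out. To verify the redirect from a client, query a resolver you know is not the gateway (for example `dig @198.51.100.1 example.com`, a documentation address) and confirm you still get an answer; then watch the counters on the PREROUTING rule climb.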

  • Hi Briain,

    Many thanks for your replies and taking the time to set it all out clearly.  I am busy on other work right now but will go through your post over the next couple of days and get back to you.

    I suspect my configuration needs some tweaking and I also need to get the VLAN 1 management set up correctly so I can access all devices on different subnets for control purposes. The fixed IPs have been inherited from an older firewall device before I installed managed switches and I have much to do!!!

    Thanks again,

    Budgie2    

  • Hi

    Just in case it helps, below shows a few examples from my own set of inter-VLAN rules.

    Rule 9 permits a few devices to access my native LAN, as well as three subnets that I have pre-configured for testing things (192.168.0 and 1).

    Rule 10 permits the heartbeats from my Ubiquiti WAP to access a Raspberry Pi that sits on its own VLAN (its own as it also receives heartbeats from other sites).

    Rule 11 facilitates access to a single device (another Raspberry Pi that also sits on its own subnetwork as it's also exposed to the Internet, but this time it sits behind the WAF; as that is the most vulnerable device, that rule is only toggled on for SSHing into and updating the Pi). When toggled on, that rule also permits access to an entire subnet (the one I have for my TV, Sky+ box and Roku, etc). I should really split that into two separate rules, but I seldom need it, so I bundled them together, just to shorten the list of rules by one. :-)

    Rule 12 isn't an inter-VLAN rule (I over-shot when taking the screen shot; oops) but that's what lets the above-mentioned Pi apt from its repositories.

    Kind regards,

    Briain

  • Hi Briain,

    Many thanks for your posts and details on your configuration. My problem is my own ignorance and trying to relate what you have done to my own arrangements. I think I should really start at the beginning since I have something working at present, albeit flawed, and it may not be appropriate just to try and copy your arrangements as my site requirements may be quite different.

    My connected devices have been given fixed IPs on their respective devices and were divided between three subnets for separation and privacy reasons.  These three subnets were first created on my old firewall device which reserved the first 20 addresses for the fixed devices on each subnet and served DHCP addresses to any other devices connecting to their respective subnets. 

    I had to install the Sophos UTM when the original firewall died and these three subnets were set up on three ports on the Sophos UTM so that I could just plug in the new firewall and keep going.  No other configuration changes were made. 

    My next requirement was to expand the network and this required a bridge between buildings.  I had to use vlans to split the subnets over the bridge.  I added a managed switch at each end of the bridge and then used dumb switch hubs for each subnet as required.  Very simple.  As the network grew I used vlans to connect APs with multiple SSID devices.

    I have no DNS server on my machines and do not have hosts set up. I do not use windoze on any of my machines. I have little experience with setting up SSH passwords etc. and I do not have VLANs defined in the Sophos device but only on the managed switches. I do not have the management VLAN 1 set up on Sophos. As you can tell, I am a hopeless case, and the question is where to start.

    I think the most critical issue first is to get the management VLAN working correctly so that I can access VLAN-enabled devices and, through the Sophos device, the fixed IP devices on the three subnets. I am doing plenty of reading at present and if you have a good simple guide you can suggest it would be appreciated.

    Many thanks for your time.

    Budgie2

  • Hi

    Sorry, from your first question I was assuming it was a new installation (with UTM in transparent mode and connected in the form of a 'router on a stick') but I now understand that you're inserting UTM (perhaps using it in standard mode) into an existing and more complex network, so that will make it a lot more tricky for anyone to get their head around (without a detailed diagram with things like subnets and machine configurations defined).

    One quick thought is that I am slightly unsure what you are doing for DNS. When you state 'I have no DNS server on my machines and do not have hosts set up' I assume that you mean you don't have a dedicated DNS server sitting on the network (and that you haven't configured any hosts in UTM network definitions section) so I'm wondering if you were intending to use UTM as the network DNS server (i.e. by configuring it similarly to what I showed in my first post then pointing all the machines to it for DNS lookups) or whether the machines set with static addresses have been configured to look directly at a public DNS service? I note your mention of no Windows machines being present, so assuming that you're using Linux machines, perhaps running cat /etc/resolv.conf on the machines with static addresses (and indeed also on one of the DHCP machines) might be a useful test to find out exactly where all the machines are attempting to seek DNS information.

    Perhaps it would be a great opportunity to draw it all out, then see if you can do a minimal-hassle alteration of things to suit what you'd ideally like the end network to be (as you say, starting with the management LAN, then sorting everything else after that)? Personally, I really dislike having static addresses set in devices (people used to frequently bring me an errant NAS to be checked, but many had been set with static addresses and the owners had no idea what their subnet was, never mind the NAS's address), so ever since those days I have always configured folks' networks with everything set as DHCP and used MAC/IP binding for any items that needed a fixed address. Not only can everything be administered from one place (e.g. if changing preferred DNS server, it only has to be done in the router, then everything rebooted) but it meant that they had all the benefits of static addresses being set, but that when temporarily moving a device to a new network (or to my test network) it still worked, albeit with just a DHCP address on the temporary network. Of course, with a more complex network (managed switches peppered about) it might make sense to make some of them static (on the management LAN) then to have everything else DHCP for ease of future changing?

    The more I ponder it, the more I think it might indeed be a good time to design where you'd ideally want to end up (on a very large sheet of paper; hey, I'm old school) then to see how best to end up there?

    Kind regards,

    Briain :-)
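Briain's first post keeps every MAC/IP bound address outside the DHCP pool, and the post above recommends DHCP-plus-binding for everything that needs a fixed address. Before typing a list of bindings into the UTM, it is worth checking the plan for the two mistakes that cause exactly the sort of intermittent trouble described in the thread: a bound address that sits inside the pool (so an unbound visitor can be leased it), and two entries sharing a MAC or an IP. The script below is an added example, not UTM tooling and not from any poster; the binding list format and the sample entries in the usage note are constructed for this example.

```shell
#!/bin/sh
# Added example, not Sophos UTM tooling: sanity-check a plan of MAC/IP bindings
# against a DHCP pool before entering them in the UTM, following the practice
# in the thread of keeping every bound address outside the pool.
# Binding file format (constructed for this example), one binding per line:
#   <mac> <ip> <name>        lines starting with # are comments

# Convert a dotted-quad IPv4 address to an integer so ranges compare numerically.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# check_bindings <pool_start> <pool_end> <file>
# Prints each problem found; returns 0 for a clean plan, 1 otherwise.
check_bindings() {
    pool_start=$(ip2int "$1"); pool_end=$(ip2int "$2"); file=$3
    status=0
    while read -r mac ip name; do
        case $mac in ''|\#*) continue ;; esac   # skip blank lines and comments
        n=$(ip2int "$ip")
        if [ "$n" -ge "$pool_start" ] && [ "$n" -le "$pool_end" ]; then
            # A bound address inside the pool can also be handed to an
            # unbound client, producing an address conflict.
            echo "IN-POOL    $name $ip (pool $1-$2)"
            status=1
        fi
    done < "$file"
    # Two entries sharing a MAC (column 1) or an IP (column 2) will fight
    # over the lease; report either.
    for field in 1 2; do
        dups=$(grep -v '^#' "$file" | awk -v f="$field" 'NF {print $f}' | sort | uniq -d)
        if [ -n "$dups" ]; then
            echo "DUPLICATE  column $field: $dups"
            status=1
        fi
    done
    return $status
}

# Usage (hypothetical pool and file):
#   check_bindings 192.168.10.20 192.168.10.200 bindings.txt && echo "plan is clean"
```

The OP's layout (first 20 addresses reserved, pool after that) maps directly onto the pool bounds: anything with a last octet below the pool start is a valid place for a binding, anything inside the pool is not. The same check applies per subnet, so run it once per binding file.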

    I have just typed a long explanation and it has evaporated mid sentence, so again and in short, we have a very small hospitality business with furnished holiday lets, B&B and restaurant. Until recently we had an internet connection restricted by distance and geography to not much better than carrier pigeon. We now have a commercial wifi connection across the valley with 40Mb/s. Not in the fibre category but at least working OK so we can offer some streaming and decent video capacity. This has necessitated a radical upgrade from the rather simple network and that is where I came in.

    I am very appreciative of all your posts and understand I am not  seeking a quick fix but rather, with your help, laying a good foundation based on sound best practice for our future development.

    I had many drawings and sketches from the past but things have moved in leaps and bounds since I found I needed VLANs and started at the bottom of the learning curve once more.

    My existing arrangements are flawed but working after a fashion; I now have SSIDs for three different vlans across the site with various levels of restrictions and security pending my learning how to manage ACLs.  The site is quite small so I am hoping I can achieve roaming with the present handful of APs but now I need to focus on the management of the network and make use of "vlan1" so that I can access all devices from the one console.  My nervousness is making changes that lock me out even from my present setup.  After that I will need to set up a couple of additional subnets for EPOS and card payments systems so that these are isolated from everything else and also the back of house functions which need to be secure.

    I have probably rambled on a bit but this is where I am at and all further advice is much appreciated. Meanwhile I will try and create the picture on a larger sheet of paper.

    Regards,

    Budgie2


  • Hi

    My suggestion was really just based on my own hassle when trying to sort out an existing network that had been evolved (by others) over the years. I ended up changing things and having unexpected problems to resolve, so in the end, I took a sheet of A3 and designed it from scratch, then that way I ended up with what I wanted, and more critically, with a clearer picture of the architecture and thus no unexpected surprises. One of the key things that I did was to first remove static settings from everything and instead set them as DHCP boxes, so when I eventually slotted the new network together (which had MAC/IP bindings set) it was a simple matter of unplugging devices (from the network) and reconnecting them, so they then got their new (and where appropriate, MAC/IP bound) addresses, so it meant I wasn't rushing about reconfiguring devices that had been knocked off the network.

    I am still puzzled at your original issue with DNS on static addressed devices and, assuming that these units are Linux boxes (you mentioned no Windows, but not what you are dealing with), I wonder what cat /etc/resolv.conf shows as being their DNS setting. I am not a Mac person, but one assumes the same command line trick would work with them, too.

    The VLAN networks I've built have all been router on a stick type architecture and L2 managed switches (which means the switches were nice and quick to configure) and in that case, I used an untagged LAN for the management (so only for the switches and WAPs, themselves) and everything else was scattered across VLANs 'linked' to SSIDs. I have used that sort of scheme in small business networks with a Draytek router, D-Link switches and Ubiquiti WAPs and several subnets (e.g. one for the office staff, one for the PoS PCs + card machines and one for the public Wi-Fi, with the latter network also isolating wireless devices from each other). I do have a network diagram for one of these networks, but I'll have to see if it can be easily anonymised before posting it here.

    My home network is of a similar architecture and with me using Sophos UTM here, it is trivial to create rules whereby my laptop can (when sitting on my 'private' VLAN) access devices on the management LAN (in fact, that is done by rule 9 in the screenshot that I posted) so I never have a need to actually connect my laptop to the management LAN (and though that is the one the WAPs are on, the management LAN is not extended to a SSID; I leave it only for the infrastructure devices). Of course, I don't need bags of traffic traversing VLANs, so that's why the router on a stick architecture works well for me (as well as making the switch configuration easier, of course; I am an amateur, not a professionally trained network guru). :-)

    I'm very sorry, but I can't really get heavily involved in helping you redesign a complete network via forum posts (and I'm not qualified to do so) and it would also get a lot trickier if you're using L3 switches (rather than the simple router on a stick and L2 switch type networks that I build and use) but I can perhaps help with any quick questions like suggesting how to investigate that DNS problem and answering questions about basic UTM settings, or the likes.

    All the best,

    Briain
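Briain has twice suggested running cat /etc/resolv.conf on the static-addressed machines to see where they are actually sending DNS queries. The script below turns that into a repeatable check you can run on each box (locally, or over ssh with the file path as argument). It is an added example, not from the thread or from Sophos; the expected resolver address used in the usage note is a hypothetical UTM LAN address, and the resolv.conf contents in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: check a machine's resolver configuration
# (the cat /etc/resolv.conf suggestion) and flag anything that does not point
# at the gateway/UTM. The expected address is passed in; 192.168.10.1 in the
# usage line is hypothetical.

# Print the nameserver addresses from a resolv.conf-style file, in order.
resolv_nameservers() {
    awk '$1 == "nameserver" {print $2}' "$1"
}

# check_resolver <expected_ip> <resolv_conf_path>
# Returns 0 if every nameserver is the expected one; otherwise prints the
# offenders and returns 1.
check_resolver() {
    expected=$1; file=$2; status=0; count=0
    for ns in $(resolv_nameservers "$file"); do
        count=$((count + 1))
        case $ns in
            "$expected") ;;
            # 127.0.0.53 means systemd-resolved is fronting DNS; the real
            # upstream is then in `resolvectl status`, not in this file.
            127.0.0.53) echo "STUB   $ns (systemd-resolved; check resolvectl status)"; status=1 ;;
            # A second, different nameserver still matters: glibc tries the
            # list in order, so a dead or wrong first entry shifts queries to it.
            *)          echo "WRONG  $ns (expected $expected)"; status=1 ;;
        esac
    done
    if [ "$count" -eq 0 ]; then
        echo "EMPTY  no nameserver lines in $file (resolver defaults to the local machine)"
        status=1
    fi
    return $status
}

# Usage (hypothetical UTM address):
#   check_resolver 192.168.10.1 /etc/resolv.conf && echo "DNS points at the UTM"
```

On a static-addressed Linux box the file is usually written by hand or by the network manager from the interface's DNS setting, so a WRONG entry here is the quickest way to find a device still carrying the old firewall's address from before the UTM was installed. On a DHCP client it should match whatever the UTM's DHCP scope hands out, which gives a direct comparison between the two kinds of device in the OP's question.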

  • Hi

    I've done this for a few customers, so I've just anonymised one of these diagrams (redacting customer names and SSID names, etc) in this case to show a customer and site manager (who are both very intelligent, but not technical people) what I was proposing to build for them (and explain why this was needed for security reasons). As you can see, it is another so called 'router on a stick' design necessitating only a L2 managed switch (I chose the D-Link after a conversation with a WISP who'd used them at several USA hill-top sites and liked their reliability and ease of configuration, so what with that and with their low price, they were also ideal for the sorts of customers that I have).

    After actually building it, I then created spreadsheets with more granular information (switch port details) and even screen dumps of key router settings pages, so it all formed a useful handbook for anyone who might have to work on it should I not be available, going forwards. The plan was also very useful for myself when initially building it, as even though it is a relatively simple network, trying to picture it all in your head whilst configuring it can be quite tedious (and mistakes can be made when doing it that way, particularly when I'm involved). My own network is of a similar architecture, but I have more VLANs (and I use the UTM's WAF feature to reverse proxy a Raspberry Pi web server) so it is a little more complex. I haven't created diagrams for my own network as nobody else will ever have to work on it (if I get run over by a steam roller, it'll likely all just end up in a skip).

    I was suggesting that it might be useful to go through a similar exercise for the network that you wish to sort out as it'll make it a lot easier to do so on the day (less chance of prolonged outages whilst trying to figure out why something isn't working as it should and someone hassling you because they can't get any work done; trust me, I know from experience that there is nothing worse than that, and particularly so if it happens to the point of sale machine and thus the money can't be taken in). :-)

    Kind regards and happy designing.

    Briain

    NB Yes, the Sonos bridge looks illogical, but it feeds something that's not shown on the diagram (there are a few Sonos units at that site) but the idea of showing it is not to scrutinise the contents, but to give you an idea of the form of network 'plan on a page' diagram that I was suggesting might help (then also help plan how to get there with least disruption, on the day).

  • Hi Briain,

    I thought the diagram brilliant and must find out what graphics program you use. Also your diagram made sense to me and I am working on this, in between other Covid related stuff which sadly has priority, much to my regret, so please forgive me if my conversation is not as fluent as you might wish.

    I mentioned DNS earlier and since a problem has now come up I will start there with your first picture. Network Services > DNS > Global: I presently have 4 networks shown and all have subnets defined as I expect.

    The Forwarders tab has nothing in it and the tick box is highlighted to use forwarders assigned by ISP, whose address is shown as 192.168.1.1, which I believe comes from the router provided, and I have no access to the settings for that device. The address is clearly not directly from the ISP.

    (Sorry about the box above which I cannot remove!) I believe my Sophos settings are OK for the time being as I have not touched them. The three subnets I am using all work as expected for the PCs in use as do the printers but I have not configured the management subnet and VLAN 1 and this should be examined.

    Where I am in difficulty is with the WiFi, as I have upgraded all the AP devices and have been trying to get SSID/VLAN assignments to work correctly. Strangely, one works as required but the others do not, failing to get an IP when I try to log in to the required SSID. I fear the problem is not just with the absence of correct configuration of the Management network but also with the configuration of the L2 switches and how I should access the AP devices from my own PC or laptop, which are both on one subnet along with the static IP addresses of all the APs.

    Where would be a good place to start??? 

  • Hi

    I do have a (headless) Windows 10 machine (one of these small fan-less chaps obtained via Aliexpress; it's actually a very nicely built piece of kit and it was a very nice price, too) and the only reasons I have it are for 3 pieces of Windows only software that I occasionally require (and I just use RealVNC to access it from my Linux laptop) with one of these being PaintShop Pro (which was what I used to create the above plan on a page diagram). I'm not saying that PSP is anything special, but I have been using PSP for a very long time (since not long after it came out, in fact) and I just haven't yet taken the time to learn how to better drive GIMP. That said, I recently discovered Kolourpaint (in the Debian repository) and that's just been great for things like quickly redacting text from a screen dump, or the likes (that was what I used to redact - via the rectangles - the SSIDs and other customer identifying information from that network map image).

    Back on topic and yes, with that 'use ISP forwarders' box ticked you don't need any forwarders in that list. Had you a modem in front of the UTM box, you would indeed get the ISP ones, but as you have a NAT router in front of UTM, it sees that as being your ISP, thus the 192.168.1.1. So that means DNS lookups will be whatever the router's set to use, and as you say, with many ISP provided routers, you have no choice other than to use the ISP configured DNS servers as there isn't any field brought out to the GUI in which you can change them (I have only seen that once in an ISP router).

    That said, I am currently running a similar system whereby I am using an ISP router in front of UTM; however, I have populated my own choice of forwarders in UTM, so that effectively overrides the settings in the ISP router. That said, it is not a guarantee that you can bypass the ISP's DNS servers as it is possible for them to use transparent DNS proxies to force you to use their servers (I'm not aware of anyone who does that, but allegedly it does happen). See the description and diagram at https://www.dnsleaktest.com/ and that'll explain what that's all about (and you can test for it at that site, too).

    Another interesting DNS test resource can be found here, https://www.grc.com/dns/dns.htm and again, there's a good description of what's happening with the test at that page.

    Incidentally, for my own forwarders I used to use IBM's Quad 9 (9.9.9.9), then I used Cloudflare (1.1.1.1 and 1.0.0.1) and I'm now using Cloudflare's latest offerings (which block access to known malware sites) of 1.1.1.2 and 1.0.0.2. Just in case it helps, below shows the settings 'opened up' for one of them.

    I used to have both in a group, but interestingly, a few weeks ago there was an issue with 1.1.1.1 (but not 1.0.0.1) and for some reason, it didn't use the second choice. I suspect that was because the group was resolved as being 1.1.1.1 and I meant to post here about that issue in case it was a UTM bug, but I never got around to doing so; that's why I now have two single entries and not a network group bundling them together (which is, I think, perhaps how you are meant to do it, but I could be incorrect about that).

    I'm not clear how you have it set up, but I know one can run into difficulties when trying to use a VLAN as the management LAN. My advice would be to create an untagged management LAN (so the devices attached to it, which should only be the switches and WAPs, etc) can easily get their network configurations (AKA DHCP settings) then create VLANs for all the other groups of devices. If you look at that diagram you'll see just that sort of arrangement (the trunk contains one LAN and three VLANs) whereby the management LAN is not tagged and I do not extend it out to a wireless network (thus no SSID associated with that subnet) as the management LAN should be reserved solely for the core network appliances, themselves (i.e. for inter-VLAN security reasons, you should only have your infrastructure devices sitting on the management LAN, other than for when you need to configure it, of course). So yes, you could either configure it by hooking your laptop into an access port configured to being the management LAN on your managed switch, or as you are using UTM, it is so easy to create an inter-VLAN rule (as per my first post) that that is another way to permit your laptop access to the management LAN.

    For the network shown in my plan on a page, I opted not to create an inter-VLAN rule and I instead just hook my laptop onto the management LAN when I need to visit them and re-configure anything (see orange text at bottom left corner of that same diagram) but that was mainly because it's a bit more faff to set up inter-VLAN rules in a Draytek and for the number of occasions that I need to visit and work on their network (i.e. very infrequently) I decided it made better sense to have no rules set up in the Draytek (less is always more, IMHO; less complex configuration could mean slightly less chance of any future firmware bug causing any problems). Of course, if I was using UTM at that site, I would instead do it via creating an inter-VLAN rule (and just for http, https and SSH access).

    So yes, you could access all the WAPs and switch settings by simply hooking your machine up to the management LAN, but don't have any other computers sitting on the management LAN, and for normal use of your own laptop (i.e. when you're not configuring stuff) it's good practice (for security reasons) to revert to using one of the VLANs instead.

    Bri

  • Dear Briain,

    First the good news, my problem was caused by the man who installed the Sophos device in the first place.  A small error in his configuration of one subnet, which was only just discovered by me now as I am starting to use the Sophos in earnest.  Now sorted and all is working reasonably well but needs improvement and hardening.

    Having studied your splendid diagram in some detail, I find there is an uncanny similarity between our two systems. The only difference is that you use Sonos and I use Linn renderers for audio and an RPi type device (Vero 4K+) for video with media stored on a NAS box. We even have a wireless bridge between two buildings with a trunk carrying three subnets across, and card machines and an Epos system. I very much appreciate that you are more knowledgeable and experienced than me but take comfort in this and value your posts.

    I need to digest the above further. By way of further info I am using EnGenius WAPs here as they are readily available and have good support for multiple SSIDs. I have three SSIDs set up and linked to three VLANs, only one of which is for guests with L2 separation. The other two do not have L2 separation but are supposed to be private. Having noted your comments I think I may need to review my plan because my needs at the detailed level do require management being able to access business back of house data from a phone. I shall get back to you when I have had a chance to think.

    Regards,

    Budge