Real beginner here so need help. UTM was set up originally by somebody else who gave no instructions at all. I am feeling my way, hence this post.
I wish to change the subnet on the management interface eth0 from 192.168.0.1/24, what I assume is the default. I have not yet connected anything to that interface and started to edit it but found that this would disconnect me from the dhcp server and I assume dns. I have other ports being used on other subnets and thought that because I had nothing plugged into port 0 I could change it without compunction but it appears that this network is being used and indeed is the system management subnet.
It is clear I need some guidance here with the basics of how I can change this subnet without disconnecting everything and not being able to get back into the system.
I see that when I log in to the device I am using https://192.168.0.1:4444/ which I was told to use and makes sense now, so how may I change the management interface without making a real mess?
I have no information on the router configuration which lies above the UTM but can seek this information if needed.
Grateful for some help here please.
Thank you for contacting the Sophos Community.
If nothing is connected to eth0 then you can go to Interfaces & Routings >> Interfaces >> eth0 >> Edit and change the IP address from there.
Now if you have configured something, you would need to connect to the UTM using a different IP (192.168.0.1), if you only can access to the UTM on 192.168.0.1 please go to Management >> WebAdmin Settings >> General >> WebAdmin Access Configuration >> Allowed Networks and add the IP of a computer that is not in the 192.168.0.1 subnet. For example
Image eth3 is where I connect to the Web GUI, if I want to edit it, I would need to add the wlan0 (10.10.10.1/24) under the WebAdmin Access Configuration to be able to access using a computer on the 10.10.10.1 network and I would type https://10.10.10.1:4444
In any case before making any change, please take a backup of the configuration under Management >> Backup/Restore >> Create Backup >> Create Backup NOW and download the backup to your computer.
Many thanks Emmanuel, excellent answer and just what I needed. A couple of follow up questions for clarification;
You suggest that after changing the management port address I would need to go use a different address but have quoted the default 192.168.0.1. I assume I would use my new address to replace the default and that once I had changed the eth0 subnet that default would not be there. Is that correct or is the default fixed absolutely?
Thanks for getting me sorted out on backing up. Can I set up the UTM to save in a particular directory in future rather than "Downloads?"
If I make an absolute hash of things and can no longer access the UTM in order to upload a backup from my laptop, what then?
Finally in your screenshot on setting up the Allowed Networks I found it contained Any (0.0.0.0). Should I now remove that "Any" as it will be replaced by my other machines, once entered as appropriate.
Many thanks again for your help. You can see I am an absolute beginner but love the system and with your guidance and others no doubt I hope to get the system as it should be.
I am making slow progress and now have management subnet set up (using the default) and fixed devices connected to that subnet using vlans on L2 managed switch. This has created some new problems but I think due to how I have configured the switch but I now have connections between subnets that I didn't set up on the switch. Could it be that the UTM is an L3 device and will route between subnets unless I prevent it at the UTM?
If the Vlans are finishing in the UTM, the UTM will route between them. You would need to create Drop Firewall rules between the subnets to stop this.
Also, check this Community Post about traffic being allowed even a Firewall rule is in place. Check Rule #2https://community.sophos.com/products/unified-threat-management/f/general-discussion/22065/rulz
Hi and thanks. So I now have four subnets set up on the UTM; Management, and three others, one in this case called HOME. The UTM ports are connected to ports on an L2 managed switch with vlans assigned to respectively. The WAP devices have been given fixed management addresses on the management subnet and on the WAPs and are connected to ports set up as Trunks on the L2 switch. I have set up SSIDs for each subnet on each of the working vlans, including my HOME subnet and temporarily an SSID on the management vlan for me to access the management subnet so I may configure WAP devices using wifi connection.
All the WAPs so connected seem to work OK in that logging in to each SSID gives me access to the WAN and if I log in to the management SSID I can access the control page of the WAPs.
My problem is that when logged into my HOME SSID, I cannot access my other devices which reside on my HOME network and when I look at the wifi on my phone I see it is connected to the management subnet, even though I logged in to the HOME SSID.
I have not set up any Vlans on the UTM. It appears that all the routing is taking place in the UTM and that I have work to do but it appears I should now erect a firewall between the subnets. I shall keep reading and will read the thread suggested but if you have time your further guidance would be appreciated.
Budgie2, (real beginner!)
OK so here is my problem, which may be more of a vlan/managed switch issue than UTM but here it is.
I have kept all tagging off the UTM so all switch ports connected to the UTM have memberships with port U (untagged).
I have created a management (say vlan 900) and web admin for access to the UTM from my private subnet workstation.
I have given all the fixed devices such as WiFi access ports and managed switches static IPs on the UTM management port subnet and and these are connected by trunk connection with membership tagged T.
I am unable to set up vlan 900 on the managed switch which is connected to the UTM management port. If I try the setting is refused.
What is correct way to set up this connection so that I am not locked out of either device and can access all the static devices on the Vlan900 management subnet? Can I do all the work within the managed switch or must I create a vlan on the management port of the UTM?
Hope I have explained?
Thank you for the follow-up.
Could you please take a screenshot of your interfaces?
Hi, here is my screenshot:-
Many thanks for your reply. I now have managed to change the default managed switch port to the correct vlan with the port set U_ntagged but now I suspect the switch can no longer get dhcp adresses from the UTM. I can connect to an spare port on correct vlan but using lan connection and can access all the devices because they have static IPs but seek your advice on the correct way to achieve connectivity from my main workstation which sits on another subnet on the switch.
I suspect there are many ways of doing what I want using UTM capability but your advice is really needed here. Thanks again for responding.
This is as far as I got and now need your advice on how I should access my management vlan!
So your Management interface and Management Vlan are in the same subnet, which will cause issues.
I would recommend you change either of these subnets so they don't overlap.
Maybe try 192.168.2.0/24 for the Management VLAN.
Hi and many thanks for the reply but you have left me very perplexed. I have used the UTM port 0 to connect to my management with dhcp provided by the UTM and the subnet which has all the relevant devices set with static addresses on that subnet and on the management vlan. If I use a different subnet for managing my devices how may I arrange dhcp for the management subnet?
Is there a guide for the correct way to set up the management subnet please.
Hi and many thanks for your earlier replies. I feel I have run into a wall here and this thread has dried up.
You have told me earlier how to change my management subnet on the UTM but now you have advised against using the same subnet for my other devices. Please could you tell me how I should reconcile this apparent conflict. All the other ports on my UTM are being used by other subnets.
Should I start a new thread?
Sorry, I forgot to answer.
The change I mentioned is because you shouldn't have an interface an a VLAN with the same subnet, routing will not work properly this way.
IF you really want to have a Management VLAN then this subnet has to be different than the interface subnet.
IF you don't want to change any subnet for your management VLAN, then you could configure the UTM to only allow access to certain computers, instead of changing your management subnet.
Hi Emmanuel, many thanks for the reply and for explaining the problem, even if I don't know enough to understand why! So if the requirement is to keep the UTM management subnet and the management subnet which I need to manage all my fixed devices, I think it would be much easier for me to change the UTM subnet than re-visit all the fixed devices. Is this a good idea or should I change my private management subnet?
I am not expert in these matters so please forgive my questions if they appear dumb but what is best way to set up my private management subnet? I have no spare UTM ports available to provide DNS and DHCP services so does that mean I must set up my own servers or can I work with only static addresses?
Many thanks for your help once more.
I see you have a Management Subnet and a Management VLAN.
I might be confused, I thought you had different devices in the Management VLAN and the Management Interface in the UTM, if that is not the case, you could change the IP of the interface in the UTM and leave the Management Vlan subnet and you should be fine.
OK so I can change the IP of the interface of the UTM but that means all my devices are on static IPs on their own subnet and there will be no dhcp on the management subnet. Is that OK and will I be able to access all the fixed devices other than the UTM? What if I wanted to add a new device using dhcp?
You should be able to access all of your fixed devices, you could create a DHCP in the UTM on the management VLAN.
I feel I am going round in circles because putting the fixed devices on a subnet which gets it's dhcp from the UTM management port is what I had initially except that I didn't have any vlans created on the UTM as all the vlans are created on the managed switch. As you can tell I am no longer sure what I am doing here. I have no idea how I can create a second subnet out of the management port of the UTM let alone set up a vlan on the UTM with dhcp.
What I have now is a subnet which has a bunch of fixed devices all with their management IPs set as static IPs on the same subnet. This subnet is the subnet which is created on the UTM and has DNS and DHCP set up on it. When in use I plug the management port of the managed switch into Port 0 of the UTM, for example when installing a new device or changing the SSID details on an AP etc. Once completed I unplug the UTM on the understanding that this will improve security.
If as I understand from your earlier post that there could be issues with this approach and that the management of the UTM should be on a different subnet then I need more detailed advice on how I should proceed please.
Might be better if you could provide a network diagram of your current configuration, so maybe seeing your network would help me understand a bit more your current setup.