Having just tried a test swap over to our new UTM that I thought I'd set up correctly, I've now (having looked on here) found that untagged VLANs aren't supported by the UTM.
So I'm hoping you can help me configure it right for the next trial run... tonight.
We have our VoIP on one VLAN (10) and our data on VLAN 20; these are all on untagged ports on our managed switches.
I had the main LAN port (eth0) on the UTM set up for the data subnet (but with no VLAN config/tagging) and plugged it into an untagged VLAN 20 port on the switch... but I got nothing. To be expected, it would appear.
So my plan is to tag (VLAN 20) the eth0 port for the UTM and the other end of that cable on the switch, but to leave all other ports on this VLAN (the rest of our domain network) untagged on VLAN 20. Will this work?
- If so, do I need to configure the main eth0 port to be a VLAN port instead of a fixed port?
- Do I need both ends of a tagged connection to be tagged (the UTM eth port and the switch port), or just one end?
- And what are the ramifications for accessing the UTM via the network or Wi-Fi the moment I click Apply on this change? I really don't want to cut myself off from the UTM (although I'll obviously have backups).
Also, I plan to configure eth7 on the UTM for the VoIP VLAN (10), and I guess this will also need to be tagged?
- Are there any other configurations I need to consider for this VLAN to allow it out onto the internet, i.e. routing/firewall rule changes etc.?
Hope that all makes sense :-) Lots of Qs, but I hope they'll be answered easily together so it's not too bad...
You should be able to just use normal (not VLAN) interfaces with untagged switch ports. Especially if you have "spare" interfaces on the UTM, there really is no advantage in using a VLAN interface. You would only need a VLAN interface if you don't have enough physical interfaces to host all the VLANs you use in your network; you are then of course sharing bandwidth over multiple VLANs. The only other reason for using VLANs would be if you also aggregate multiple ports into one logical port: you would have a higher total bandwidth as well as a redundant connection.
Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improving IT security and happy to help others with their IT security challenges.
Just changed our internal LAN from "Ethernet Static" to "Ethernet VLAN" two weeks ago, and have done it many times before.
After you have configured your UTM, you have to adjust your switch config to be able to access the UTM again (you have to be in the correct VLAN). If you have free ports, you can simply create a temporary static address and allow WebAdmin from it as a fallback if you want.
A common setup looks like this:
UTM eth0 (VLAN 10 & 20) -- Switch -- VoIP Phone (VLAN 10) -- Computer
UTM: eth0.10 (VLAN ID 10) / eth0.20 (VLAN ID 20)
Switch: the port to the UTM has to be tagged with VLAN IDs 10 & 20; ports to phones/PCs tagged for VLAN ID 10 and untagged for VLAN ID 20
Phones: set up to tag packets with VLAN ID 10
Computers: no VLAN configuration/tagging required, because it is tagged by the switch automatically
Thank you both, that's confirmed what I thought; really appreciate the input. Although apijnappels, you mentioned that it should work on untagged ports? This is what I thought my problem was, though... i.e. it was because I had untagged ports on a VLAN that I tried to connect to the UTM that traffic didn't pass...? If I plug these same ports (of the UTM) into an unmanaged switch, traffic passes no problem. Just curious :-)
I'm going to try it on one of the spare ports on the UTM and a spare switch port and see how I get on... Once this is confirmed as working, I'm going to try and aggregate the ports too; makes sense if they're spare.
Thanks again. Really appreciating the level (and speed) of input on this forum. Makes a BIG difference compared to the last FW we had.
You just have to make sure that, if you send a tagged packet out of a switch port, the device on the other side is configured to be able to receive it.
If the switch port is untagged (has no tagged VLANs), the UTM port has to be set to "Ethernet Static".
If the switch port is tagged, the UTM port has to be set to "Ethernet VLAN" with the corresponding VLAN ID(s).
You simply have to tag all VLANs on the switch port the UTM is attached to and configure multiple "Ethernet VLAN" interfaces on the UTM side on the same ethX. (First change the UTM, then the switch config, or you may not be able to access the UTM to make the changes anymore...)
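The tagging rules in the last two replies (untagged switch port pairs with "Ethernet Static", tagged switch port pairs with "Ethernet VLAN" on the same ethX, and change the UTM before the switch) can be checked with a small model of what actually crosses the cable. The following is an added example written for this page, not code from the thread or from Sophos: it models a switch port by its untagged (native) VLAN and its set of tagged VLANs, a UTM physical port by whether it carries a static interface and which ethX.<id> VLAN interfaces exist, and computes which VLANs pass end to end. Assumptions, labelled in the comments: the switch does ingress filtering (drops frames tagged with a VLAN the port is not a member of), the UTM drops tagged frames for which no ethX.<id> exists, and the UTM answers on the interface that received the frame. The `cutover` function replays the migration from static to VLAN, with and without the temporary static fallback suggested above.

```python
"""Model of which VLANs pass between a managed switch port and a Sophos UTM
physical port, depending on how each end is tagged.

Constructed example for illustration; not Sophos code.  Assumptions:
  * the switch applies ingress filtering: a frame tagged with a VLAN the
    port is not a member of is dropped;
  * the UTM drops a tagged frame unless an ethX.<id> interface exists for
    that tag, and drops an untagged frame unless ethX has a static config;
  * the UTM replies on the logical interface that received the frame, so
    the reply carries the same tag (or lack of tag) as the request.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Frame:
    vlan: int              # VLAN the frame belongs to inside the switch
    tag: Optional[int]     # 802.1Q tag on the wire; None = untagged


@dataclass
class SwitchPort:
    pvid: Optional[int] = None                        # untagged VLAN, if any
    tagged: frozenset = field(default_factory=frozenset)  # tagged VLAN IDs

    def members(self) -> set:
        return ({self.pvid} - {None}) | set(self.tagged)

    def egress(self, vlan: int) -> Optional[Frame]:
        """Frame put on the wire for traffic in `vlan`, or None if not a member."""
        if vlan == self.pvid:
            return Frame(vlan, None)
        if vlan in self.tagged:
            return Frame(vlan, vlan)
        return None

    def ingress(self, frame: Frame) -> Optional[int]:
        """VLAN assigned to a frame received from the wire (None = dropped)."""
        if frame.tag is None:
            return self.pvid                   # untagged -> native VLAN, if set
        return frame.tag if frame.tag in self.tagged else None  # ingress filter


@dataclass
class UtmPort:
    static: bool = False                              # "Ethernet Static" on ethX
    vlan_ids: frozenset = field(default_factory=frozenset)  # "Ethernet VLAN" ethX.<id>

    def receive(self, frame: Frame) -> bool:
        """True if some logical interface on this ethX accepts the frame."""
        if frame.tag is None:
            return self.static
        return frame.tag in self.vlan_ids


def working_vlans(sw: SwitchPort, utm: UtmPort) -> set:
    """VLANs that pass switch -> UTM and whose reply passes UTM -> switch."""
    ok = set()
    for vlan in sw.members():
        frame = sw.egress(vlan)
        if frame is None or not utm.receive(frame):
            continue
        reply = Frame(vlan, frame.tag)         # UTM answers on the same interface
        if sw.ingress(reply) == vlan:
            ok.add(vlan)
    return ok


def scenario_results() -> dict:
    """The four pairings discussed in the thread (VLAN 10 = VoIP, 20 = data)."""
    untagged20 = SwitchPort(pvid=20)
    tagged_10_20 = SwitchPort(tagged=frozenset({10, 20}))
    both_vlans = UtmPort(vlan_ids=frozenset({10, 20}))
    return {
        "static_vs_untagged": working_vlans(untagged20, UtmPort(static=True)),
        "static_vs_tagged": working_vlans(tagged_10_20, UtmPort(static=True)),
        "vlan_vs_untagged": working_vlans(untagged20, both_vlans),
        "vlan_vs_tagged": working_vlans(tagged_10_20, both_vlans),
    }


def cutover(utm_after: UtmPort, mgmt_vlan: int = 20) -> list:
    """Is WebAdmin (reached over mgmt_vlan) still reachable at each step?

    Step order follows the thread: reconfigure the UTM first, then the switch.
    """
    sw_before = SwitchPort(pvid=mgmt_vlan)                    # untagged port
    sw_after = SwitchPort(tagged=frozenset({10, mgmt_vlan}))  # tagged port
    plan = [
        ("before", sw_before, UtmPort(static=True)),
        ("utm reconfigured", sw_before, utm_after),
        ("switch reconfigured", sw_after, utm_after),
    ]
    return [(name, mgmt_vlan in working_vlans(sw, utm)) for name, sw, utm in plan]


if __name__ == "__main__":
    for name, vlans in scenario_results().items():
        print(f"{name:20s} -> {sorted(vlans) or 'nothing passes'}")
    print("no fallback:  ", cutover(UtmPort(vlan_ids=frozenset({10, 20}))))
    print("with fallback:", cutover(UtmPort(static=True, vlan_ids=frozenset({10, 20}))))
```

Running it shows why the mismatched pairings are dead links: a static UTM interface behind a tagged-only switch port and a VLAN-only interface behind an untagged port both yield an empty set, while the two matched pairings carry exactly the VLANs configured on both ends. The cut-over replay also makes the lock-out window visible: with only ethX.10 and ethX.20 on the UTM, WebAdmin is unreachable between the UTM change and the switch change, whereas keeping a static address on the same ethX as a temporary fallback keeps it reachable through every step.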