
How to set up VLANs - terminology and process

Hello,

I'm sure this will be very simple once I understand Sophos nomenclature, but until then I'm dead in the water.

I have a very simple network setup - the Sophos UTM SG115w provides DHCP, DNS and Layer 3 routing, and a managed Cisco SG300 in layer 2 mode handles the traffic.  VLANs are assigned on the SG300 by port.

I want to set up 8 VLANs in the Sophos, including the default untagged VLAN.  Unfortunately, I already designated the desired gateway for the default VLAN as the default gateway that was AUTO CREATED DURING INSTALLATION, so it might as well be... I don't know, but it's not usable.

I started by creating a new Ethernet VLAN interface called Printers.Scanners, assigned it to interface eth0, tagged as VLAN 15, with an IP address of 1.2.3.1 and a netmask of 255.255.255.240.  Then, I go to DHCP and create a new scope, assign it to interface Printers.Scanners, and it auto-populates with an IP range from 1.2.3.1 to 1.2.3.14, with a DNS and gateway of 1.2.3.1!

Now, I know that if I want the gateway to be static, the range needs to start with .2.  So why does the Sophos start with .1?  When I go to Network Definitions, however, the scope has been "treated" properly - there are 3 entries for Printers.Scanners, address 1.2.3.1, broadcast 1.2.3.15 and network 1.2.3.0/28.  When I create the Ethernet VLAN interface, should I be checking the default GW box and listing the .1 address as the default gateway?  Because the DHCP scope automatically lists the .1 address as the default gateway and the DNS server, but the explanation for checking the default GW box in the Ethernet VLAN interface settings seems to indicate that the default GW only applies to the AUTO CREATED DURING INSTALLATION gateway.

5 of the VLANs are wireless - 4 will use the SG115 and 1 will use a non-Sophos access point.  I know that I need to bridge those 4 wireless interfaces to the default interface, eth0, but if I can't understand how to set up the wired VLANs, it's probably not a good idea to set up the bridges just yet.

Also, I'd like to aggregate eth2 with eth0 to increase LAN bandwidth, but that seems unwise as well.  Lastly, I'll be converting the HA port, eth3, to a backup WAN port.

Neither the knowledge base nor the internet explains this in a way that's understandable, and I've been on hold with customer support for over 2 hours on 3 different occasions without ever speaking to someone, so I'm lost.

Thanks in advance for your reply!

  • Not sure that I'll be much help but I'll throw in my 2c :)

    I have a similar setup.  SF300 running in layer 2 with a few VLANs configured.  Within Sophos, you're doing the correct thing which is to create those Ethernet VLANs and tag the VLAN number and I've never (yet I guess) run into a situation where you want to check that IPv4 Default Gateway box.  I believe doing so is going to get you into the world of Multipath Rules.

    Also the gateway doesn't have to be .1, in reality it could be anything.  Mine started as 172.30.1.1 as I was using a Cisco Catalyst 3560G doing the routing and UTM at 172.30.1.2.  I've ripped that out and now 172.30.1.2 is my default gateway.  The key here is whatever IP address you enter when creating the VLAN Interface becomes the default gateway for that VLAN and Sophos will handle the routing for you when you create a DHCP scope.

    I hope that helps, if not I apologize :)

  • Hi, and welcome to the UTM Community!

    If Wayne's comment didn't help you solve your problem, please insert a picture of your 'Interfaces' tab.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Wayne,

    Thank you for the suggestion.  My apologies if this is a double post; I responded yesterday but don't see it here.

    You are absolutely correct, the only time Default Gateway comes into play is with WAN interfaces.

    It's curious to me that the UTM includes the gateway in the DHCP scope when auto-populating the interface IP range, but I just changed the range to start with .2 and everything is fine.  That does seem to preclude assigning a static IP to the gateway since it will be outside the scope, but I can explore that later.

    It turns out that the UTM is VLAN-aware, but cannot assign VLAN tags itself.  However, it will respond to the VLAN tag from the SG300 by assigning IPs from the scope assigned to that tag.

    Cheers,

    Brian
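The subnet arithmetic behind this exchange (the /28 on the Printers.Scanners interface, the .1 gateway, and why the auto-populated scope of .1 to .14 needed to start at .2) can be checked before the scope is saved. The script below is an added example written for this thread; it is not Sophos code and does not talk to the UTM. It only derives the network, broadcast and gateway from the interface address and netmask the way the Network Definitions tab shows them, then picks the largest contiguous block of usable hosts that avoids the gateway and any other addresses you want kept static (the `reserved` parameter is an assumption of this example, matching the wish above to leave room for static assignments). It goes slightly beyond the thread in handling a gateway placed anywhere in the subnet, not just at .1.

```python
import ipaddress
from typing import Iterable


def plan_vlan_dhcp(interface_ip: str, netmask: str, reserved: Iterable[str] = ()) -> dict:
    """Derive network, broadcast, gateway and a DHCP pool for a VLAN interface.

    interface_ip / netmask are what you typed on the Ethernet VLAN interface
    (e.g. 1.2.3.1 / 255.255.255.240).  The interface IP is the gateway for
    the VLAN, so it must never be inside the DHCP pool handed out on it.
    `reserved` is an example-only list of extra addresses to keep out of the
    pool (static printers, etc.).
    """
    iface = ipaddress.ip_interface(f"{interface_ip}/{netmask}")
    net = iface.network
    gateway = iface.ip
    if gateway in (net.network_address, net.broadcast_address):
        raise ValueError(f"{gateway} is the network or broadcast address of {net}")

    excluded = {gateway} | {ipaddress.ip_address(a) for a in reserved}

    # Split the usable host range into contiguous runs that skip every
    # excluded address, then hand out the longest run as the pool.
    runs, current = [], []
    for host in net.hosts():
        if host in excluded:
            if current:
                runs.append(current)
            current = []
        else:
            current.append(host)
    if current:
        runs.append(current)
    if not runs:
        raise ValueError(f"no addresses left in {net} for a DHCP pool")
    pool = max(runs, key=len)

    return {
        "network": str(net),                      # 1.2.3.0/28
        "broadcast": str(net.broadcast_address),  # 1.2.3.15
        "gateway": str(gateway),                  # 1.2.3.1 (also DNS on the UTM)
        "pool_start": str(pool[0]),               # 1.2.3.2
        "pool_end": str(pool[-1]),                # 1.2.3.14
    }


def pool_contains_gateway(pool_start: str, pool_end: str, gateway: str) -> bool:
    """True when a scope range (as auto-populated) still includes the gateway."""
    start, end, gw = (ipaddress.ip_address(a) for a in (pool_start, pool_end, gateway))
    return start <= gw <= end


if __name__ == "__main__":
    # Values from the thread: constructed input, not taken from a live UTM.
    plan = plan_vlan_dhcp("1.2.3.1", "255.255.255.240")
    for key, value in plan.items():
        print(f"{key:10} {value}")
    # The auto-populated scope started at .1, which is the gateway itself.
    print("auto scope includes gateway:", pool_contains_gateway("1.2.3.1", "1.2.3.14", plan["gateway"]))
    print("fixed scope includes gateway:", pool_contains_gateway(plan["pool_start"], plan["pool_end"], plan["gateway"]))
```

Running it with the thread's values prints the same network and broadcast that appear under Network Definitions and a pool of 1.2.3.2 to 1.2.3.14, confirming the change Brian made; passing addresses in `reserved` shrinks the pool further so those hosts can be given static IPs on the same VLAN.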

  • Thanks, Bob.  The overall issue was that I was attempting to do something that can't be done - assign a VLAN-type interface to a WLAN network.  I've learned that the virtual SSID interfaces function as virtual LANs.