
Best Practice Configuration for UTM VM with multiple internal LAN connections

Hello all, I'm new to both these forums and Sophos UTM so please point me in the right direction if this is not the best place for this post.

We currently have a UTM 9 virtual appliance running on vSphere 5.5 with two NICs attached to the VM - 1 WAN and 1 LAN.  The LAN is a typical VMX3 connection which is configured for a specific internal VLAN via vCenter. (eg. VLAN 100 / 192.168.1.0/24)

I have the need to add an additional 'DMZ' network and was thinking of the following configuration:

  • New private VLAN for DMZ network (eg. VLAN 200 / 192.168.2.0/24)
  • Add a third NIC to the VM, bound to the VLAN 200 network
  • Using the UTM interface, provision the additional interface with an appropriate IP address
  • Add rules and policies

I have added the VMDMZNetwork in vSphere and tagged it to the necessary VLAN and added a third NIC to the virtual appliance linked to the VMDMZNetwork.

What I'm expecting to happen is that the machine will see the additional interface as a physical interface and let me configure this as a type Ethernet, assign an IP address and away I go.  Currently though, from the UTM 9 console, the Hardware tab only shows the WAN and LAN interfaces I already have.

  1. Is there something else I need to do at the VM level for it to detect this new interface?
  2. Is this the best practice way of going about adding an additional 'leg' to my UTM?

Any help greatly appreciated.

  • Hi, Peter, and welcome to the UTM Community!

    If I understand what you want to do, I think you don't need an additional virtual NIC.  You already have defined an Interface with type "Ethernet VLAN" for your LAN on one NIC, why not just add an Interface of the same type in WebAdmin for the DMZ on the same NIC?

    If you do want to use the additional NIC and it's VMXNET3 like the first two, then you just need to reboot the UTM.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob and thank you for your response.

    The current interface that is defined is just "Ethernet", not "Ethernet VLAN"; from what I understand, the VMWare side of things is handling the VLAN tagging on that NIC.

    If it is a simple reboot then I surmised as much - will sort out an outage window and try a reboot.  I was actually hoping that the UTM would auto-detect an additional hot-add NIC or perhaps there was some command to run within the console to detect NIC changes.

    Cheers,

    Peter


  • There's no such command or hot-add capability - definitely not plug-n-play.  If you want to add a NIC of a different type, you must reload from ISO in order for the VM to even have a driver for it.  You might want to add another NIC now just as a precaution.

    Cheers - Bob

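The plan from the opening post (a VLAN 200 port group, a third NIC bound to it, then provisioning in WebAdmin) can be done from the vSphere side with PowerCLI. The script below is an added example written for this page; it is not from the thread, from Sophos or from VMware. It assumes a standard vSwitch named vSwitch0, an ESXi host esx01.example.com, a vCenter vcenter.example.com and a VM named UTM9; only the port group name VMDMZNetwork and VLAN 200 come from the thread. It adds the NIC as VMXNET3 to match the existing adapters, which is the point Bob makes about driver availability, and it does nothing on the UTM itself, which per the thread will only list the new NIC after a reboot.

```powershell
# Added example (not from the thread): PowerCLI steps for the DMZ plan above.
# Requires VMware PowerCLI (Install-Module VMware.PowerCLI).
# Assumed names, not stated in the thread: adjust to your environment.
$vcenter   = 'vcenter.example.com'   # assumed
$esxHost   = 'esx01.example.com'     # assumed
$vSwitch   = 'vSwitch0'              # assumed standard vSwitch
$vmName    = 'UTM9'                  # assumed
$pgName    = 'VMDMZNetwork'          # port group name used in the thread
$dmzVlanId = 200                     # DMZ VLAN per the thread

Connect-VIServer -Server $vcenter | Out-Null

# 1. Port group tagged for the DMZ VLAN. The vSwitch inserts and strips the
#    802.1Q tag, so the UTM sees a plain untagged interface (type "Ethernet"),
#    the same way the existing LAN NIC is handled.
$vsw = Get-VirtualSwitch -VMHost $esxHost -Name $vSwitch
$pg  = Get-VirtualPortGroup -VirtualSwitch $vsw -Name $pgName -ErrorAction SilentlyContinue
if (-not $pg) {
    $pg = New-VirtualPortGroup -VirtualSwitch $vsw -Name $pgName -VLanId $dmzVlanId
}

# 2. Third NIC on the VM. Use the same adapter type as the existing WAN/LAN
#    NICs so the appliance already carries a driver for it.
$vm       = Get-VM -Name $vmName
$existing = Get-NetworkAdapter -VM $vm
$types    = $existing | Select-Object -ExpandProperty Type -Unique
if (@($types | Where-Object { $_ -ne 'Vmxnet3' }).Count -gt 0) {
    Write-Warning "Existing adapters are of type $($types -join ', '); match that type instead of mixing."
}
New-NetworkAdapter -VM $vm -NetworkName $pgName -Type Vmxnet3 -StartConnected -Confirm:$false | Out-Null

# 3. Check what the VM now has. Confirm the new adapter is connected and sits
#    on the DMZ port group only; then schedule the UTM reboot, after which the
#    NIC should appear under Interfaces & Routing > Interfaces > Hardware.
Get-NetworkAdapter -VM $vm |
    Select-Object Name, Type, NetworkName, MacAddress, ConnectionState |
    Format-Table -AutoSize

Disconnect-VIServer -Server $vcenter -Confirm:$false
```

If you take Bob's alternative instead (an "Ethernet VLAN" interface on the existing LAN NIC rather than a third adapter), the tagging moves from the vSwitch into the UTM, so the port group that NIC sits on must pass tagged frames through; on a standard vSwitch that means VLAN ID 4095 (Virtual Guest Tagging), and the existing LAN interface would then need to be redefined as an Ethernet VLAN interface too. In either design, verify after the reboot that the DMZ interface has only the DMZ address and that no firewall rule allows DMZ to LAN traffic beyond what you intend, since the new leg is only a separate security zone once the rules say so.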