
LAB-in-A-Box - Help with configuring UTM VM with multiple ESX vSwitch vLAN interfaces on the internal nic

Hello all,

Firstly, I would like to thank the Sophos team for providing us with a free UTM Home edition. It is one of the best fully featured FW appliances that is free, and I am so impressed by the drag and drop UI.

If possible I'm looking to expand the use of the UTM VM appliance to use the ESXi vSwitch Port Groups to create multiple VLANs to simulate typical DMZ scenarios as shown in the attached diagram.


Diagram updated : with the addition of eth2 (third interface) which now connects to the vSwitch trunk port and carries the port group tagged VLANs. 

Any help will be greatly appreciated for creating the basic fw rules to enable basic internet access through the WAN port.



  • Hi and welcome,

    with such a large series of requests, I would suggest you read the knowledge base and start experimenting.

    The basic premise of the UTM is nothing passes unless you provide a rule, so everything is blocked.

     

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks for your post. Yes, you are right, I am beginning to understand that in a FW everything is blocked by default. I have figured that out by playing around with the rules.

    I later realized that it would not be possible to configure multiple VLANs using the VMware port group as a trunk (4095) and be able to do inter-VLAN routing without an L3 switch/router device. So I am thinking of adding a virtual router such as vyatta and configuring one interface as a trunk port and connecting it to the internal UTM interface. But I am not quite sure if that will do the job.

  • Hi,

    the next trick is MASQ/NAT for each interface.

     

    Ian


  • 1st rule was configured by the configuration wizard.

    Added a Masquerading Rule to allow traffic from VLAN 199 to access the internet.

    1st rule is created to turn off the FW but this did not work

    2nd rule added LabNet-MGT vlan 199 but this does not seem to work

    I can ping the WAN IP and also my home router gateway from a VM residing on vlan 199 but can't seem to get the traffic to flow through.

  • Hi,

    the masq rules are internal network -> external interface

    Not sure what you mean by turning the firewall off; the firewall is off by default. Your first rule will apply and nothing will get to the next rule. You need a rule for each network and an associated masq/NAT rule.

    Your first rule looks quite dangerous, e.g. anyone anywhere using any protocol can use your firewall as a proxy. UTM rules for outgoing traffic are basically internal network -> any (protocol) -> any network -> allow -> log

     

    IAN


  • Hi Ian,

    What I meant by firewall off is: allow all traffic through. I created that rule for testing whether the VMs on each of the VLANs are able to get out to the internet and/or communicate with each other.

    I have done what you suggested. I have a NAT rule as well as a FW rule to allow all traffic, but for some strange reason traffic is being blocked. The rules only seem to be working for the internal interface which was created when I installed the UTM.

    I have disabled all the Wizard created FW rules and switched on just one rule.

    Traffic is being blocked - 192.168.199.2 is the VM and 192.168.199.1 is the vlan interface IP (Gateway)

    I changed the priority of the LABNet-MGMT NAT rule

    I can do a tracert to my home router but DNS is being blocked. I'm confused as to what is blocking traffic from the VLAN interface?
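Added example, not from the original thread: the quickest way to answer "what is blocking traffic from the VLAN interface" on a UTM is to read /var/log/packetfilter.log, which records every dropped packet as key="value" pairs. The script below parses lines in that style and groups the drops by ingress interface, source, protocol and destination port, so the symptom described above (ICMP gets through, DNS does not) shows up as a single row. The sample lines are constructed for this example; the interfaces, addresses and rule IDs in them are invented, and the "likely cause" mapping is a heuristic written for this thread, not a UTM diagnostic.

```python
"""Summarise dropped packets from UTM-style packetfilter.log lines.

Added example, not from the original thread. The log lines below are constructed
in the key="value" style that Sophos UTM's /var/log/packetfilter.log uses; every
value in them (interfaces, addresses, rule IDs, timestamps) is invented.
"""
import re
from collections import Counter

# Matches one key="value" field; the timestamp and "ulogd[pid]:" prefix do not match.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}

# Constructed sample: two DNS queries to the VLAN gateway and one to 8.8.8.8 dropped,
# one ICMP echo to the home router accepted (the "can ping but no DNS" symptom).
SAMPLE_LOG = """\
2016:03:01-10:15:01 utm ulogd[3214]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2.199" srcip="192.168.199.2" dstip="192.168.199.1" proto="17" length="61" ttl="64" srcport="51023" dstport="53"
2016:03:01-10:15:01 utm ulogd[3214]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2.199" srcip="192.168.199.2" dstip="8.8.8.8" proto="17" length="61" ttl="64" srcport="51024" dstport="53"
2016:03:01-10:15:02 utm ulogd[3214]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" initf="eth2.199" outitf="eth1" srcip="192.168.199.2" dstip="192.168.1.1" proto="1" length="84" ttl="64" type="8" code="0"
2016:03:01-10:15:05 utm ulogd[3214]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2.199" srcip="192.168.199.2" dstip="192.168.199.1" proto="17" length="61" ttl="64" srcport="51025" dstport="53"
"""


def parse_line(line):
    """Return the key="value" fields of one ulogd line as a dict."""
    return dict(KV_RE.findall(line))


def summarise_drops(text):
    """Count dropped packets per (ingress interface, source IP, protocol, destination port).

    Returns a dict such as {('eth2.199', '192.168.199.2', 'udp', '53'): 3}.
    """
    counts = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("action") != "drop":
            continue
        proto = PROTO_NAMES.get(f.get("proto", ""), f.get("proto", "?"))
        counts[(f.get("initf"), f.get("srcip"), proto, f.get("dstport", "-"))] += 1
    return dict(counts)


def likely_cause(summary):
    """Map each drop pattern to the UTM setting to check first.

    Heuristic written for this example, not UTM's own diagnostic: UDP/53 drops from a
    newly added VLAN are the symptom in this thread, fixed by adding the VLAN's network
    to Network Services > DNS > Global > Allowed Networks; anything else points at the
    source network of the packet filter rule.
    """
    hints = []
    for (itf, src, proto, dport), n in sorted(summary.items(), key=lambda kv: -kv[1]):
        if proto == "udp" and dport == "53":
            hints.append(f"{n} DNS queries from {src} on {itf} dropped: check DNS Allowed Networks for that network")
        else:
            hints.append(f"{n} {proto}/{dport} packets from {src} on {itf} dropped: check the firewall rule source network")
    return hints


if __name__ == "__main__":
    for hint in likely_cause(summarise_drops(SAMPLE_LOG)):
        print(hint)
```

On a live box the same script can be pointed at the real file (`tail -n 200 /var/log/packetfilter.log`) instead of the constructed sample; the row that dominates the summary is the one to fix first.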

  • Hi,

    looks like your IP range is not in the allowed network for vlan199.

    What does the vlan199 interface show?

     

    ian


  • Hi Ian, the addressing for the vlan 199 interface is as below:

    Update:

    I had to add LabNet-MGT network to the DNS Allowed Networks and that did the trick!

    Now that I have figured out how to control access to the internet for each of the subnets.

    I now need to learn the basics of how to configure the inter-VLAN FW and network traffic rules.

  • I did some testing. I disabled all NAT and FW rules and, to my surprise, once the VLAN is added to the global allowed networks for DNS, I was able to get out to the internet from the VM without needing any FW rules.

    Not sure what is going on?

  • Quick guess..... probably because you have the web proxy enabled?

  • You will understand Louis' comment when you read #2 in Rulz.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
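Two points from this thread are easier to see in code than in the UI: Ian's warning that an any/any/any allow rule at the top of the list shadows every rule after it and lets anyone use the firewall as a proxy, and Louis' and Bob's explanation that a transparent proxy (web filter, DNS with the network in its allowed list) handles traffic before the packet filter rules are consulted, which is why the VM got out with no FW rule at all. The model below is an added example, not Sophos code: it evaluates proxies first, then rules top-down with first match winning and an implicit drop at the end, and flags rules that can never match. The evaluation order is the simplified behaviour described in this thread; the rule sets, network ranges (e.g. 192.168.0.0/24 standing in for "Internal (Network)") and addresses are invented.

```python
"""Simplified model of UTM-style traffic evaluation: transparent proxies first,
then packet-filter rules top-down (first match wins), implicit drop at the end.

Added example, not Sophos code. Order of evaluation follows what this thread
describes; every rule, network and address below is invented for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    dport: int = 0    # 0 for protocols without ports


@dataclass(frozen=True)
class Rule:
    name: str
    src: str          # source network, CIDR
    proto: str        # "any", "tcp", "udp" or "icmp"
    dport: int        # 0 = any port
    dst: str          # destination network, CIDR
    action: str       # "allow" or "drop"

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and self.proto in ("any", f.proto)
                and self.dport in (0, f.dport))


# proxies: name -> (proto, port, allowed source networks). A flow a proxy
# intercepts is answered by the proxy and never reaches the packet filter.
Proxies = Dict[str, Tuple[str, int, List[str]]]


def proxy_handles(f: Flow, proxies: Proxies) -> Optional[str]:
    for name, (proto, port, nets) in proxies.items():
        if f.proto == proto and f.dport == port and any(ip_address(f.src) in ip_network(n) for n in nets):
            return name
    return None


def evaluate(f: Flow, rules: List[Rule], proxies: Proxies) -> Tuple[str, str]:
    """Return (verdict, decided_by) for one flow."""
    p = proxy_handles(f, proxies)
    if p:
        return "allow", f"proxy:{p}"
    for r in rules:                      # top-down, first match wins
        if r.matches(f):
            return r.action, r.name
    return "drop", "implicit default drop"


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never match because an earlier rule covers them entirely."""
    out = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if (ip_network(r.src).subnet_of(ip_network(earlier.src))
                    and ip_network(r.dst).subnet_of(ip_network(earlier.dst))
                    and earlier.proto in ("any", r.proto)
                    and earlier.dport in (0, r.dport)):
                out.append(r.name)
                break
    return out


# Invented rule sets. "Allow all (testing)" is the kind of rule Ian warned about.
RULES_TESTING = [
    Rule("Allow all (testing)", "0.0.0.0/0", "any", 0, "0.0.0.0/0", "allow"),
    Rule("LabNet-MGT out", "192.168.199.0/24", "any", 0, "0.0.0.0/0", "allow"),
]
RULES_PER_NETWORK = [
    Rule("Internal out", "192.168.0.0/24", "any", 0, "0.0.0.0/0", "allow"),
    Rule("LabNet-MGT out", "192.168.199.0/24", "any", 0, "0.0.0.0/0", "allow"),
]
# DNS proxy with VLAN 199 in its allowed networks, transparent web proxy without it.
PROXIES = {
    "dns": ("udp", 53, ["192.168.0.0/24", "192.168.199.0/24"]),
    "web": ("tcp", 80, ["192.168.0.0/24"]),
}

if __name__ == "__main__":
    dns = Flow("192.168.199.2", "192.168.199.1", "udp", 53)
    print(shadowed_rules(RULES_TESTING))            # ['LabNet-MGT out']
    print(evaluate(dns, RULES_TESTING, {}))         # allowed by the any/any rule
    print(evaluate(dns, [], PROXIES))               # allowed by the DNS proxy, no rule needed
    print(evaluate(Flow("192.168.199.2", "198.51.100.7", "tcp", 443), [], PROXIES))  # dropped
```

The last call is the practical caveat: once the proxies are accounted for, anything they do not intercept (HTTPS here, with no web proxy for that port in this model) still needs an explicit per-network allow rule plus its masquerading rule, which is exactly the "rule for each network" Ian described.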
  • Thanks Bob!

    I read through the Rulz's rules and found it quite informative, but I found it somewhat too advanced for my understanding. I have printed it out and will go through it.

    For the time being I decided to park the virtual UTM configuration for my lab use and tried PFSense, for which I found lots of blogs and tips that enabled me to configure it for the lab simulations I needed to do. But, as soon as I am done, I want to start getting the UTM to work because without a doubt it is far easier to create the FW rules.

    Cheers - Mike
