Hello!
I have a Sophos UTM version 9 (9.707-5), which is set up as a firewall and a VPN server for remote access.
On Interfaces & Routing > Interfaces, I have two ethernet interfaces, one "External (WAN)", and one "Internal".
Everything has been working great, but now I need to implement VLANs. For that, I've purchased a Mikrotik CRS-326 switch, on which I have configured the required VLANs.
The current network should now become VLAN 1 and the new VLANs will be VLAN 201, 203 and 204. And all the VLANs have to be isolated from each other (no inter-VLAN routing), only being able to access the Internet.
Now, I want to connect the trunk port on our switch to our UTM, but I'm not sure what is the best way to configure things on the UTM side, maintaining the VPN and the remote access. According to my research, I have to create each VLAN on Interfaces and Routing > Interfaces and choose the type Ethernet VLAN.
I have some questions that I hope the community is able to help me answer:
- Is there anything I have to setup, to prevent the VLANs from communicating with each other (having only internet access, without inter-vlan communication)?
- Do I have to change the interface type of the current 'Internal' interface from Ethernet to Ethernet VLAN and configure it as VLAN 1? If so, I would have to change all the firewall rules I have from/to 'Internal (Network)' to 'Internal VLAN 1', right? We want these rules to only apply to VLAN 1 and have users being able to vpn only into VLAN 1.
- The other VLANs users should only be able to access the internet from inside their respective VLAN. Is that configuration automatic, or would I need a firewall rule like Internal VLAN201 --> Internet?
Since this setup is being used in production, I would like to have a better understanding of what I need to do prior to starting to mess with it, even though I will clone this setup for testing purposes.
Thank you in advance for all the help you're able to provide!
Best regards
Hello Marco and welcome to the UTM Community!
In UTM, the configuration daemon automatically builds routes between all subnets defined on interfaces in WebAdmin. To allow inter-VLAN traffic, you would need one or more firewall rules.
Changing the Interface definition from "Ethernet" to "Ethernet VLAN" doesn't change the name of the Interface, so "Internal (Network)" will still work everywhere it's used.
Yes, you probably will need new firewall rules for any new Interface definitions. Don't forget about masquerading, Web Filtering, etc.
Cheers - Bob
PS You should be able to delete the other thread that looks to be a duplicate of this one.
Hello, Bob!
Thank you for your reply!
BAlfson said: In UTM, the configuration daemon automatically builds routes between all subnets defined on interfaces in WebAdmin. To allow inter-VLAN traffic, you would need one or more firewall rules.
Does the configuration daemon also automatically build routes between the subnets and the Internet?
And it doesn't allow inter-VLAN routing (which I don't want) unless I set up the appropriate firewall rules, right?
Are the firewall rules for Internet access from that subnet set up automatically, or do I have to set them up manually?
BAlfson said: Changing the Interface definition from "Ethernet" to "Ethernet VLAN" doesn't change the name of the Interface, so "Internal (Network)" will still work everywhere it's used.
This is great!
BAlfson said: Yes you probably will need new firewall rules for any new Interface definitions. Don't forget about masquerading, Web Filtering, etc.
When you create a new 'Ethernet VLAN' interface, does the configuration daemon build the necessary routes from that interface to the Internet? And does it also automatically set up the necessary firewall rules for that, or do I have to create them manually?
BAlfson said: PS You should be able to delete the other thread that looks to be a duplicate of this one.
I was unsure of what was the best place to post this question, so I also posted the other thread. I’m unable to find out how to delete that thread. Maybe I don’t have the necessary permissions to do that? Or I’m not seeing that option…
Thank you for all your help!
Hello Marco,
"Does the configuration daemon also automatically builds routes between the subnets and the Internet?"
Yes, but you must make a masquerading rule.
"And it doesn’t allow inter-VLAN routing (which I don’t want) unless I setup the appropriate firewall rules, right?"
Correct.
"Are the firewall rules for Internet access from that subnet set up automatically, or do I have to set them up manually?"
You must make them. Note that adding the new VLAN "(Network)" objects to 'Allowed Networks' in Web Filtering causes the config daemon to create Web Browsing rules automatically.
If you want to use Web Filtering for the new VLANs, you will be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests." If you would like me to send you this document, send me your email address via private message here.
"When you create a new ‘Ethernet VLAN’ interface, does the configuration daemon build the necessary routes from that interface to the Internet?"
Yes.
"And does it also automatically sets up the necessary firewall rules for that or do I have to create them manually?"
In addition to Web Filtering, automatic firewall rules can be selected when making NAT rules and VPNs. Other than those, you must create firewall rules.
Cheers - Bob
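Bob's answers above come down to three rules of thumb: routes between all interface subnets exist automatically, forwarding between them is dropped unless a firewall rule allows it, and a "VLAN -> Internet" rule (plus masquerading) does not open the VLANs to each other. The following script is an added example, not code from the thread or from Sophos: it models that first-match, default-drop behaviour for a planned rule set and audits it for unintended inter-VLAN forwarding before anything is touched on the production box. The subnets (10.0.1.0/24 for VLAN 1, 10.0.201.0/24, 10.0.203.0/24, 10.0.204.0/24 and an SSL VPN pool 10.242.2.0/24) are constructed sample data, and the "Internet" object is modelled as "any destination not in a locally attached subnet", which is a simplification of UTM's interface-bound Internet object. Masquerading/NAT is out of scope for the check.

```python
"""Added example, not code from the thread or from Sophos: a small model of
UTM-style first-match forwarding rules, used to audit a planned rule set for
unintended inter-VLAN forwarding.

Assumptions (not stated in the thread):
  * the subnets below are constructed sample data;
  * the "Internet" object is modelled as "any destination that is not in a
    locally attached subnet", which is why a rule such as
    'Internal VLAN201 (Network) -> Internet' does not open VLAN201 -> VLAN203;
  * packet-filter semantics are first match wins with an implicit default
    drop; masquerading/NAT is out of scope for this check.
"""
from ipaddress import ip_address, ip_network
from itertools import permutations

# Constructed sample addressing (the thread names the VLAN IDs but no subnets).
NETWORKS = {
    "Internal (Network)":         ip_network("10.0.1.0/24"),
    "Internal VLAN201 (Network)": ip_network("10.0.201.0/24"),
    "Internal VLAN203 (Network)": ip_network("10.0.203.0/24"),
    "Internal VLAN204 (Network)": ip_network("10.0.204.0/24"),
    "SSL VPN Pool":               ip_network("10.242.2.0/24"),
}


def is_internet(addr):
    """Assumption: 'Internet' = anything not inside a locally attached subnet."""
    return not any(addr in net for net in NETWORKS.values())


def matches(obj, addr):
    """Does a rule's source/destination object cover this address?"""
    if obj == "Any":
        return True
    if obj == "Internet":
        return is_internet(addr)
    return addr in NETWORKS[obj]


def forward_allowed(rules, src, dst):
    """First matching rule decides; with no match the packet is dropped."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if matches(rule["src"], src) and matches(rule["dst"], dst):
            return rule["action"] == "allow"
    return False


def audit_inter_vlan(rules, exempt=()):
    """Return (src_object, dst_object) pairs where a host in one local network
    could reach a host in another. Pairs listed in `exempt` are intended."""
    leaks = []
    for a, b in permutations(NETWORKS, 2):
        if (a, b) in exempt:
            continue
        # Probe with one host address from each subnet (.10 is arbitrary).
        src = NETWORKS[a].network_address + 10
        dst = NETWORKS[b].network_address + 10
        if forward_allowed(rules, src, dst):
            leaks.append((a, b))
    return leaks


# The rule set the thread works toward: each VLAN to the Internet only, and
# VPN users only into VLAN 1. Masquerading for each VLAN is a separate NAT rule.
RULES_OK = [
    {"src": "Internal (Network)",         "dst": "Internet",           "action": "allow"},
    {"src": "Internal VLAN201 (Network)", "dst": "Internet",           "action": "allow"},
    {"src": "Internal VLAN203 (Network)", "dst": "Internet",           "action": "allow"},
    {"src": "Internal VLAN204 (Network)", "dst": "Internet",           "action": "allow"},
    {"src": "SSL VPN Pool",               "dst": "Internal (Network)", "action": "allow"},
]
INTENDED = {("SSL VPN Pool", "Internal (Network)")}

# A common mistake: 'Any' as destination silently re-enables inter-VLAN routing.
RULES_BAD = [
    {"src": "Internal VLAN201 (Network)", "dst": "Any", "action": "allow"},
]

if __name__ == "__main__":
    print("VLAN201 -> 1.1.1.1   :", forward_allowed(RULES_OK, "10.0.201.10", "1.1.1.1"))
    print("VLAN201 -> VLAN203   :", forward_allowed(RULES_OK, "10.0.201.10", "10.0.203.10"))
    print("leaks (intended set) :", audit_inter_vlan(RULES_OK, INTENDED))
    print("leaks (bad rule)     :", audit_inter_vlan(RULES_BAD))
```

The audit is only as good as the object model: the script treats "Internet" as "not a local subnet", so if a real rule set uses "Any" or a broad network object as the destination, `audit_inter_vlan` reports every VLAN pair that object reaches, which is exactly the mistake to catch before cloning the setup into production.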
Thank you for your help, once again.
I have just another question:
I'm able to setup DNS and DHCP servers on the UTM, for the VLANs that will be used only for Internet access, right? Do they generate too much overhead on the UTM (these VLANs will be used for internet access, videoconferencing and access to remote systems on the Internet)? For VLAN1, we have a Windows Server DHCP and DNS servers, that we intend to keep on using.
BAlfson said: If you want to use Web Filtering for the new VLANs, you will be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests." If you would like me to send you this document, send me your email address via private message here.
That's great! Would you please send me a copy? I will send you my email address via private message, so you're able to email it to me.
Thank you for all your help and time, once again.
In UTM, Marco, VLAN1 is reserved for Wireless Protection.
You might also be interested in DNS best practice.
Thank you for all your help. And for the document on HTTP Proxy you sent me by email!
Since I'm not using wireless protection, is it possible to use VLAN1 as my main VLAN? Or is this not a good idea?
Is it better to simply use VLAN2 as my main VLAN and only allow access to Webadmin from this VLAN?
I would put the Windows Server's DHCP and DNS servers on this VLAN. For the guest VLANs, I would setup DHCP and DNS servers on the UTM. This is possible, right?
The other VLANs (guest) won't have access to the UTM Webadmin, unless I create some firewall rules for that, right?
Some other best practices:
UTM doesn't allow for multiple DNS servers, but you can follow the DNS Practices:
{VLAN2 devices} -> {Internal DNS server} -> UTM -> {External name server(s)}
Hey, Bob!
BAlfson said: WebAdmin access should be limited to a few, specific IPs, not an entire subnet. I also include my public IPs from offices including home. For times when I need to access from elsewhere, I include "BAlfson (User Network)" in 'Allowed Networks' for WebAdmin and Shell Access so that I can VPN in.
Do you have any tips on how to securely implement this access limitation, when some of the IPs on the remote locations are dynamic?
BAlfson said: If more than one person has administrator rights, then the "admin" account should be used as an emergency account with the password known only to one person. All WebAdmin accesses should be done using the individual's username.
Great idea! I will implement this.
BAlfson said: UTM doesn't allow for multiple DNS servers, but you can follow the DNS Practices: {VLAN2 devices} -> {Internal DNS server} -> UTM -> {External name server(s)}
This seems to be the perfect solution for the main VLAN (vlan2). For the guest VLANs, could I use an external DNS server, like Quad Nine or Cloudflare, with something like this?
{VLAN201 devices} -> {External name server(s)}
Another question: we have a Windows Server providing DHCP for what will become VLAN2, our main VLAN. Am I able to setup DHCP servers on the UTM, for each of the guest VLANs?
By the way, are you aware of any good best practices guide on how to setup VLANs on the UTM, so I'm able to better plan ahead?
Thank you for all your help.
"Do you have any tips on how to securely implement this access limitation, when some of the IPs on the remote locations are dynamic?" - Do you have remote users that should be playing around in WebAdmin? Do you mean private or public IPs?
Yes, you can do DHCP for VLANs with the UTM. Best practice for VLANs? - Just keep things as simple as possible.
Good luck, Marco - seems like you're learning quickly!
BAlfson said: "Do you have any tips on how to securely implement this access limitation, when some of the IPs on the remote locations are dynamic?" - Do you have remote users that should be playing around in WebAdmin? Do you mean private or public IPs?
Not really... It would be just for me, to access from the outside, should the need arise. The problem is, in some remote locations, the IPs are dynamic. Maybe, since I don't have fixed IPs, it would be safer to VPN into the LAN and then access WebAdmin, right?
BAlfson said: Best practice for VLANs? - Just keep things as simple as possible.
Great tip. I was going to ask you if I should mess around with the settings on Network Protection > Firewall > Advanced, but maybe it's better to leave them alone.
I have another two questions:
BAlfson said: Good luck, Marco - seems like you're learning quickly!
Thanks! I'm trying. For now, I'm reading what I can find to better understand everything and then I'll do some hands-on testing. And your help has been very important!
Thank you for your time!
Yes, Marco, VPN in to WebAdmin.
On the 'Advanced' tab, select 'FTP', 'IRC (with DCC)', 'PPTP' and 'Enable TCP window scaling'.
Yes, firewall rules. Disable 'Allow ICMP through gateway' and 'Gateway forwards pings'.
Only enable 'Default GW' for WAN connections.