This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Configuring VLANs without inter vlan routing on a UTM 9 in production

Hello!

I have a Sophos UTM version 9 (9.707-5), which is setup as a firewall and a VPN server for remote access.

On Interfaces & Routing > Interfaces, I have two ethernet interfaces, one "External (WAN)", and one "Internal".

Everything has been working great, but now I need to implement VLANs. For that, I've purchased a Mikrotik CRS-326 switch, on which I have configured the required VLANs.

The current network should now become VLAN 1 and the new VLANS will be VLAN 201, 203 and 204. And all the VLANs have to be isolated from each other (no inter VLAN routing), only being able to access the Internet.

Now, I want to connect the trunk port on our switch to our UTM, but I'm not sure what is the best way to configure things on the UTM side, maintaining the VPN and the remote access. According to my research, I have to create each VLAN on Interfaces and Routing > Interfaces and choose the type Ethernet VLAN.

I'm having some questions, that I hope the community is able to help me answer:

- Is there anything I have to setup, to prevent the VLANs from communicating with each other (having only internet access, without inter-vlan communication)?

- Do I have to change the interface type of the current 'Internal' interface from Ethernet to Ethernet VLAN and configure it as VLAN 1? If so, I would have to change all the firewall rules I have from/to 'Internal (Network)' to 'Internal VLAN 1', right? We want these rules to only apply to VLAN 1 and have users being able to vpn only into VLAN 1.

- The other VLANs users should only be able to access the internet from inside their respective VLAN. Is that configuration automatic, or would I need a firewall rule like Internal VLAN201 --> Internet?

Since this setup is being used in production, I would like to have a better understanding of what I need to do, prior to start messing with it. Even though I will clone this setup, for testing purposes Relaxed

Thank you in advance for all the help your able to provide!

Best regards



This thread was automatically locked due to age.
Parents
  • Olá Marco and welcome to the UTM Community!

    In UTM, the configuration daemon automatically builds routes between all subnets defined on interfaces in WebAdmin.  To allow inter-VLAN traffic, you would need one or more firewall rules.

    Changing the Interface definition from "Ethernet" to "Ethernet VLAN" doesn't change the name of the Interface, so "Internal (Network)" will still work everywhere it's used.

    Yes you probably will need new firewall rules for any new Interface definitions.  Don't forget about masquerading, Web Filtering, etc.

    Cheers - Bob
    PS You should be able to delete the other thread that looks to be a duplicate of this one.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello, Bob!

    Thank you for your reply!

    BAlfson said:
    In UTM, the configuration daemon automatically builds routes between all subnets defined on interfaces in WebAdmin.  To allow inter-VLAN traffic, you would need one or more firewall rules.

    Does the configuration daemon also automatically builds routes between the subnets and the Internet?

    And it doesn’t allow inter-VLAN routing (which I don’t want) unless I setup the appropriate firewall rules, right?

    Are the firewall rules for Internet access from that subnet set up automatically, or do I have to set them up manually?

    BAlfson said:
    Changing the Interface definition from "Ethernet" to "Ethernet VLAN" doesn't change the name of the Interface, so "Internal (Network)" will still work everywhere it's used.

    This is great!

    BAlfson said:
    Yes you probably will need new firewall rules for any new Interface definitions.  Don't forget about masquerading, Web Filtering, etc.

    When you create a new ‘Ethernet VLAN’ interface, does the configuration daemon build the necessary routes from that interface to the Internet? And does it also automatically sets up the necessary firewall rules for that or do I have to create them manually?

    BAlfson said:
    PS You should be able to delete the other thread that looks to be a duplicate of this one.

    I was unsure of what was the best place to post this question, so I also posted the other thread. I’m unable to find out how to delete that thread. Maybe I don’t have the necessary permissions to do that? Or I’m not seeing that option…

    Thank you for all your help!

    Best regards

  • Olá Marco,

         "Does the configuration daemon also automatically builds routes between the subnets and the Internet?"

    Yes, but you must make a masquerading rule

         "And it doesn’t allow inter-VLAN routing (which I don’t want) unless I setup the appropriate firewall rules, right?"

    Correct.

         "Are the firewall rules for Internet access from that subnet set up automatically, or do I have to set them up manually?"

    You must make them.  Note that adding the new VLAN "(Network)" objects to 'Allowed Networks' in Web Filtering causes the config daemon to create Web Browsing rules automatically.

    If you want to use Web Filtering for the new VLANs, you will be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests."  If you would like me to send you this document, send me your email address via private message here.

         "When you create a new ‘Ethernet VLAN’ interface, does the configuration daemon build the necessary routes from that interface to the Internet?"

    Yes

         "And does it also automatically sets up the necessary firewall rules for that or do I have to create them manually?"

    In addition to Web Filtering, automatic firewall rules can be selected when making NAT rules and VPNs.  Other than those, you must create firewall rules.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello, Bob!

    Thank you for your help, once again Relaxed

    I have just another question:

    I'm able to setup DNS and DHCP servers on the UTM, for the VLANs that will be used only for Internet access, right? Do they generate too much overhead on the UTM (these VLANs will be used for internet access, videoconferencing and access to remote systems on the Internet)? For VLAN1, we have a Windows Server DHCP and DNS servers, that we intend to keep on using.

    If you want to use Web Filtering for the new VLANs, you will be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests."  If you would like me to send you this document, send me your email address via private message here.

    That's great! Would you please send me a copy? I will send you my email address via private message, so you're able to email it to me.

    Thank you for all your help and time, once again.

    Best regards

  • In UTM, Marco, VLAN1 is reserved for Wireless Protection.

    You might also be interested in DNS best practice.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply Children
  • Hello, Bob!

    Thank you for all your help. And for the document on HTTP Proxy you sent me by email!

    Since I'm not using wireless protection, is it possible to use VLAN1 as my main vlan? Or is this not a good ideia?

    Is it better to simply use VLAN2 as my main VLAN and only allow access to Webadmin from this VLAN?

    I would put the Windows Server's DHCP and DNS servers on this VLAN. For the guest VLANs, I would setup DHCP and DNS servers on the UTM. This is possible, right?

    The other VLANs (guest) won't have access to the UTM Webadmin, unless I create some firewall rules for that, right?

    Thank you for all your help!

    Best regards

  • Some other best practices:

    • WebAdmin access should be limited to a few, specific IPs, not an entire subnet.  I also include my public IPs from offices including home.  For times when I need to access from elsewhere, I include "BAlfson (User Network)" in 'Allowed Networks' for WebAdmin and Shell Access so that I can VPN in.
    • If more than one person has administrator rights, then the "admin" account should be used as an emergency account with the password known only to one person.  All WebAdmin accesses should be done using the individual's username.

    UTM doesn't allow for multiple DNS servers, but you can follow the DNS Practices:

         {VLAN2 devices} -> {Internal DNS server} -> UTM -> {External name server(s)}

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hey, Bob!

    Thank you for your reply!

    WebAdmin access should be limited to a few, specific IPs, not an entire subnet.  I also include my public IPs from offices including home.  For times when I need to access from elsewhere, I include "BAlfson (User Network)" in 'Allowed Networks' for WebAdmin and Shell Access so that I can VPN in.

    Do you have any tips on how securely implement this access limitation, when some of the IP's on the remote locations are dynamic?

    If more than one person has administrator rights, then the "admin" account should be used as an emergency account with the password known only to one person.  All WebAdmin accesses should be done using the individual's username.

    Great ideia! I will implement this.

    UTM doesn't allow for multiple DNS servers, but you can follow the DNS Practices:

         {VLAN2 devices} -> {Internal DNS server} -> UTM -> {External name server(s)}

    This seems to be the perfect solution for the main VLAN (vlan2). For the guest VLANs, could I use an external DNS server, like Quad Nine or Cloudflare, with something like this?

    {VLAN201 devices} -> {External name server(s)}

    Another question: we have a Windows Server providing DHCP for what will become VLAN2, our main VLAN. Am I able to setup DHCP servers on the UTM, for each of the guest VLANs?

    By the way, are you aware of any good best practices guide on how to setup VLANs on the UTM, so I'm able to better plan ahead?

    Thank you for all your help.

    Best regards

  • "Do you have any tips on how securely implement this access limitation, when some of the IP's on the remote locations are dynamic?"  - Do you have remote users that should be playing around in WebAdmin?  Do you mean private or public IPs?

    Yes, you can do DHCP for VLANs with the UTM.  Best practice for VLANs? - Just keep things as simple as possible.

    Good luck, Marco - seems like you're learning quickly!

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello, Bob!

    Thank you for your reply!

    "Do you have any tips on how securely implement this access limitation, when some of the IP's on the remote locations are dynamic?"  - Do you have remote users that should be playing around in WebAdmin?  Do you mean private or public IPs?

    Not really...It would be just for me, to access from the outside, should the need arise. The problem is, in some remote locations, the IP's are dynamic. Maybe, since I don't have fixed IP's, it would be safer to VPN into the LAN and then access WebAdmin, right?

    Best practice for VLANs? - Just keep things as simple as possible.

    Great tip. I was going to ask you if I should mess around with the settings on Network Protection > Firewall > Advanced, but maybe it's better to leave them alone Smile

    I have another two questions:

    • if I enable ICMP on Network Protection > Firewall > ICMP, will it be possible to generate ICMP traffic to/from any VLAN? If so, users on the guest VLANs would be able to ping assets on the main network, right? Since I don't want this, I should leave this setting off and create firewall rules for the ICMP traffic I want to allow, right?

    • When creating a new Ethernet VLAN interface, there is an optional field to set an IPv4/IPv6 default Gateway. This interface will be the gateway of the VLAN. Should I fill this field in? Or should I leave it blank and just set this up on the DHCP server (to send it to the clients)?

    Good luck, Marco - seems like you're learning quickly!

    Thanks! I'm trying. For now, I'm reading what I can find to better understand everything and then I'll do some hands-on testing. And your help has been very important!

    Thank you for your time!

    Best regards

  • Yes, Marco, VPN in to WebAdmin.

    On the 'Advanced' tab, select 'FTP',  'IRC (with DCC)',  'PPTP' and 'Enable TCP window scaling'.

    Yes, firewall rules.  Disable 'Allow ICMP through gateway' and 'Gateway forwards pings'.

    Only enable 'Default GW' for WAN connections.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA