This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Configuring VLANs without inter vlan routing on a UTM 9 in production


I have a Sophos UTM version 9 (9.707-5), which is setup as a firewall and a VPN server for remote access.

On Interfaces & Routing > Interfaces, I have two ethernet interfaces, one "External (WAN)", and one "Internal".

Everything has been working great, but now I need to implement VLANs. For that, I've purchased a Mikrotik CRS-326 switch, on which I have configured the required VLANs.

The current network should now become VLAN 1 and the new VLANS will be VLAN 201, 203 and 204. And all the VLANs have to be isolated from each other (no inter VLAN routing), only being able to access the Internet.

Now, I want to connect the trunk port on our switch to our UTM, but I'm not sure what is the best way to configure things on the UTM side, maintaining the VPN and the remote access. According to my research, I have to create each VLAN on Interfaces and Routing > Interfaces and choose the type Ethernet VLAN.

I'm having some questions, that I hope the community is able to help me answer:

- Is there anything I have to setup, to prevent the VLANs from communicating with each other (having only internet access, without inter-vlan communication)?

- Do I have to change the interface type of the current 'Internal' interface from Ethernet to Ethernet VLAN and configure it as VLAN 1? If so, I would have to change all the firewall rules I have from/to 'Internal (Network)' to 'Internal VLAN 1', right? We want these rules to only apply to VLAN 1 and have users being able to vpn only into VLAN 1.

- The other VLANs users should only be able to access the internet from inside their respective VLAN. Is that configuration automatic, or would I need a firewall rule like Internal VLAN201 --> Internet?

Since this setup is being used in production, I would like to have a better understanding of what I need to do, prior to start messing with it. Even though I will clone this setup, for testing purposes Relaxed

Thank you in advance for all the help your able to provide!

Best regards

This thread was automatically locked due to age.
  • Yes, Marco, VPN in to WebAdmin.

    On the 'Advanced' tab, select 'FTP',  'IRC (with DCC)',  'PPTP' and 'Enable TCP window scaling'.

    Yes, firewall rules.  Disable 'Allow ICMP through gateway' and 'Gateway forwards pings'.

    Only enable 'Default GW' for WAN connections.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA