
Multiple WAN on Multiple VLAN

Hi,

I'm trying to configure a Sophos SG 210 UTM with 2 ISPs for different VLANs, which are defined on a Cisco L3 Catalyst 3650 switch.

I have connected the E5 of UTM to a Trunk port on Switch and allowed all the VLANs on it.

I created all the VLAN Interfaces on E5 in UTM

I created Firewall rules for every VLAN to allow each VLAN to use "Any" Service from "Any" Network

I created Masquerading rules for each VLAN to use the Uplink Interface (auto active - failover which gets created by uplink balancing)

I connected the default internal network (E0) to the VLAN2 (which I'd like to consider as Management Network)

I have a DHCP Server running on VLAN99 which is working perfectly fine (for IP assignments in each VLAN, the default gateway is the IP of that VLAN on switch)

Let's say VLAN99 is only for DHCP and it is not involved anywhere else.

All the VLANs would be able to connect to the Internet ONLY if I create a route on the switch "ip route 0.0.0.0 0.0.0.0 10.0.2.2" (there is no other route on the switch).

Situation 1:

I tried to create this route just so VLAN2 can reach the internet: "ip route 10.0.2.0 255.255.254.0 10.0.2.2". If only this route existed on the switch, then the internet won't work on VLAN2.

Similarly, if I created a route to send/receive the internet traffic from/to their respective VLAN IP on the UTM, the internet won't work on that VLAN; it only works when I send all the traffic to any one of the VLAN IPs or a physical internal interface on the UTM (such as 10.0.2.2 or 10.0.4.2 or 10.0.6.2, or any internal interface which is UP).

Why is that? Why can't I send the traffic of a different VLAN to the internet through the IP that belongs to that VLAN on the UTM?

Situation 2:

Since I have to use one of the virtual/physical interfaces to route all the data from the switch, let's say this route "ip route 0.0.0.0 0.0.0.0 10.0.2.2" sends all the data to the 10.0.2.2 port on the UTM when trying to go to the internet.

When I try to create a masquerading rule in which I want VLAN4 to connect to ISP 2 specifically, VLAN4 doesn't get any internet, because remember it has to go through 10.0.2.2, which is already connected to ISP 1.

The attached image would give an idea of my network.

What am I missing here?

Please help.



  • Hi, Mohd, and welcome to the UTM Community!

    I'm afraid I don't understand what you're trying to accomplish, nor where 10.0.2.2 is. Maybe a specific example would help us understand what you think should be obvious to us.

    Are you asking a question about what routes you should configure in the Catalyst?  Have you tried Multipath rules that bind specific traffic to an interface?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Thanks for the reply. Sorry if I am not clear; I am new to networking stuff and I may not know a lot of things.

    For your questions,

    1) 10.0.2.2 is a physical interface defined on E0 of UTM, also belongs to VLAN2 (10.0.2.0).

    2) Are you asking a question about what routes you should configure in the Catalyst? - Yes.

    3) Have you tried Multipath rules that bind specific traffic to an interface? - No, I have created masquerading rules.

    So what I'm trying to accomplish is that some of my VLANs route to the internet via WAN active/failover (where they can auto-switch from the high-priority WAN 1 to the low-priority WAN 2 in case WAN 1 goes down), and since WAN 2 will be left unused most of the time, I want a particular VLAN to reach the internet via WAN 2.

    I don't know if I should create any route on switch but what I have observed is this, unless I create a route on the switch (like 0/0 10.0.2.2 or 0/0 10.0.4.2 or so) I do not get any internet on any VLAN.

    So I created a route 0/0 10.0.2.2 on the switch.

    Now I go to the masquerading rule where VLAN4 was getting internet from the Uplink Interfaces (the active/failover one), and when I change it to WAN2, the internet stops working on VLAN4.

    I may have done this routing completely wrong. The firewall and masquerading rules are right in place.

    I believe my first problem is how the switch should be connected with the UTM so all the VLANs can pass through from the switch to E5. In my case I have created all the VLAN Virtual Interfaces on E5 and connected it to a trunk port on the switch which allows all VLANs on it.

    And the second problem is how to get Active / Failover WAN on few VLANs and a specific WAN on a particular VLAN.

    Also, currently the clients on every VLAN get the default gateway of that VLAN (which is defined on the L3 switch). I want the inter-VLAN traffic to be handled at the switch itself.

    Please let me know what is the correct configuration on the switch so I can easily switch the ISPs on any VLAN or put them in Active / Failover WAN thing at any time in future.

    Hope that makes it clear.

    Thanks.
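As an added illustration of the two situations above (a constructed model, not code from this thread, from Sophos or from Cisco): an L3 switch picks a next hop by destination-only longest-prefix match, so a route for 10.0.2.0/23 can never carry internet-bound packets, while a per-source uplink choice on the UTM (what Bob's Multipath suggestion amounts to) can still pin VLAN4 to WAN2 even though the switch hands everything to 10.0.2.2. The /23 masks for VLAN4 and VLAN6, the example addresses and the first-match rule order are assumptions.

```python
import ipaddress

# Constructed model of the thread's topology (assumption: every VLAN is a /23,
# with the UTM's VLAN-facing address at .2, as VLAN2 is in the question).
CONNECTED = {"10.0.2.0/23": "Vlan2", "10.0.4.0/23": "Vlan4", "10.0.6.0/23": "Vlan6"}

def lookup(static_routes, dst):
    """Destination-only longest-prefix match, the way the Catalyst routes.
    Returns the next hop (or the SVI name for a connected network), or None
    when no route covers the destination, i.e. the packet is dropped."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in list(CONNECTED.items()) + list(static_routes.items()):
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def situation1(internet_host="93.184.216.34"):
    """'ip route 10.0.2.0 255.255.254.0 10.0.2.2' only covers 10.0.2.0-10.0.3.255,
    so an internet destination matches nothing; a default route reaches the UTM."""
    subnet_only = {"10.0.2.0/23": "10.0.2.2"}
    default_only = {"0.0.0.0/0": "10.0.2.2"}
    return lookup(subnet_only, internet_host), lookup(default_only, internet_host)

def utm_uplink(multipath_rules, src):
    """Simplified model of binding traffic to an uplink by source network on the
    UTM (an assumption about the behaviour, not UTM code): the first rule whose
    source network contains src wins, otherwise uplink balancing's default
    'WAN1 (failover to WAN2)' applies."""
    src_ip = ipaddress.ip_address(src)
    for src_net, uplink in multipath_rules:
        if src_ip in ipaddress.ip_network(src_net):
            return uplink
    return "WAN1 (failover to WAN2)"

def situation2(internet_host="93.184.216.34"):
    """The switch sends every VLAN to the same next hop (destination-only), yet
    VLAN4 still leaves via WAN2 because the UTM decides by source network."""
    rules = [("10.0.4.0/23", "WAN2")]  # constructed: pin VLAN4 to the second ISP
    switch_hop = lookup({"0.0.0.0/0": "10.0.2.2"}, internet_host)
    return switch_hop, utm_uplink(rules, "10.0.4.50"), utm_uplink(rules, "10.0.6.50")
```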

  • OK, I think I now see what's happening and where you want to go.

    The first thing to understand with the UTM is that it can be "programmed" like a traditional router, but that's not the most elegant/effective way to configure it.  WebAdmin is a GUI that manipulates databases of objects and settings.  A single change in WebAdmin can cause the configuration daemon to rewrite hundreds of lines of the code that actually performs the functions of the UTM.

    For example, when you add a VLAN interface to the UTM, WebAdmin automatically creates routes between the network on the VLAN and all of the other networks defined on its interfaces.  If you want traffic to pass between the new VLAN and one or more of the other subnets in your LAN, you must make firewall rules to allow that if the traffic passes through the UTM.

    It appears that you have VLAN2 defined on both E0 and E5.  As mentioned in #3.1 in Rulz, this will cause routing conflicts.

    I don't know how you're configuring DHCP and DNS, but DNS best practice might help you.

    I don't understand why you have so many VLANs if you want all of the subnets to be able to communicate with each other.  If I were doing that, I would use a simple switch and configure DHCP to assign IPs with a netmask of 255.255.0.0.  Since you have each subnet on a different virtual Ethernet segment (VLAN), you probably do need some configuration in the Catalyst to allow inter-VLAN traffic, but doing that is not something that I can advise you on.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA