Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 3 replies
  • Subscribers 3 subscribers
  • Views 21760 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Multiple VLANs behind RED10/15 including GUEST-network

IngoPohlschneider

Hello
for branch offices we are using accesspoints that do local switching for each SSID to a separate VLAN.
Branches have a L3 switch installed that routes the local VLANs via the RED-interface of the HQ-UTM

HQ UTM has a static route pointing the remote VLANs via the L3 switch.
L3 switch does DHCP relay to HQ-DHCP servers (and for that requires an IP address in each VLAN)

So far so good :)


Trouble now is that we now need to deploy a GUEST-SSID in the remote offices with the following requirements:

  • no local routing between corporate and GUEST-VLANs
  • DHCP for GUEST-VLAN done by HQ-UTM

Problem is: L3 switch requires IP for DHCP relay but afaik automatically routes between its local networks once an IP is assigned to a VLAN therefore requirement one is broken


Any ideas how to solve this issue?

This affects multiple remote GUEST-SSIDs

Thanks for advice



This thread was automatically locked due to age.
  • 0

    Hi, Ingo, and welcome to the UTM Community!

    You should get your reseller and Sophos involved as I don't see a way to do this without a RED 50 instead of a RED 10/15.  That's the only way to wire a VLAN directly into a RED and make firewall rules between the VLANs.  If they demonstrate that it can work, please share the details here.

    However, an SG 105 with a six-year (2 x 3 years) Network Protection subscription is less expensive than a RED 50, so I think that would be a better solution.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Hello Balfson,

    did not go the Support-Way and decided to do a little experimenting with a RED10 I had in my office:


    Here is a working example config:

    UTM

    Interface type Ethernet - Hardware RED10 - IP 10.x.0.1/24

    Interface type Ethernet VLAN - Hardware RED10 - IP 192.168.x.1/24

    Static route: 10.x.0.0/16 via 10.x.0.2 (L3 Switch in branch)

    DHCP-range for Guest-VLAN interface of RED

    RED has WAN connected and LAN1 to Switch port 1/1

    Switch

    Port 1/1 is member of VLAN 1 and GUEST-VLAN. PVID is 1. Port is set to untag PVID and tag GUEST-VLAN

    Port 1/x has AP connected. Is member of all SSID VLANs (tagged) + untagged AP-Management-VLAN

    Switch routes between all SSID VLANs, AP-Management-VLAN and VLAN1. Does not route GUEST-VLAN
    DHCP relay for routed VLANs to HQ DHCP server

    This configuration works with the RED10 just fine. Also tested for network separation et cetera. Looks good to me. I also attached a schematic

    Maybe the only benefit of the RED50 is that VLANs can be directly assigned to the LAN-NICs of the RED? (not sure never used a RED50 yet. Always either RED10 or small UTM)

    Best greets

  • 0 in reply to IngoPohlschneider

    Thanks, Ingo, for sharing your results with us!

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML