
RED50 - VLAN and DHCP not working

I have an internal client VLAN (VLAN12) that I need to pass to a remote office.  I purchased a RED50 because the literature says it can handle VLANs.  Only, I've tried every which way that is suggested by the Sophos Community and I cannot get it to work.

 

VLAN12 works fine internally, but when I try to pass it over the RED50, I get nothing.  Hopefully, someone out there will be willing and able to give me a hand with this.

 

My current setup is as follows:

 

  • Windows Server 2012 R2 DHCP server (10.0.0.12) on a management vlan (VLAN1)
    • Client DHCP scope setup:
      • Address pool 10.0.12.1 – 10.0.12.200
      • Router 10.0.12.254
      • DNS server 10.0.0.12

 

  • Sophos SG310, UTM 9.409-9 (10.0.0.253)
    • Eth0 = Internal LAN (10.0.0.253)
    • Static route (gateway) - Internal interface and Client network to core switch
    • Firewall rule - Internal interface and Client network to Internal interface and Client network for Any service
    • Firewall rules - Internal interface and Client network to Anywhere for DNS, HTTP, HTTPS, etc
    • Multipath rule - Internal interface and Client network to Anywhere for Any service on the WAN interface

 

  • HP 3800 core switch (10.0.0.254), setup with:
    • Default gateway (10.0.0.253)
    • VLAN1 (10.0.0.254)
    • VLAN12 (10.0.12.254)
    • IP route for 0.0.0.0/0 with the gateway IP 10.0.0.253
    • VLAN12 has an IP helper address of 10.0.0.12

 

Port 1 on the core switch is untagged in VLAN1 and connects the DHCP server

Port 10 on the core switch is untagged in VLAN12 and connects a client PC to the network

Port 38 on the core switch is untagged in VLAN1 and connects to eth0 on the Sophos UTM

 

When I connect a PC to port 10 on the core switch, it gets an IP address from the Client scope on the DHCP server.  The PC can also connect to all other devices on both VLAN1 and VLAN12, as well as the internet.

 

Without me going into detail, I have tried setting up the RED50 in almost every conceivable manner, and none of the setups provide a connection back to the DHCP server.



  • Hi, and welcome to the UTM Community!

    VLAN 1 is reserved in the UTM for Wireless Security.  Please change that to some other tag and let us know if your RED problem persists.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob

     

    Thanks for the warm welcome.

     

    I'm in touch with the Sophos Senior Technical Team regarding the issue now.  Sophos support have confirmed the VLAN12 tag is getting to my RED50, but it is not being handled/passed through my UTM.

     

    I had read online about the VLAN1 Wireless reservation, but as I'm not tagging VLAN1, it shouldn't be an issue.  Should it?

    Also, it might be an idea for Sophos to make the Wireless VLAN ID changeable, as almost all switches have VLAN1 as the default VLAN.  And it's my guess that all but the most experienced network managers/engineers will just use the default, even though best practice is not to.  Unfortunately for me, I was unaware of this "best practice" and the network engineer that set our VLANs up never mentioned anything at the time.  If I HAVE to change it, I will, but it's a lot of downtime to schedule in, so I'd like to avoid it, if at all possible.

     

    All my servers and switches are untagged in VLAN1 and the UTM provides internet access, etc. without any problems.

     

    If and when I get a resolution to the issue, I will post it here for others' reference.

     

    Thanks, Dan

  • Looking forward to hearing the resolution, Dan - TIA.

    Your description of VLAN 1 makes me think that you mean an untagged VLAN, not one that's tagged with "1."  In any case, as long as no VLAN tagged "1" is visible to the UTM, there should be no problem.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
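Bob's point turns on what actually arrives on the wire: an untagged native VLAN and a frame carrying an 802.1Q tag with VID 1 are different things, and only the latter collides with the UTM's reserved wireless VLAN. The following is an added example, not code from the thread or from Sophos, that shows how to check this from a raw capture: it parses Ethernet II headers, walks any 802.1Q/802.1ad tags, and reports which VIDs were seen and whether a reserved VID (assumed here to be 1, per Bob's remark) appeared at all. The sample frames are constructed inline with made-up MAC addresses so the script runs offline; on a real box you would feed it the raw frame bytes from a capture on the interface facing the switch.

```python
import struct

TPID_8021Q = 0x8100   # customer VLAN tag (802.1Q)
TPID_8021AD = 0x88A8  # service VLAN tag (802.1ad / QinQ outer tag)


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet II header plus any stacked VLAN tags.

    Returns dst/src MACs, the list of VIDs (outermost first, empty if the
    frame is untagged) and the ethertype of the payload that follows.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    offset = 12
    vids = []
    while True:
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype in (TPID_8021Q, TPID_8021AD):
            # A tag is 4 bytes: TPID (already read) + TCI; a further
            # ethertype must follow it, so require 6 bytes from here.
            if len(frame) < offset + 6:
                raise ValueError("truncated VLAN tag")
            (tci,) = struct.unpack_from("!H", frame, offset + 2)
            vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VID
            offset += 4
        else:
            break
    return {"dst": dst.hex(":"), "src": src.hex(":"),
            "vids": vids, "ethertype": etype}


def vlan_summary(frames) -> dict:
    """Count frames per outermost VID; untagged frames are keyed by None."""
    counts = {}
    for f in frames:
        info = parse_frame(f)
        key = info["vids"][0] if info["vids"] else None
        counts[key] = counts.get(key, 0) + 1
    return counts


def reserved_vids_seen(frames, reserved=(1,)) -> list:
    """Return the sorted set of reserved VIDs that appear in any tag position.

    VID 1 is the default because the UTM keeps it for wireless security; a
    non-empty result means tagged traffic the firewall will not pass as a
    normal client VLAN is reaching the interface.
    """
    return sorted({v for f in frames for v in parse_frame(f)["vids"] if v in reserved})


def build_frame(dst: str, src: str, vids, ethertype: int, payload: bytes = b"") -> bytes:
    """Construct a test frame (hypothetical helper, used only for the sample below)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:
        hdr += struct.pack("!HH", TPID_8021Q, vid)  # priority 0, DEI 0
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed sample capture: one untagged ARP broadcast (native VLAN, no tag),
# two IPv4 frames tagged VLAN 12 (the client VLAN) and one tagged VLAN 1.
SAMPLE_FRAMES = [
    build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", [], 0x0806),
    build_frame("02:00:00:00:00:02", "02:00:00:00:00:01", [12], 0x0800, b"\x45" + b"\x00" * 19),
    build_frame("02:00:00:00:00:01", "02:00:00:00:00:02", [12], 0x0800, b"\x45" + b"\x00" * 19),
    build_frame("02:00:00:00:00:03", "02:00:00:00:00:01", [1], 0x0800, b"\x45" + b"\x00" * 19),
]

if __name__ == "__main__":
    print("frames per VID:", vlan_summary(SAMPLE_FRAMES))
    print("reserved VIDs seen:", reserved_vids_seen(SAMPLE_FRAMES))
```

The untagged ARP frame is counted under `None`, which is what "untagged in VLAN1" on the switch looks like to the UTM and is harmless; the frame carrying an explicit tag of 1 is the case Bob is warning about, and it is only that tagged case that `reserved_vids_seen` flags.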