
RED15w Connected but no VLAN Traffic

Hi Guys,

I have a Head Office with an SG230, a Dell 6248 (Layer 3), and a number of internal VLANs - all working fine.

  • Dell 6248 is the core router, VLANs 10, 11, 12, 13, 15 set up with interfaces (10.0.10.x, 10.0.11.x etc.), IP routing etc. and all working fine. 10.0.10.x is the network the corporate servers are on. 10.0.x.254 is the VLAN routing interface for each subnet/VLAN.
  • SG230 (10.0.10.250) all set up and working fine, email scanning, web protection etc.
  • SG230 under Interfaces and Routing - Static Routing: all Head Office VLANs -> Internal Interface, VLAN 50 (Site Office VLAN) -> Interface Sitename
  • VOIP phone system is on VLAN 999 - 192.168.1.x

Just added a new remote office for 4 workers and have set up a RED15w, Ubiquiti EdgeSwitch 24 (Layer 3 and PoE - needed PoE for Ubiquiti security cameras there), and 4 VOIP phones.

  • Internet is via ADSL2 modem, PPPoE and up and running (connection does have a static IP)
  • RED15w has been provisioned as Standard/Unified and an IP of 10.0.50.253 assigned during provisioning (used the wizard in the SG230)
  • It created a DHCP scope - and that seems to be assigning IPs to the machines and phones at the remote site. All PCs and phones are being assigned 10.0.50.x addresses with the RED15w assigned as gateway/DNS. I can also see active leases in the SG230 DHCP for those devices.
  • On the local machine I can mostly browse web pages, watch YouTube video and see usage on the RED connection on the SG230 dashboard.

PCs will not see server resources at Head Office (10.0.10.x), nor will VOIP phones connect to the phone system at Head Office (192.168.1.204), nor can any site workstation ping anything at Head Office.

So I thought it must be a routing issue and went ahead and created on the Ubiquiti EdgeSwitch: VLAN 50 (untagged on all PC and phone ports and the uplink to the RED15w), VLAN 10 (tagged on the RED15w port), VLAN 999 (tagged on the VOIP phone ports and tagged on the RED15w port). I also created the VLAN interfaces for routing on the Ubiquiti switch for each VLAN (10.0.10.252, 10.0.50.252 and 192.168.1.252 respectively).

But still no internal traffic going between the sites.

I'm missing something and not quite sure what it is - any advice or tips to get this site up and running?? I was thinking about putting a small RODC out there as well and sitting it on 10.0.50.1 to help with users logging in locally.

Any tips or advice would be GREATLY appreciated!!!

Cheers

David

  • Quick followup:

    From a workstation on-site I can actually ping the Internal Interface of the SG230 at Head Office - but can't get to the Dell switch on the same subnet.

    So workstation on-site (10.0.50.22, GW 10.0.50.253) - RED15 (10.0.50.253) - Internal Interface of SG230 at Head Office (10.0.10.250): pings fine.

    Workstation on-site (10.0.50.22, GW 10.0.50.253) - RED15 (10.0.50.253) - through tunnel - Dell 6248 VLAN 50 interface (10.0.50.254, also tried the VLAN 10 interface at 10.0.10.254): no pings :(

    Still looking for hints/tips :)

  • David, I would have to see a diagram to wrap my head around your topology.  Do you need a common VLAN on both sites?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Cheers Bob - give me an hour or so to knock up a quick diagram. Working from home today as I have a couple of flooring guys coming to give me some quotes ;)


  • OK, basic network diagram attached - hopefully the text is not too small? Let me know.

    Essentially all we want to do is:

    4 Win 10 workstations to connect to the corporate domain at Head Office, just like they do at Head Office (DC, Exchange, SharePoint etc. all on VLAN 10).

    4 VOIP phones that need to get to and from the phone system server at 192.168.1.204 (VLAN 999). Tested VOIP handsets on different subnets at Head Office and with the inter-VLAN routing there it works fine.

    Because we have a number of VLANs at Head Office to segregate network traffic I thought it was a 'no brainer' to simply set up a new VLAN (VLAN 50) for the new remote site, and the RED product literature brags about 'just plug it in and away you go' ;)

    I was thinking about putting an RODC at the site (10.0.50.1) and setting it up as a site in AD as well. A number of different users will rotate to the new site so it would allow them to log onto the PCs on-site locally - but the RODC would need to be able to communicate via the RED link as well.

    In my pre-Sophos days I was using a Cisco 5510 and crappy Netgear products using IPsec to do exactly this and it worked well.

    Any tips or hints would be extremely welcome - as it's starting to frustrate me ;)

     

    Images from UTM Screens:



    Let me know if you need any more info!


     

  • Adding some screenshots from the Dell 6248 at Head Office:

      [Screenshot: VLAN 50 setup - set up exactly the same as all the other internal VLANs for workstations]

      [Screenshot: VLAN 50 interface setup]

      [Screenshot: IP subnet bindings manually set up on switch]

      [Screenshot: VLAN routing summary]

      [Screenshot: VLAN route table]

      [Screenshot: default route]

    I am back at Head Office today and forgot to grab screenshots of the VLAN setup on the Ubiquiti EdgeSwitch at the site. But in essence I have set it up exactly the same in most regards.

    Ubiquiti switch: 10.0.51.1 - management on VLAN 1 (native)

    Added VLANs 10, 50 and 999

    VLAN interface set up for each new VLAN:

    VLAN 50 - 10.0.50.252

    VLAN 10 - 10.0.10.252

    VLAN 999 - 192.168.1.252

    Routing tables/summaries look OK with the relevant VLAN interface as the 'next hop' and the default route set to 0.0.0.0 -> 10.0.50.253 (NewSite interface on the UTM, which is pingable by all workstations on site).

    Untagged VLAN 50 on ports 1-8 and port 24 (uplink to the RED15w)

    Tagged VLAN 999 on ports 1-4 (VOIP phones) and port 24

    Tagged VLAN 10 on port 24

  • That's a lot to wrap my head around, even with all of the documentation.  I can tell that you're really good with Cisco, TCP/IP & networking, but that this is the first time you've configured using UTM WebAdmin...

    I probably would have configured VLAN Interfaces on the UTM and let it create all of the routing instead of having to create and keep track of static routes.  First, although I haven't tried it, I would bridge reds1 with eth0 and then define all of the VLANs on br0 - that might get the VLAN tags through the RED tunnel.

    Sorry I can't be of more help, David, but this would be at least a half-day consulting gig.

    Cheers - Bob

  • Bugger! Cheers Bob was hoping a glaringly obvious misconfigured route was the problem :(

    I've opened up a Support Case and pointed them to this thread - hopefully we can work out the issue ASAP ;)

  • Actually - hold the phone!

    On a hunch I set up 3 new interfaces on eth5 as Ethernet VLANs (VLAN 50, 999, 10), each with their own IPs (10.0.x.251 - where x is the VLAN number).

    I then bridged the RED NewSite interface with eth5.

    On my Dell Layer 3 switch I configured port 46 as a general port, UNTAGGED VLAN 50 and TAGGED VLANs 999 and 10, and patched it to eth5 on the UTM.

    Deleted and recreated the firewall rules on the UTM to:

    Source: Interface NewSite - Service: Any - Destination: Interface Internal

    Source: Interface Internal - Service: Any - Destination: Interface NewSite

     

    Now I can:

    Ping from the Head Office side of the network to not only the Ubiquiti switch's VLAN interfaces at the site office but also ping the VOIP phones and PCs directly as well.

    Ping from a site workstation to the Dell Layer 3 switch at Head Office.

    Site workstations appear to connect to the web via the RED, then the UTM. Tracerts show 10.0.50.253 as the hop before the ISP; this is the RED interface on the UTM.

    No one is currently at the site, I am about to drive over, but I can now dial the VOIP desk phones. Before it went straight to message bank - now they appear to be ringing from this end (will confirm).

    What I still can't do:

    Connect to any internal domain resources at Head Office.

    Connect to the desktop of site PCs via RDP.

    My ScreenConnect app on each desktop is not connecting back to our ScreenConnect server. Luckily I dropped TeamViewer on one of the workstations on site last Thursday; this is connecting and giving me access remotely to the site.

    Log onto workstations as any other user - no access to logon servers.

    I've run up an RODC here at the office, set it up as 10.0.50.1 and will take it out on-site with me.

    Will advise the outcome - but if anyone can let me know about the spoofed packets I am seeing it would be appreciated.

    I think I am now 3/4 of the way there ;)

    Cheers

    David
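The thread turns on two things a practitioner would check before opening a support case: that every VLAN is carried the same way (untagged or tagged) on both ends of each trunk that the bridged RED tunnel now joins, and how many layer-3 interfaces end up sharing each subnet once the EdgeSwitch SVIs (10.0.x.252), the RED interface (10.0.50.253), the new eth5 VLAN interfaces (10.0.x.251) and the Dell 6248 (10.0.x.254) are all in play. The script below is an added example, not code from the thread, Sophos, Ubiquiti or Dell; its topology tables are constructed from the addresses and port assignments David posted (the "misconfigured PC" host entry is invented to show a failing check), and the three check functions are the editor's, not vendor tooling. It runs offline and only reads the inline data.

```python
"""Offline sanity checks for a bridged-VLAN remote-site plan.

Added example, not code from the thread, Sophos, Ubiquiti or Dell.  The
topology data below is constructed from the configuration described in the
thread; adjust it to your own site before trusting the output.
"""
import ipaddress
from collections import defaultdict

# Each link lists what the two facing ports expect.  Both links are the final
# configuration from the thread: EdgeSwitch port 24 -> RED15w, and UTM eth5 ->
# Dell 6248 port 46 once the RED interface was bridged to eth5.
LINKS = [
    {"name": "EdgeSwitch port 24 <-> RED15w",
     "a": {"untagged": {50}, "tagged": {10, 999}},
     "b": {"untagged": {50}, "tagged": {10, 999}}},
    {"name": "UTM eth5 <-> Dell 6248 port 46",
     "a": {"untagged": {50}, "tagged": {10, 999}},
     "b": {"untagged": {50}, "tagged": {999, 10}}},
]

# Every layer-3 interface the thread mentions, as (device, vlan, address/prefix).
L3_INTERFACES = [
    ("Dell 6248", 50, "10.0.50.254/24"),
    ("UTM reds (RED15w)", 50, "10.0.50.253/24"),
    ("EdgeSwitch SVI", 50, "10.0.50.252/24"),
    ("UTM eth5 vlan50", 50, "10.0.50.251/24"),
    ("UTM internal eth0", 10, "10.0.10.250/24"),
    ("Dell 6248", 10, "10.0.10.254/24"),
    ("EdgeSwitch SVI", 10, "10.0.10.252/24"),
    ("UTM eth5 vlan10", 10, "10.0.10.251/24"),
    ("EdgeSwitch SVI", 999, "192.168.1.252/24"),
    ("UTM eth5 vlan999", 999, "192.168.1.251/24"),
]

# Hosts as (name, address/prefix, default gateway).  The third entry is a
# constructed, deliberately wrong host to show what a failed check looks like.
HOSTS = [
    ("site PC", "10.0.50.22/24", "10.0.50.253"),
    ("site RODC (planned)", "10.0.50.1/24", "10.0.50.253"),
    ("misconfigured PC", "10.0.50.30/24", "10.0.10.254"),
]


def _mode(end, vlan):
    """How one end of a link carries a VLAN: untagged, tagged or absent."""
    if vlan in end["untagged"]:
        return "untagged"
    if vlan in end["tagged"]:
        return "tagged"
    return "absent"


def check_link_tagging(links):
    """Return (link name, [(vlan, mode_a, mode_b)]) for links whose ends disagree.

    A VLAN untagged on one end and tagged on the other is dropped or lands in
    the wrong VLAN; it is the first thing to rule out on any trunk.
    """
    findings = []
    for link in links:
        vlans = set().union(*(link[e][m] for e in ("a", "b") for m in ("untagged", "tagged")))
        bad = [(v, _mode(link["a"], v), _mode(link["b"], v))
               for v in sorted(vlans) if _mode(link["a"], v) != _mode(link["b"], v)]
        if bad:
            findings.append((link["name"], bad))
    return findings


def check_shared_subnets(interfaces):
    """Return {(vlan, subnet): [(device, ip), ...]} for subnets with >1 router.

    Several layer-3 interfaces in one subnet is not wrong by itself, but once a
    VLAN is bridged between sites every extra router is another possible path.
    If outbound and return traffic take different paths through a stateful
    firewall, the firewall sees only half the flow and drops the rest.
    """
    by_subnet = defaultdict(list)
    for device, vlan, cidr in interfaces:
        iface = ipaddress.ip_interface(cidr)
        by_subnet[(vlan, str(iface.network))].append((device, str(iface.ip)))
    return {key: members for key, members in by_subnet.items() if len(members) > 1}


def check_host_gateways(hosts, interfaces):
    """Return (host, reason) for hosts whose gateway is off-subnet or unknown."""
    known = {ipaddress.ip_interface(c).ip for _, _, c in interfaces}
    problems = []
    for name, cidr, gw in hosts:
        host = ipaddress.ip_interface(cidr)
        gw_ip = ipaddress.ip_address(gw)
        if gw_ip not in host.network:
            problems.append((name, f"gateway {gw} is not in {host.network}"))
        elif gw_ip not in known:
            problems.append((name, f"gateway {gw} is not a known layer-3 interface"))
    return problems


if __name__ == "__main__":
    print("tagging mismatches:", check_link_tagging(LINKS))
    for (vlan, net), members in sorted(check_shared_subnets(L3_INTERFACES).items()):
        print(f"VLAN {vlan} {net}: {len(members)} routers -> {members}")
    print("host gateway problems:", check_host_gateways(HOSTS, L3_INTERFACES))
```

With the thread's data the tagging check is clean, which matches the point where David could finally ping across the bridge, while the shared-subnet check reports four routers in 10.0.50.0/24 and two or more in each of the other bridged VLANs. That output is a list of questions, not a verdict: for each subnet, decide which single device is the gateway the hosts and the return path both use, and remove or de-route the others so a stateful firewall in the middle sees both directions of every flow.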