This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Setting up 2nd LAN interface with DHCP

Hello,

 

I have been asked to create a 2nd LAN for a customer. They have recently bought a new business and it has a SG230 UTM device (on the front panel it states UTM 9.311) protecting the site.

Currently the existing LAN interface is connected to a couple of unmanaged 24 port 10/100 switches, DHCP is provided by a Windows 2008R2 server.

The 2nd LAN interface is for a, for want of a better word, factory controller (they are an engineering company) and the maintainer of this controller needs 24/7 access remotely via a high speed internet connection - they have a 100mb leased line providing internet access. As part of the contract the maintainer stipulates that the "main controller" and all its sensors must be on their own physically separate LAN (they have allowed a shared firewall and internet connection).

Therefore I am looking for guidance or reference to the relevant how-to guides on setting up a spare interface to provide a connection to the internet and to provide (to the controller and it's numerous IP sensors) IP address allocation.

 

Many Thanks in advance.

 

Gavin



This thread was automatically locked due to age.
Parents
  • Hi, Gavin, and welcome to the UTM Community!

    I'm confused that your question is posted in the "UTM Manager" forum as that is the tool used to configure and manage many UTMs at once.  I'll move this thread to the General Discussion forum.

    1. Preparation:
      1. You will need the IP address(es) which the company uses as well as the ports they will need opened - in both directions for each.
      2. Tell the company what IP they should assign to their Controller or get a confirmation that the Controller will use DHCP.
      3. Get a separate public IP from your customer that you can assign as an Additional Address on their External interface.
    2. Add the public IP as an Additional Address to the External Interface.  Give it a meaningful name, I'll use "Controller" for this prescription.
    3. Configure an Interface with no default gateway for the NIC in 'Interfaces & Routing >> Interfaces'.  Let's also name this "Controller" although having the same name is not required.
    4. Configure a firewall rule similar to 'Controller (Network) -> {ports the company needs open outbound} -> {IPs at which the company wants to receive messages initiated by the Controller} : Allow'.
    5. In 'Network Services >> DHCP', create a DHCP Server for "Controller (Network)" with a range of 50-to-249.
      1. If the Controller doesn't have a fixed IP and uses DHCP, have the company force it to ask for an IP.  On the 'IPv4 Leases' tab, statically assign it an IP in the 2-to-49 range and have the company force their device to ask for an IP again.  If it does have a fixed IP, create a Host object with that IP.  In both cases, give the Host object a meaningful name like "Controller."
    6. Make a Masquerading rule 'Controller (Network) -> External [Controller]'.
    7. Make a NAT rule like 'DNAT : {IPs from which the company will access the Controller} -> External [Controller] (Address) : to {Controller's IP in "Controller (Network)}'.
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thank you very much for your assistance.

     

    Apologies for posting in the wrong area I'm completely new to the Sophos UTM product, my experience thus far has been with Checkpoint, Mikrotik & Draytek.

    Looks pretty straightforward.

     

    Kind Regards

     

    Gavin

Reply Children
No Data