
XG310 - bridged ports and VLANs - internet access issues

Hello everyone...

I've been looking for a resolution to my problem for more than a week but haven't found a similar situation.

I'm a new user of XG 310 with 18.0.4 firmware. I want to replace a Mikrotik router, which is the main part of the network, with the new XG 310. The new device should serve as router and firewall.

So, at the moment we have a Mikrotik router connected to the ISP modem. There are 12 VLANs created on the router's main bridge. All VLANs are sent from the router to two main Mikrotik switches and a Ubiquiti switch. There are several access points connected to the last switch. VLANs are passed from the main switches to 5 more switches.

I'm trying to get a similar or any working configuration in the test environment. I need two 'trunk' ports to connect main_switch1 and main_switch2 and propagate all created VLANs. I created a bridge with an IP address, added ports 5 and 6 on the Sophos, created vlan30 and added them to the bridge. Routing and VLAN filtering are enabled on the bridge. Vlan30 is chosen within the filtering option on the bridge.

I also created a DHCP server for my VLAN. I connected port 5 of the XG310 to a configured trunk port on the DCN S4600. I made a rule: allow traffic from network 10.10.0.0 (vlan30) to WAN. I also linked NAT MASQ to it.

When I connect my laptop to an untagged port of the DCN I get an IP address and DNS from the Sophos. The issue is: I can always ping WAN devices, but when I try to reach websites they are sometimes accessible and sometimes they are not. The log viewer showed me that traffic from the laptop's IP goes either through the bridge.30 interface or through port 5. The second case is unwanted, and because there's no rule for port 5, the traffic is rejected.

How can I solve this issue?

Is there a better, simpler and/or more effective way of replacing the main Mikrotik router with the XG firewall in this scenario?

  • Hi,

    XG only supports L3 VLANs. Next, a drawing of what you are trying to achieve will make answering your questions easier.

    Ian

  • Hi,

    Thank you for quick reply. This is a diagram of the network we are talking about:

    Mikrotik RouterOS lacks web filtering, application control, email scanning, etc.

    That's why I want to replace it with the XG 310. As this is a school environment I want to use Sophos features to filter and log traffic, protect the network from the outside, and give different users access to different content based on source network/VLAN.

  • Hello Newxguser,

    Thank you for contacting the Sophos Community.

    For this type of POC I would recommend you reach out to your Sales Engineer or Professional Services so they can assist you with the implementation and configuration for your deployment.

    Regards,

  • Not sure whether I understand your structure completely.

    You should use a tiered/tiered model and add one distribution switch.

    I'd give the (optional clustered) router an IP in each VLAN.
    Bring all VLANs tagged to the distribution switch and configure the uplinks to all other switches tagged with the required VLANs.
    Besides the switch management VLAN, all uplinks and downlinks should be configured with tagged VLANs only.
    Only access ports should be untagged.

    Configure firewall rules that reflect the kind of communications you want to allow.

    If you want to use it as a plain router as before, put the internal VLANs in zone LAN and the internet connections in zone WAN, allow everything from LAN <-> LAN, and define a policy and NAT rule for LAN -> WAN.

  • BeEf, thank you for your time used to deal with my case.

    I'm sorry for my English - it's become rusty over years of not using it to communicate. I have difficulties explaining what I mean because of that.

    While searching for solutions on this forum I've found a post with a similar problem: https://community.sophos.com/xg-firewall/f/discussions/126065/bridged-vlan-support-question---xg-v18. The configuration is similar but nothing is said about the VLAN-to-WAN connections I had problems with.

    I just want to get a similar setting:

    1. XG310 as the main and only router on this network, with DHCP servers for the VLANs

    2. XG310 bridge with three trunk ports and VLANs:
       --> main_switch1
       --> main_switch2
       --> unifi switch

    3. Some VLANs have to be passed to all three switches - that's why I suppose I must use a bridge with physical ports and VLANs.

    4. Some ports are untagged on main_switch1 and main_switch2 because certain LAN sockets are connected to them directly.

    5. My goal is to manage the whole network via the management VLAN using a VPN tunnel from outside. Additionally, I would leave the configuration of port 1 on the Sophos in case I have to connect to it on site.

    6. I would like to prevent traffic between VLANs for security reasons.

    Today I tried a different approach. I removed the bridge on the XG310 and created two VLANs attached to one single port, just for testing. I made firewall rules for network-to-WAN traffic. I connected this port to a trunk on my DCN. When I was switching between untagged ports (two VLANs) on the DCN with my laptop, the traffic worked perfectly without any issues. If I chose this approach in my production network I would have to pass all the VLANs through one trunk port from the XG310, divide them on main_switch1 and pass some VLANs to main_switch2, etc. Maybe I'm wrong, but such a solution sounds like a bottleneck to me. Additionally, it means reorganising my network. That's why I will give the first option (bridged trunks with VLANs) a second try. It's possible I misconfigured something - I'm new to XG.

  • To me it looks like you are trying some kind of mixed layer 2 and layer 3 approach. That would be difficult to handle and could be very error prone. The Sophos XG is more like a router than a layer 3 switch.


    Uplink between XG:
    - and Main_Switch_01: 30,16,17,60,11,14,15 (tagged)
    - and Main_Switch_02: 12,13,17 (tagged)
    - and Unify_Switch: 11,12,15,17,20 (tagged)

    My last proposal was to use another distribution switch:
    - Uplink between XG and distribution switch: 30,16,17,60,11,14,15,12,13,17,17,20 (tagged)
    - and then connect the subordinate switches below that.

    Using layer 3 and defining on the firewall which intra vlan traffic is allowed looks to me like a much clearer approach.

    The link https://community.sophos.com/xg-firewall/f/discussions/126065/bridged-vlan-support-question---xg-v18 is not comparable to what you want to do, in my opinion, because only 2 VLANs are involved.

    It is also not clear to me how more than 1 untagged VLAN can be used in the case of uplinks. And in the case of Unifi APs - tunneling?

    Regarding your picture, it would be better to draw the VLANs on the uplinks (lines) rather than mixing access ports and uplinks on the switches (rectangles), i.e. it should be clear what's configured on the access ports and what's configured on the uplinks.

    I think there is nothing we can solve here, because it is too complicated and needs testing.
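    The two points argued in this thread can be modelled in a few lines: the poster's log viewer attributes a frame either to the bridge.30 VLAN interface or to the physical port 5, and the routed alternative puts every VLAN interface into a zone and lets zone rules decide what crosses between VLANs and to WAN. The following is an added editor's example, not Sophos code and not the poster's configuration: a small Python model that parses the 802.1Q tag of a constructed Ethernet/IPv4 frame, maps the frame to a logical interface the way a bridge with VLAN filtering would (a tagged VID that has a VLAN interface lands on bridge.<VID>, anything else stays on the physical port), resolves zones, and applies first-match firewall rules with an implicit deny. The port names, the 10.10.0.0/24 and 10.40.0.0/24 networks, bridge.40, Port2 as WAN and the sample frames are all constructed assumptions.

```python
"""Model of how a VLAN-aware firewall classifies frames and applies zone rules.
Editor's example; the topology below is constructed, not the poster's real setup."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800


@dataclass(frozen=True)
class Frame:
    vlan_id: Optional[int]   # None when the frame carried no 802.1Q tag
    ethertype: int
    payload: bytes


def parse_ethernet(raw: bytes) -> Frame:
    """Parse an Ethernet II header with at most one 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype != ETHERTYPE_VLAN:
        return Frame(None, ethertype, raw[14:])
    if len(raw) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", raw[14:18])
    return Frame(tci & 0x0FFF, inner, raw[18:])   # low 12 bits of the TCI = VID


# Constructed topology (assumption): ports 5 and 6 are bridge members, VLANs 30 and
# 40 are VLAN interfaces on the bridge, Port2 is the WAN uplink.
BRIDGE_PORTS = {"Port5", "Port6"}
BRIDGE_VLANS = {30: "bridge.30", 40: "bridge.40"}
ZONES = {"bridge.30": "LAN", "bridge.40": "LAN", "Port2": "WAN"}
ROUTES = [  # first match; the prefixes here do not overlap
    (ipaddress.ip_network("10.10.0.0/24"), "bridge.30"),
    (ipaddress.ip_network("10.40.0.0/24"), "bridge.40"),
]
DEFAULT_ROUTE = "Port2"


def ingress_interface(port: str, frame: Frame) -> str:
    """Name the logical interface the firewall attributes an arriving frame to."""
    if port in BRIDGE_PORTS and frame.vlan_id in BRIDGE_VLANS:
        return BRIDGE_VLANS[frame.vlan_id]
    return port   # untagged or unknown-VID frames stay on the physical port


def egress_interface(dst_ip: str) -> str:
    addr = ipaddress.ip_address(dst_ip)
    for net, iface in ROUTES:
        if addr in net:
            return iface
    return DEFAULT_ROUTE


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str           # "allow" or "deny"
    masquerade: bool = False


def evaluate(rules, in_port: str, raw_frame: bytes) -> dict:
    """Classify a frame, resolve zones, apply first-match rules, default deny."""
    frame = parse_ethernet(raw_frame)
    if frame.ethertype != ETHERTYPE_IPV4 or len(frame.payload) < 20:
        return {"action": "deny", "reason": "not IPv4"}
    dst_ip = str(ipaddress.ip_address(frame.payload[16:20]))
    src_if, dst_if = ingress_interface(in_port, frame), egress_interface(dst_ip)
    src_zone, dst_zone = ZONES.get(src_if), ZONES.get(dst_if)
    result = {"src_if": src_if, "dst_if": dst_if,
              "src_zone": src_zone, "dst_zone": dst_zone}
    if src_zone is None:   # a rule scoped to bridge.30 can never match this frame
        result.update(action="deny", reason=f"{src_if} is in no zone")
        return result
    for rule in rules:
        if rule.src_zone == src_zone and rule.dst_zone == dst_zone:
            result.update(action=rule.action, nat="MASQ" if rule.masquerade else None)
            return result
    result.update(action="deny", reason="no matching rule (implicit deny)")
    return result


def build_frame(vlan_id: Optional[int], src_ip: str, dst_ip: str) -> bytes:
    """Construct a minimal Ethernet/IPv4 frame for testing (not a real capture)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
    if vlan_id is not None:
        eth += struct.pack("!HHH", ETHERTYPE_VLAN, vlan_id, ETHERTYPE_IPV4)  # PCP/DEI = 0
    else:
        eth += struct.pack("!H", ETHERTYPE_IPV4)
    ip = bytearray(20)
    ip[0] = 0x45      # IPv4, 20-byte header
    ip[9] = 6         # TCP
    ip[12:16] = ipaddress.ip_address(src_ip).packed
    ip[16:20] = ipaddress.ip_address(dst_ip).packed
    return eth + bytes(ip)


# Rule set as the original poster described it: VLAN 30 network -> WAN with masquerade.
OP_RULES = [Rule("LAN", "WAN", "allow", masquerade=True)]

if __name__ == "__main__":
    tagged = build_frame(30, "10.10.0.50", "93.184.216.34")
    untagged = build_frame(None, "10.10.0.50", "93.184.216.34")
    print(evaluate(OP_RULES, "Port5", tagged))     # bridge.30 -> WAN, allowed, MASQ
    print(evaluate(OP_RULES, "Port5", untagged))   # Port5 is in no zone, denied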

  • BeEf said:
    Regarding your picture, it would be better to draw the VLANs on the uplinks (lines) rather than mixing access ports and uplinks on the switches (rectangles), i.e. it should be clear what's configured on the access ports and what's configured on the uplinks.

    Here you go:

    [image: diagram-v2]

    BeEf said:
    It is also not clear to me how more than 1 untagged VLAN can be used in the case of uplinks. And in the case of Unifi APs - tunneling?

    Simply, switches have trunk ports and access ports which are used according to the needs. As far as the Unifi controller and APs are concerned, they work in the same network as the bridge of the main router. It's odd to me: the other switches and the main router are accessed via the management VLAN. Maybe it's a Unifi limitation.

    BeEf said:
    To me it looks like you are trying some kind of mixed layer 2 and layer 3 approach. That would be difficult to handle and could be very error prone. The Sophos XG is more like a router than a layer 3 switch.

    Well, when you create a VLAN on the XG, either connected to a physical port or to a bridge, you are giving it a network address. It seems we are dealing with L3 traffic. On the other hand, when the traffic goes 'down' through trunks it looks like we have L2 traffic which gets to other switches and is untagged where necessary. Putting another switch between the XG310 and the three main switches wouldn't change anything.

    BeEf said:
    I think there is nothing we can solve here, because it is too complicated and needs testing.

    I agree with you 100%. The point is: I can't test such a complex setting in my 'lab'. Testing in a production environment could expose my 'client' to unwanted system failure.

    Anyway, thanks for your help.

  • Hi,

    XG only supports L3 VLANs.

    What do you mean?

  • Most switches are L2 VLAN devices and can work without the physical interface being configured, whereas the XG requires the physical interface to have a basic configuration and works at L3 of the stack.

    Ian

  • Thank you for the explanation.