SFOS 19.5 (virtual appliance) VLAN Problem

Hi, I'm trying to get my Guest WiFi VLAN working on SFOS.  This was previously working fine with UTM9 but since moving to SFOS has stopped working!

Running the SFOS virtual appliance in ESXi v8, configured as follows:

vSwitch0 contains port groups for the data LAN (VM Network), Guest VLAN (VLAN33) and the Management Network.  This is bound to physical NIC vmnic0 which is physically connected to switch port 1.  The port group 'VM Network' is presented in SFOS as PortA and assigned the LAN zone.  The 'VLAN33' port group is presented in SFOS as PortD and the SFOS VLAN is attached to that as PortD.33.  The WiFi AP is physically connected to switch port 23, and the Guest LAN is configured on the WiFi controller with VLAN ID 33.  Physical switch ports 1 and 23 are untagged on the default VLAN1. Port 1 is tagged for VLAN33 and port 23 is untagged for VLAN33.  Port 1 is set to Trunk, port 23 is set to General (Dell parlance for allowing multiple VLANs on a port)

I've configured a DHCP server on PortD.33 but cannot get a response from it.  I have already set "system dhcp static-entry-scope global" in case there was a conflict with existing mappings.  Running "tcpdump interface PortD.33 'port 67 or 68'" shows no traffic hitting the interface.

Screenshots speak a thousand words! Can anyone spot what I'm doing wrong?

vSwitch0:

SFOS Network/Interface:

Physical Switch Default VLAN Membership:

Physical Switch VLAN 33 Membership:

WiFi Controller Config:

  • So essentially I can tell you: if you do not see anything in the packet capture, the mapping somewhere else is not correct. Packet capture is the filter directly on the interface. You will see everything coming in/out. So likely you are doing something else wrong, but I cannot comment on the other objects. 

    Likely the vmware configuration is wrong though. 

  • So, what's fixed it for me is changing the VLAN on both Port Groups to 4095 and adding a DHCP IP Helper on the switch.  It'll do for now until I figure out why the DHCP server isn't responding without the helper.  

    After changing the VLAN ID in ESX, I could see a constant stream of 'Who has 192.168.33.1' in tcpdump on the firewall PortD.33 but no reply. The IP Helper got it over the line.

  • Further update in case anyone else has this issue:

    The final working config was as follows:

    ESXi Port Group: VLAN Id 33

    All participating physical ports on switch (incl uplink to ESXi host): Tagged on VLAN 33

    IP Helper and 'IP Subnet bound to VLAN' removed from switch config.

    SFOS: Removed VLAN from PortD and applied 192.168.33.1 to the root port and mapped the DHCP server to this port. (essentially, deleted PortD.33 making SFOS unaware it was on a VLAN)
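The three configurations in this thread differ only in where the 802.1Q tag for VLAN 33 is stripped. The added model below (not code from the original poster or from Sophos/VMware) walks a frame from the AP through the switch uplink, the ESXi port group and the SFOS interface; it assumes the original port group carried VLAN Id 33 (the screenshot is not on the page) and ignores everything except tag handling.

```python
# Constructed model of 802.1Q tag handling along the path in the thread:
# AP (switch port 23) -> switch uplink (port 1) -> ESXi port group -> SFOS port.
# Scenario values are taken from the posts; the original port-group id is assumed.

GUEST_VLAN = 33
VGT = 4095          # ESXi "all VLANs" (VGT): tags pass through to the guest
DROPPED = "dropped"  # frame never reaches the next hop

def switch_egress(vlan, uplink_tagged, uplink_untagged):
    """Tag a frame carries when it leaves the uplink port (None = untagged)."""
    if vlan in uplink_tagged:
        return vlan
    if vlan == uplink_untagged:
        return None
    return DROPPED  # uplink is not a member of that VLAN

def portgroup_to_vm(tag, portgroup_vlan):
    """VST (id 1-4094) strips the matching tag; VGT (4095) keeps it."""
    if tag == DROPPED:
        return DROPPED
    if portgroup_vlan == VGT:
        return tag
    return None if tag == portgroup_vlan else DROPPED

def sfos_receives(tag, interface_vlan):
    """Root port accepts untagged frames only; PortX.N accepts tag N only."""
    if tag == DROPPED:
        return False
    return tag == interface_vlan

def dhcp_reaches_server(uplink_tagged, uplink_untagged, portgroup_vlan, sfos_vlan):
    """True if a DHCP discover from the guest WiFi lands on the SFOS interface
    that hosts the DHCP server (sfos_vlan=None means the root port)."""
    tag = switch_egress(GUEST_VLAN, uplink_tagged, uplink_untagged)
    tag = portgroup_to_vm(tag, portgroup_vlan)
    return sfos_receives(tag, sfos_vlan)

SCENARIOS = {
    # original post: port group 33 strips the tag, PortD.33 waits for tag 33
    "original": dict(uplink_tagged={33}, uplink_untagged=1, portgroup_vlan=33, sfos_vlan=33),
    # second reply: port group 4095 passes tag 33 through to PortD.33
    "vgt_4095": dict(uplink_tagged={33}, uplink_untagged=1, portgroup_vlan=VGT, sfos_vlan=33),
    # final config: port group 33 strips the tag, DHCP bound to untagged root port
    "final":    dict(uplink_tagged={33}, uplink_untagged=1, portgroup_vlan=33, sfos_vlan=None),
}

def evaluate_all():
    return {name: dhcp_reaches_server(**cfg) for name, cfg in SCENARIOS.items()}

if __name__ == "__main__":
    for name, ok in evaluate_all().items():
        print(f"{name:9s} DHCP discover reaches server: {ok}")
```

The model only explains why nothing showed up in the PortD.33 capture; it does not cover the ARP-without-reply symptom seen with the 4095 port group.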