XG Firewall setup for multiple VLANs and WLANs

I am trying to plan out this network before I make the changes to the FW. I have a recycled Supermicro server to which I added a 10 Gb 4-port NIC, giving me a total of 6 ports. I have 3 Sophos APs, two AP 55s and one AP 15C. I also have 2 ASUS routers running DD-WRT that will be used as APs. I also have a 16-port D-Link managed switch, which I might end up replacing to support all my IP cameras. Or I may get a separate switch, haven't decided yet.

 

I'd like to create multiple VLANs and WLANs to separate traffic. The VLANs are:

VLAN1 - LAN used for networking devices such as APs and switches

VLAN3 - Normal LAN and WLAN traffic, will be used on the 2 GHz band

VLAN4 - LAN and WLAN for media devices like TVs and Xbox, no web filtering, used on the 5 GHz band

VLAN5 - Security camera network, need to open a port to access the NVR remotely

VLAN7 - Guest network WLAN on the 2 GHz band

 

Below is how I was going to configure the interfaces

Port 1 - IP: 172.16.100.200 | Zone: MANAGE

Port 2 - IP: WAN

Port 3 - IP: 172.16.100.201 | Zone: MANAGE

Port 3.3 - IP: 172.16.130.200 | Zone: LAN | LOCALWiFi bridged to VLAN3 | DHCP: 172.16.130.100 to 172.16.130.150

Port 4 - IP: 172.16.100.202 | Zone: MANAGE

Port 4.4 - IP: 172.16.140.200 | Zone: MEDIA | MEDIAWiFi bridged to VLAN4 | DHCP: 172.16.140.100 to 172.16.140.150

Port 5 - IP: 172.16.100.203 | Zone: MANAGE

Port 5.5 - IP: 172.16.150.200 | Zone: CAM | DHCP: 172.16.150.100 to 172.16.150.120

Port 6 - IP: 172.16.100.204 | Zone: MANAGE

Port 6.7 - IP: 172.16.170.200 | Zone: GUESTWiFi | GUESTWiFi bridged to VLAN7 | DHCP 172.16.170.100 to 172.16.170.150

 

Below are my APs and how I want to configure the WLANs

AP15C_01 - IP: 172.16.100.210 | GUESTWiFi (2 GHz)

AP55_01 - IP: 172.16.100.211 | LOCALWiFi (2 GHz) MEDIAWiFi (5 GHz)

AP55_02 - IP: 172.16.100.212 | LOCALWiFi (2 GHz) MEDIAWiFi (5 GHz)

RT-AC87U - IP: 172.16.100.215 | WL0: LOCALWiFi (2 GHz) WL0.1: GUESTWiFi WL1.0: MEDIAWiFi (5 GHz)

RT-AC88U - IP: 172.16.100.216 | WL0: LOCALWiFi (2 GHz) WL0.1: GUESTWiFi WL1.0: MEDIAWiFi (5 GHz)

 

Below are Firewall Rules:

MANAGE to WAN , WAN to MANAGE

MANAGE to LAN, LAN to MANAGE

MANAGE to MEDIA, MEDIA to MANAGE

MANAGE to CAM, CAM to MANAGE

MANAGE to GUESTWiFi, GUESTWiFi to MANAGE

 

Ports 1, 3, 4, 5, 6 will go to an L2 managed switch. Below is the port config for the switch:

Port 1 - Untagged: 1

Port 2 - Untagged: 1 | Tagged: 3 | VID: 1

Port 3 - Untagged: 1 | Tagged: 4 | VID: 1

Port 4 - Untagged: 1 | Tagged: 5 | VID: 1

Port 5 - Untagged: 1 | Tagged: 7 | VID: 1

Port 6 - (to AP15C_01) | Untagged: 1 | Tagged: 7 | VID: 1

Port 7 - (to AP55_01) | Untagged: 1 | Tagged: 3, 4 | VID: 1

Port 8 - (to AP55_02) | Untagged: 1 | Tagged: 3, 4 | VID: 1

Port 9 (to ASUS RT-AC87U) - Untagged: 1 | Tagged: 3, 4, 7

Port 10 (to ASUS RT-AC88U) - Untagged: 1 | Tagged: 3, 4, 5, 7

 

Sorry for the long read. I think this should give you a good idea of what I want to do. I have to assume that I am missing firewall rules. I didn't go into specifics with those only because this could get long. Any recommendations on what I should do there would be appreciated. I just described the minimum I'll need to get this network working.

As far as those two ASUS routers, I know they will accept the VIDs without issues. I've configured them as APs with VLANs without any issues, other than VLANs 2 and 6 not working. I know VLAN2 is reserved for WAN, but I don't get why VLAN6 doesn't work. The RT-AC88U has 8 ports, so I can use those LAN ports for my cameras.

Any thoughts on whether this is being configured the right way? Or would I have to bridge the physical interfaces, each interface IP set to the new subnet? I definitely want the VLANs to work, as I'm not sure how I could get any clients to connect to the right VLAN unless I give them all static IPs?



This thread was automatically locked due to age.
  • UPDATE: I just tried to set up one of the AP55s and it looks like I can only tag 1 VLAN. I guess the Sophos APs don't support multiple VLAN tagging?

  • Nova13,

    Sophos APs support up to 8 SSIDs on the same AP, and you can mix them between bridge to AP LAN, VLAN, and separate network. A Sophos AP needs VLAN 1 or bridge to AP LAN to get its configuration, IP, etc.

    For testing, create 2 Wi-Fi networks: 1 bridged to AP LAN and 1 bridged to an AP VLAN.

    Regards

  • I appreciate your time and want to thank you for the response. I have a few questions, which may better help me understand where the problem is.

    You mentioned that the AP needs VLAN 1 or a bridge to AP LAN. Being that I've put all my LAN interfaces on the same subnet, which is VLAN1, the AP is receiving a VLAN1 IP.

    I created VLAN3 on one of the interfaces, with an IP on a different subnet. I am able to connect to the WLAN, where I receive a VLAN3 IP. So it "appears" to be working.

    However, I can only get VLAN3 to work. VLAN4 will not work, which I'm assuming is because the AP only has the option for 1 VID.

    From what I read on another thread, the LAN interfaces should NOT be on the same subnet because of IP table issues. If this is in fact the case, then my entire configuration is not going to work.

    My LAN1 interface is currently configured to 172.16.100.200, LAN2 is configured to 172.16.100.201, and my VLAN interface is configured on LAN2.3 to 172.16.130.200.

    How am I supposed to configure the LAN interfaces if they cannot be on the same subnet? For the sake of simplicity, let's assume I only have 2 LAN ports and 1 WAN.

    Is LAN2 supposed to be 172.16.130.200? If so, how will I assign the VID that I would normally do through the VLAN interface?

  • Nova13,

    You cannot have the same IP address/subnet on 2 different IPs. This is OSI layer 3 and you cannot do this. It is something like: Bob is both in the kitchen and in the bathroom. A person can be in one place at a time. Same thing for IP. These are the network basics.

    So for each VLAN, assign a different IP and trunk them on the switch port that will be connected to AP.

    Regards

  • Luk,

    It seems like maybe there was some sort of miscommunication on my part. I understand the concept of the IPs having to be different, but I wasn't sure how the APs were getting tagged with VLANs if the configuration of the AP only allows for 1 VID.

    So what my manager was explaining to me, which you had also mentioned in a previous response, was that the AP needed to be on the same VLAN as the XG.

    I understood this, but I didn't know that the VID in the configuration of the AP was for the VLAN that the physical AP would be on. I was under the impression that the VID in the configuration of the AP was the VLANs to be tagged on the AP LAN port.

    So in my case, the VID would remain 1 (or I guess leave it blank for LAN). The VLAN tagging is done when configuring the Wireless network, when I bridge the WLAN to VLAN. By assigning the Wireless networks to the AP, I am essentially tagging those VLANs. 

    So by creating the VLANs on a LAN interface, the VLANs are tagged. Then VLANs are tagged on the switch port that I am connecting to the XG, and then VLANs are tagged on the switch port that is going out to the AP. By connecting to each Wireless network, I should receive different IPs based on the VLANs bridged to each wireless network.

    Figured I would give a thorough explanation in case somebody runs into the same issue.

    Thanks again for your response, and your help!
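As an added example (not Sophos code and not the poster's actual configuration), the script below models the plan from the original post and runs three checks that cover the points raised in this thread: the layer-3 problem Luk describes (all five MANAGE interfaces sit in 172.16.100.0/24), the AP → switch → XG tagging path explained in the last reply (each SSID's VLAN must be tagged on the AP-facing switch port and on the port facing the XG interface that terminates it, while the AP itself stays untagged on VLAN 1), and gaps in the listed firewall rules (no client zone has a rule to WAN, and the guest and WAN zones have rules into the management zone). The /24 masks, the dictionary layout and the function names are my assumptions; the addresses, VLAN ids and port assignments are constructed from the post.

```python
"""Consistency checks for a VLAN / zone / AP plan.

Added example, not Sophos code and not the poster's real configuration.
The data is constructed from the plan in this thread; /24 masks, the
dictionary layout and the function names are assumptions.
"""
import ipaddress

# XG interfaces: name -> (address/prefix, zone, VLAN id carried, physical port)
XG_INTERFACES = {
    "Port1":   ("172.16.100.200/24", "MANAGE",    1, "Port1"),
    "Port3":   ("172.16.100.201/24", "MANAGE",    1, "Port3"),
    "Port3.3": ("172.16.130.200/24", "LAN",       3, "Port3"),
    "Port4":   ("172.16.100.202/24", "MANAGE",    1, "Port4"),
    "Port4.4": ("172.16.140.200/24", "MEDIA",     4, "Port4"),
    "Port5":   ("172.16.100.203/24", "MANAGE",    1, "Port5"),
    "Port5.5": ("172.16.150.200/24", "CAM",       5, "Port5"),
    "Port6":   ("172.16.100.204/24", "MANAGE",    1, "Port6"),
    "Port6.7": ("172.16.170.200/24", "GUESTWiFi", 7, "Port6"),
}

# Switch ports: number -> (device at the far end, untagged VLAN, tagged VLANs)
SWITCH_PORTS = {
    1:  ("Port1",    1, set()),
    2:  ("Port3",    1, {3}),
    3:  ("Port4",    1, {4}),
    4:  ("Port5",    1, {5}),
    5:  ("Port6",    1, {7}),
    6:  ("AP15C_01", 1, {7}),
    7:  ("AP55_01",  1, {3, 4}),
    8:  ("AP55_02",  1, {3, 4}),
    9:  ("RT-AC87U", 1, {3, 4, 7}),
    10: ("RT-AC88U", 1, {3, 4, 5, 7}),
}

# SSID -> VLAN it is bridged to, and the SSIDs each AP broadcasts
WLAN_VLAN = {"LOCALWiFi": 3, "MEDIAWiFi": 4, "GUESTWiFi": 7}
AP_WLANS = {
    "AP15C_01": ["GUESTWiFi"],
    "AP55_01":  ["LOCALWiFi", "MEDIAWiFi"],
    "AP55_02":  ["LOCALWiFi", "MEDIAWiFi"],
    "RT-AC87U": ["LOCALWiFi", "GUESTWiFi", "MEDIAWiFi"],
    "RT-AC88U": ["LOCALWiFi", "GUESTWiFi", "MEDIAWiFi"],
}
AP_MGMT_VLAN = 1  # the AP itself talks untagged on VLAN 1 to reach the XG

# Firewall rules from the post as (source zone, destination zone)
FIREWALL_RULES = {
    ("MANAGE", "WAN"), ("WAN", "MANAGE"),
    ("MANAGE", "LAN"), ("LAN", "MANAGE"),
    ("MANAGE", "MEDIA"), ("MEDIA", "MANAGE"),
    ("MANAGE", "CAM"), ("CAM", "MANAGE"),
    ("MANAGE", "GUESTWiFi"), ("GUESTWiFi", "MANAGE"),
}


def overlapping_subnets(interfaces):
    """Layer-3 check: pairs of interfaces whose subnets overlap."""
    nets = {n: ipaddress.ip_interface(c[0]).network for n, c in interfaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def vlan_path_problems(interfaces, switch_ports, ap_wlans, wlan_vlan, mgmt_vlan):
    """Layer-2 check: each SSID's VLAN must be tagged on the AP's switch port and
    on the switch port facing the XG interface that terminates that VLAN."""
    problems = []
    vlan_iface = {c[2]: n for n, c in interfaces.items() if c[2] != mgmt_vlan}
    port_of = {dev: num for num, (dev, _, _) in switch_ports.items()}
    for ap, ssids in ap_wlans.items():
        port = port_of.get(ap)
        if port is None:
            problems.append(f"{ap}: not connected to any switch port")
            continue
        _, untagged, tagged = switch_ports[port]
        if untagged != mgmt_vlan:
            problems.append(f"{ap} switch port {port}: untagged VLAN is {untagged}, "
                            f"but the AP needs VLAN {mgmt_vlan} to reach the XG")
        for ssid in ssids:
            vid = wlan_vlan[ssid]
            if vid not in tagged:
                problems.append(f"{ap} switch port {port}: VLAN {vid} for {ssid} is not tagged")
            iface = vlan_iface.get(vid)
            if iface is None:
                problems.append(f"VLAN {vid} ({ssid}): no XG interface terminates it")
                continue
            uplink = port_of.get(interfaces[iface][3])
            if uplink is None or vid not in switch_ports[uplink][2]:
                problems.append(f"VLAN {vid} ({ssid}): not tagged on the switch port "
                                f"toward XG {interfaces[iface][3]}")
    return problems


def firewall_findings(rules, interfaces, wan="WAN", mgmt="MANAGE", guest="GUESTWiFi"):
    """Zones with no path to WAN, plus rules that expose the management zone."""
    findings = []
    for zone in sorted({c[1] for c in interfaces.values()} - {mgmt}):
        if (zone, wan) not in rules:
            findings.append(f"{zone}: no rule to {wan}; clients will have no internet")
    if (guest, mgmt) in rules:
        findings.append(f"{guest} -> {mgmt}: guest clients can reach APs and switches; drop or restrict")
    if (wan, mgmt) in rules:
        findings.append(f"{wan} -> {mgmt}: inbound to the management zone; scope it to the one service needed")
    return findings


if __name__ == "__main__":
    for pair in overlapping_subnets(XG_INTERFACES):
        print("overlap:", *pair)
    for p in vlan_path_problems(XG_INTERFACES, SWITCH_PORTS, AP_WLANS, WLAN_VLAN, AP_MGMT_VLAN):
        print("vlan:", p)
    for f in firewall_findings(FIREWALL_RULES, XG_INTERFACES):
        print("fw:", f)
```

Run as-is, the tagging check passes for the plan in the post (every WLAN VLAN is tagged on both the AP-facing and XG-facing switch ports), while the subnet check reports every pair of MANAGE interfaces and the firewall check reports the four client zones with no WAN rule plus the two rules into MANAGE. Changing a switch port to tag only one VLAN, which is what the "I can only tag 1 VLAN" confusion would produce, makes the tagging check name the SSID whose VLAN is missing.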

     

     
