I'm having a problem getting this to work, and could use some assistance. I'm pretty technical, and can figure most things out, but seem to be missing something.
I have a Home UTM 9 install on a Zotac. I'm trying to create a DMZ for my VoIP Obi202 ATA, and have most computers behind an inline Asus router as my NAS is served off it.
Network Connections:
eth0 is WAN to cable modem and eth1 is LAN to a Netgear 5 port GS105E (mgd switch)
On the switch, UTM is connected to port 1, port 2 is to the WAN on an Asus router that serves wifi and a USB NAS, port 5 is connected to my VoIP ATA
Switch Configuration:
Port based VLAN Advanced Enabled, VLAN 1 includes all 5 ports, and VLAN 5 includes port 1 and port 5
In Sophos I have the following configured:
Interfaces:
WAN on eth0
Internal on eth1 [10.10.52.100/24]
DMZ-VoIP on eth1 [192.168.1.1/24]
Type: Ethernet VLAN
VLAN Tag 5
Network Services:
DNS: Internal and DMZ-VoIP included
DHCP: Internal and DMZ-VoIP included
Network Protection:
Rules: DMZ-VoIP (Network) --> Internet IPv4, Service = VoIP Protocols Any
Internet IPv4 --> DMZ-VoIP (Network), Service = VoIP Protocols Any
The VoIP ATA has an external IP of 10.10.52.200, so not sure what I'm missing. I've connected a computer to that port as well, and it doesn't get placed in the VLAN, just the default LAN.
Everything else seems to be working correctly as far as I can tell. I've not done many other configurations on the UTM from a default setup, besides a few changes to the Intrusion Protection Patterns and Web Filters.
Appreciate any suggestions.
UPDATE: I have added Masquerade and Static Routing rules which I read are required.
Masquerade: DMZ-VoIP (Network) --> WAN
Static Route: Gateway Route
Network = Internal Address (UTM Gtw address)
Gateway=VLAN Switch (10.10.52.200)
Still no traffic displaying on the DMZ-VoIP VLAN, nor am I getting an IP in the VLAN.
UPDATE: OK, I have figured it out and have it working now.
Changes I've made:
Netgear Switch: Disabled port based VLAN and enabled 802.1Q Advanced
VLAN Configuration:
VLAN ID 1, Port Members 1,2,3,4
VLAN ID 5, Port Members 1,5
VLAN Membership:
VLAN 1: Ports 1-4: all U
VLAN 5: Port 1=T, Port 5=U
Port PVID:
Ports 1-4, PVID=1
Port 5, PVID=5
UTM
I didn't make too many changes to what I have listed above. The trunking is what I figured must have been it, and that seemed to do it.
I did however have to change the allowed service from only VoIP Protocols to Any.
I also put in a rule to block any traffic from the DMZ to the Internal Network: DMZ-VoIP (Network) --> Internal (Network), Service=Any, Action=Reject
Last addition I did was turn on Intrusion Protection for the DMZ-VoIP (Network) in Network Protection.
Traffic is now showing in the Dashboard for the DMZ-VoIP VLAN, devices hooked to Port 5 on the switch are now getting the correct VLAN IP, and calls are working as normal. I wish I didn't have to allow the Any service to the VoIP ATA to get it working, but with the other rules I'm thinking it should be pretty segmented from the Internal network.
Any suggestions or comments appreciated.
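Added example, not from the original post and not Netgear or Sophos code: a small Python model of the two switch setups described above, to show why the port-based VLAN left the ATA on the Internal network and why the 802.1Q trunk (port 1 tagged, port 5 untagged with PVID 5) fixed it. Port numbers, VLAN IDs and interface addresses are taken from the post; the frame format and switch behaviour (no MAC learning, no flooding, one frame at a time) are deliberate simplifications.

```python
"""Model of a port-based VLAN switch versus an 802.1Q switch, and of which
UTM interface on eth1 receives a frame arriving from switch port 1.
Added example; simplified on purpose (no MAC learning, no flooding).
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Frame:
    port: int                   # switch port the frame is on
    tag: Optional[int] = None   # 802.1Q VID on the wire, None = untagged


class PortBasedSwitch:
    """Port-based VLAN: port groups may talk to each other, frames pass through
    unchanged (the switch never adds, strips or interprets 802.1Q tags)."""

    def __init__(self, groups: Dict[int, Set[int]]):
        self.groups = groups    # group id -> member ports

    def forward(self, frame: Frame, egress: int) -> Optional[Frame]:
        if egress == frame.port:
            return None
        for ports in self.groups.values():
            if frame.port in ports and egress in ports:
                return Frame(egress, frame.tag)     # passed through as-is
        return None


class Dot1QSwitch:
    """802.1Q switch: PVID classifies untagged ingress, egress is T or U per VLAN."""

    def __init__(self, members: Dict[int, Set[int]],
                 tagged: Dict[int, Set[int]], pvid: Dict[int, int]):
        self.members = members  # VID -> member ports
        self.tagged = tagged    # VID -> ports that send this VID tagged
        self.pvid = pvid        # port -> VID assigned to untagged ingress

    def forward(self, frame: Frame, egress: int) -> Optional[Frame]:
        vid = self.pvid[frame.port] if frame.tag is None else frame.tag
        # ingress filtering: tagged frame for a VLAN the port is not in is dropped
        if frame.port not in self.members.get(vid, set()):
            return None
        if egress == frame.port or egress not in self.members[vid]:
            return None
        out_tag = vid if egress in self.tagged.get(vid, set()) else None
        return Frame(egress, out_tag)


def utm_interface(frame: Frame) -> Optional[str]:
    """Interface on eth1 that receives a frame from switch port 1:
    untagged -> Internal, VID 5 -> the 'Ethernet VLAN' DMZ-VoIP interface."""
    if frame.tag is None:
        return "Internal 10.10.52.100/24"
    if frame.tag == 5:
        return "DMZ-VoIP 192.168.1.1/24"
    return None     # no UTM interface for that VID, dropped


UTM, ASUS, ATA = 1, 2, 5     # switch ports from the post

# First (failing) setup: VLAN 1 = all five ports, VLAN 5 = ports 1 and 5, no tagging.
FAILING = PortBasedSwitch({1: {1, 2, 3, 4, 5}, 5: {1, 5}})

# Working setup: port 1 is T in VLAN 5, port 5 is U with PVID 5, ports 1-4 PVID 1.
WORKING = Dot1QSwitch(
    members={1: {1, 2, 3, 4}, 5: {1, 5}},
    tagged={5: {1}},
    pvid={1: 1, 2: 1, 3: 1, 4: 1, 5: 5},
)


def ata_lands_on(switch) -> Optional[str]:
    """UTM interface that sees an untagged frame the ATA sends (e.g. DHCP discover)."""
    out = switch.forward(Frame(ATA), UTM)
    return utm_interface(out) if out else None


def asus_can_reach_ata(switch) -> bool:
    """Can an untagged frame from the Asus router's WAN port reach the ATA at layer 2?"""
    return switch.forward(Frame(ASUS), ATA) is not None


def utm_dmz_reply(switch) -> Optional[Frame]:
    """Frame the ATA sees when the UTM answers from the DMZ-VoIP VLAN interface."""
    return switch.forward(Frame(UTM, tag=5), ATA)


def utm_internal_reaches_ata(switch) -> bool:
    """Can an untagged (Internal) frame from the UTM reach the ATA at layer 2?"""
    return switch.forward(Frame(UTM), ATA) is not None


if __name__ == "__main__":
    for name, sw in (("port-based", FAILING), ("802.1Q", WORKING)):
        print(f"{name}: ATA frames land on {ata_lands_on(sw)}; "
              f"Asus->ATA at L2: {asus_can_reach_ata(sw)}; "
              f"UTM Internal->ATA at L2: {utm_internal_reaches_ata(sw)}")
```

In the port-based setup the ATA's untagged frames reach port 1 untagged, so the UTM's Internal interface answers DHCP and the ATA ends up at 10.10.52.200; the UTM's DMZ-VoIP replies arrive at port 5 still tagged 5, which an untagged-only endpoint will not accept. In the 802.1Q setup the same frames leave port 1 tagged 5, the Internal interface never sees them, and frames from the Asus router or from Internal cannot reach port 5 at all, which is the layer-2 half of the segmentation the firewall reject rule completes at layer 3.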