
Creating a server (v)lan

Hello,

For educational purposes I have installed Sophos UTM Home. For my job I don't have to really do things with networking stuff, so I already apologize in advance for if I ask some stupid questions ;) My questions might even go a bit beyond the main topic of this forum. I would really appreciate some help though. 

At this point I don't have any servers that really do anything and I have no data at all. I now have the following:

Physical:

Desktop 'server'/hypervisor running Server 2016 with Hyper-V. This physical server has 2 NICs.

Virtual:

1. Firewall (Sophos UTM), with 2 virtual NICs (eth0 & eth1).

2. Windows based server

3. Hyper-V switch connected to physical NIC1 (connected to internet)

4. Hyper-V switch connected to physical NIC2 (connected to the local network only)

I have no hardware switch that has VLAN support. I do have a wireless access point that has VLAN support, but I prefer not using VLANs on that if I don't have to.

To be honest I have spent several days now trying to create a network for my servers. I need to be able to connect my clients to the servers. My client computers (Windows 7 / Mac / etc.) need to have internet access.

Should I add a third ethernet adapter to my firewall (that is only for the connection to the virtual servers), or should I solve this with VLANs? Or do I need extra hardware (a physical switch)?

I would really appreciate some help.



  • If you only have 2 physical NICs where one is connected to the internet and the other to a non-VLAN switch, then using VLANs outside the virtual environment would not be possible, so it will also not be possible to use VLANs on your access point since it connects to a switch that doesn't support VLANs.

    You could have your servers, access point and clients all in the same subnet (by simply not using any VLANs), which should work. For that you need to connect the virtual servers to the Hyper-V switch connected to physical NIC2, connect your real switch to this NIC and connect your clients also to that switch.

    You could set up a third Hyper-V switch (Internal) where you can connect your virtual server and of course also a third virtual NIC connected to this switch in your UTM. You have then "physically" segregated your server from your clients and still wouldn't need VLANs.

    I'm not sure if this answers your question, so if not then let us know.

  • Thanks so much (thank you)! I have chosen your last suggestion, the extra switch+NIC.

    (I couldn't quite get my head around VLANs for a moment, but now I think I can move on to my actual goal)

  • Okay, I just set that up like suggested and this really helps, but it results in another problem. I have 3 networks now:

    1. eth0 = internal

    2. eth1 = WAN

    3. eth2 = server_lan

    I created 2 DHCP pools. 1 is assigned to the internal network (eth0) and the other is on the server_lan network (eth2).

    eth0-DHCP = 192.168.0.20 - 192.168.0.254

    eth2-DHCP = 192.168.2.20 - 192.168.0.254

    For some reason, when I switch virtually between networks (external hyper-v switch versus the internal hyper-v switch), I still get an IP address from the eth2 DHCP pool. For some reason it does not use both DHCP-pools.

    Does anybody see what I don't see?

  • Are you sure that you made the third virtual switch an internal switch (in Hyper-V)?

  • Just to be sure I checked again, but yes, the third virtual hyper-v switch is indeed an "internal" switch.


    To give complete information I should say that earlier today I first made a checkpoint. Then, in a moment of desperation, I ran a PowerShell command for trunking eth0 and setting it to VLAN 30 by default. But I reverted back to the checkpoint, so I am assuming (dangerously in IT, I know.. ;) ) that reverting also undoes the trunking.

    Edit: Just to be sure, I re-created the firewall virtual machine (using the existing virtual disk); the problem remains.

  • Do you also have 3 different NICs in the firewall VM, every NIC connected to a different virtual Hyper-V switch (1 for WAN, 1 for Internal, 1 for Servers)?

  • Thank you for your response.

    Yes I have. I have also just unplugged all the other devices on the network, to make sure I did not cross-link 2 networks.

  • I think you need to delve deeper in that case.

    Try to disconnect one of the LAN interfaces (leave WAN connected) and see whether your client connected to that same network gets the right IP address. Also check in Interfaces whether the interface you have disconnected is also the one shown as not connected.

    Then disconnect the other LAN interface and check again. See if in both cases the client gets the expected IP address.

    If it doesn't, then try to ping other devices in the subnet you got your IP address from to see if there really is a connection.

  • Thank you so much for your help.

    I finally got it working. I had both NICs in the same subnet. Once I changed one of them the problem was solved. Though I still don't understand why it doesn't work on the same subnet. After all, they are 2 different NICs.

  • This wasn't the solution, the problem is still there.

    After I realized this I have deleted the Sophos UTM virtual machine and started all over. Just to make sure I didn't have a rule configured that I forgot. It doesn't help though.

    Now I wonder if it would be easier to buy a switch that supports the configuration of VLANs. If it would make things easier, I would buy a switch tomorrow. But I would want to be able to still use a physical network to connect to my servers as well. (I am thinking of buying a Synology NAS DS916+, which must be accessible by all computers in the network, my girlfriend's as well. But this is a totally different chapter, not for now.)

    Update:

    I found out that I do not need to use the switch that is between the hypervisor NIC and the wireless access point. I'm guessing that perhaps I can use VLANs after all because I could perhaps do all of this through the wireless access point(?).

    First I'm going to spend my time with some family, I've been busy with this for more than 12 hours now.

  • Think of the UTM as a router that routes traffic from one subnet to the other by means of different interfaces. If you do have two interfaces on the same subnet, you need to either bridge those interfaces or make a LAG.

    If you bridge two interfaces of the same type (both ethernet), you are basically creating sort of a switch. When you create a LAG you connect one (logical) device to the UTM using two network cables. This both increases total bandwidth of the connection and makes the connection redundant.

  • Is there a special reason that you want your server(s) in a different subnet from your clients and the NAS you are about to purchase?

    If not, then why not do it like this:

    1 physical NIC connected to the Internet connection. Make a Hyper-V virtual switch connected to this and also connect 1 UTM NIC to it (the WAN port). The other physical NIC connected to your switch (doesn't need VLAN) and also connect this NIC to a second Hyper-V virtual switch. You can then also connect your virtual servers and a second NIC in the UTM to this virtual switch to just connect all of those devices to the same physical subnet. You can then attach additional physical devices to the real switch to also connect those.

    Create something like the attached drawing

  • If you do want to separate your (virtual) servers from your physical clients then make it as the following drawing:

    Be sure though to have all three subnets (LAN, WAN, Servers) in different IP subnets, like 172.16.10.0/24, 172.16.20.0/24 and whatever your ISP hands out as your WAN subnet. Of course you could also create other subnets as long as they are not overlapping and use RFC1918 addresses (private internet).
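    Added example, not from the thread or from Sophos: a small sanity check that catches the two mistakes this thread ran into (two UTM interfaces landing in the same subnet, and a DHCP pool whose range does not fit the interface's subnet). The interface and pool values are constructed from the thread's layout; the eth2 pool end reproduces the kind of typo posted above.

```python
import ipaddress

# Constructed sample mirroring the thread's three-interface layout (WAN omitted).
INTERFACES = {
    "eth0": {"role": "internal",   "network": "192.168.0.1/24"},
    "eth2": {"role": "server_lan", "network": "192.168.2.1/24"},
}
# Constructed pools; eth2's end address is deliberately in the wrong subnet.
DHCP_POOLS = {
    "eth0": ("192.168.0.20", "192.168.0.254"),
    "eth2": ("192.168.2.20", "192.168.0.254"),
}


def check_config(interfaces, pools):
    """Return a list of readable problems; an empty list means the layout is sane."""
    problems = []
    nets = {}
    for name, cfg in interfaces.items():
        iface = ipaddress.ip_interface(cfg["network"])
        nets[name] = iface.network
        # Router interfaces on a home UTM should sit in RFC1918 space.
        if not iface.network.is_private:
            problems.append(f"{name}: {iface.network} is not an RFC1918 range")
    # A router needs every interface in its own subnet, otherwise it cannot
    # decide which interface a destination belongs to (the thread's root cause).
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} overlap: {nets[a]} vs {nets[b]}")
    # Each DHCP pool must lie entirely inside the subnet of its own interface.
    for name, (start, end) in pools.items():
        if name not in nets:
            problems.append(f"DHCP pool bound to unknown interface {name}")
            continue
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if hi < lo:
            problems.append(f"{name}: pool end {hi} is below pool start {lo}")
        for label, addr in (("start", lo), ("end", hi)):
            if addr not in nets[name]:
                problems.append(f"{name}: pool {label} {addr} is outside {nets[name]}")
    return problems


if __name__ == "__main__":
    for line in check_config(INTERFACES, DHCP_POOLS) or ["no problems found"]:
        print(line)
```

    Run against the constructed sample it flags only eth2; fixing the pool end to 192.168.2.254 returns an empty list, while giving eth0 and eth2 the same /24 reports an overlap.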

  • I'm a little careful saying this, but I think I've got it working now. Thank you, especially for the pictures, that was a great help!