Help with ESXI and Sophos

Hello everyone,

I am trying to install the UTM on ESXi 6 but I faced some problems which I need help with.

First of all, I have:

One dedicated server with ONE LAN card

One Cisco switch SF200 - managed switch

3 ISP connections

What I want to achieve:

Create load balancing on the ISP connections using the firewall

Apply a speed limit on one of the VLANs - hospital users

Apply another speed limit on another VLAN - guest users

So..

I created three VLANs on the Cisco switch:

VLAN 10 - for the WAN links

VLAN 20 - for hospital users

VLAN 30 - for the guests

And this is my configuration on the ESXi host:

I created three vSwitches on the ESXi with a VLAN tag for each one

and created 4 interfaces for Sophos:

one on the untagged switch for management

one on the VLAN 10 switch for the WAN links

one on the VLAN 20 switch for hospital users - with network 10.10.10.0/24

one on the VLAN 30 switch for guest users - with network 10.10.50.0/24

I could access the web interface via the management interface with no problem.

Now I want to add the VLANs on the Sophos so I can apply rules on each VLAN.

I tried to add the interface directly as "Ethernet" and gave it an IP,

and I could ping it successfully from the domain which I assigned on the same VLAN 10 switch,

but when I deleted the interface and assigned it as "Ethernet VLAN" I couldn't ping it.

So

any ideas about how to configure it properly?

Thanks in advance

  • Hello, the interface from the vSwitch to the VM is untagged, so you don't have to set a VLAN on the UTM VM.

    In the UTM you should have four interfaces, one for each VLAN. Look at "Interfaces & Routing" - Interfaces - Hardware.

    If you want the guest OS to do the VLAN tagging, you must use VLAN ID 4095 on the vSwitch port group (but I think it's not recommended); see http://www.yellow-bricks.com/2010/06/10/vlan-id-4095/

  • Thank you sir for replying.

    I am sorry, I am trying to catch up with you.

    What I understood is that I don't have to create the VLANs on the UTM.

    Is that correct?

    And if it is correct, should I identify the interfaces for the VLANs as "Ethernet", not "Ethernet VLAN"?

    I mean I have now

    eth1, eth2, eth3

    each one of them I assigned to a tagged vSwitch in ESXi to act as default gateway for the VLAN.

    Should I identify them as "Ethernet" from the Sophos web interface?

  • You are correct. "Ethernet" is correct because the vSwitch is doing the VLAN tagging.

    Assign the IP address for each interface in the UTM.

  • Thank you sir,

    you just saved my day.

    I will test it tomorrow and give you feedback.

  • Back again with feedback :)

    I have tried to assign the interface as "Ethernet" just like you said,

    and I could successfully ping the interface from the domain (both of them are in the same VLAN).

    Then I tried to plug a PC into one of the VLAN 20 ports on the Cisco switch,

    and it was supposed to get an IP via the DHCP server on the DC (the DC is acting as DHCP server too),

    but unfortunately it couldn't obtain an IP.

    Any suggestion for this issue?

    P.S.: the DHCP server on the DC is configured correctly; I have tried it before with another firewall and I could obtain an IP address.

  • Unknown said:

    then I tried to plug a PC into one of the VLAN 20 ports on the Cisco switch

    I assume that your VLAN 20 port for the computer is an access port for VLAN 20?

    And your port for the ESX is a trunk port?

    Perhaps you can post your cisco switch config.

  • Yes, they are access ports for VLAN 20, and I am using a trunk port for the ESXi.

    And this is my Cisco switch configuration:

    I am using port range fe1-3 for the WAN VLAN,

    port range fe4-25 for hospital users - 10.10.10.0/24,

    and port range fe26-30 for guest users - 10.10.50.0/24.

    Port Ge2 is a trunk port for the ESXi host,

    and port 47 is a trunk port to manage the ESXi and the Cisco switch.

    And this is a snapshot of my domain to verify that I can ping the firewall interface:

    I also tried to build a Win7 VM for testing and assigned the LAN interface to the hospital switch (VLAN 20) which has the domain controller,

    and DHCP worked fine and I could obtain an IP automatically.
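The rules exchanged in this thread (access port tags the frame, the trunk must carry the VLAN, the port group decides whether the VM sees the tag, and the UTM interface type must match) can be written down as a small model; this is an added example, not code from the posters, Sophos, Cisco or VMware, and the VLAN IDs, port roles and the allowed-VLAN set on the Ge2 trunk are constructed from what the thread states.

```python
# Added example: minimal model of the layer-2 path PC -> Cisco access port ->
# trunk -> ESXi port group -> UTM interface, to check which combination of
# port-group VLAN ID and UTM interface type ("Ethernet" vs "Ethernet VLAN")
# lets a frame through. Values are constructed from the thread, not captured.
from dataclasses import dataclass
from typing import FrozenSet, Optional

VGT = 4095  # ESXi virtual guest tagging: port group passes 802.1Q tags to the VM


@dataclass(frozen=True)
class SwitchPort:
    mode: str                              # "access" or "trunk"
    vlan: int = 1                          # access VLAN (access ports)
    allowed: FrozenSet[int] = frozenset()  # carried VLANs (trunk ports)


@dataclass(frozen=True)
class UtmInterface:
    portgroup_vlan: int                    # VLAN ID set on the vSwitch port group
    utm_vlan: Optional[int] = None         # None = "Ethernet"; int = "Ethernet VLAN <id>"


def frame_reaches_utm(pc_port: SwitchPort, uplink: SwitchPort, utm: UtmInterface) -> bool:
    """True if an untagged frame from a PC on pc_port reaches the UTM interface."""
    if pc_port.mode != "access":
        return False                       # only access-port clients are modelled
    vlan = pc_port.vlan                    # switch tags the frame with the access VLAN
    if uplink.mode != "trunk" or vlan not in uplink.allowed:
        return False                       # trunk to ESXi does not carry this VLAN
    if utm.portgroup_vlan == VGT:
        return utm.utm_vlan == vlan        # tag reaches the VM: needs "Ethernet VLAN <vlan>"
    if utm.portgroup_vlan != vlan:
        return False                       # port group only accepts its own VLAN
    return utm.utm_vlan is None            # vSwitch stripped the tag: needs plain "Ethernet"


def hospital_vlan_report() -> dict:
    """Evaluate the thread's VLAN 20 setup against both UTM interface types."""
    hospital_access = SwitchPort("access", vlan=20)                   # fe4-25
    ge2_trunk = SwitchPort("trunk", allowed=frozenset({10, 20, 30}))  # assumed allowed list
    return {
        "Ethernet on VLAN 20 port group": frame_reaches_utm(hospital_access, ge2_trunk, UtmInterface(20)),
        "Ethernet VLAN 20 on VLAN 20 port group": frame_reaches_utm(hospital_access, ge2_trunk, UtmInterface(20, 20)),
        "Ethernet VLAN 20 on 4095 port group": frame_reaches_utm(hospital_access, ge2_trunk, UtmInterface(VGT, 20)),
        "trunk missing VLAN 20": frame_reaches_utm(
            hospital_access, SwitchPort("trunk", allowed=frozenset({10, 30})), UtmInterface(20)),
    }
```

The second entry reproduces the original poster's failed "Ethernet VLAN" attempt on a tagged port group; the last one is the case to rule out on the trunk when DHCP from the DC does not reach a PC on an access port.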