Need help with handling VLANS and DHCP across multiple interfaces

I have a server running UTM in Hyper V with 3 Interfaces.

Interface 1: Goes to a modem for internet connection

Interface 2: Goes to a Cisco Meraki 220 switch

Interface 3: Virtual switch for other virtual machines running on the server

I split the subnets between interface 2 and interface 3 making the physical switch 192.168.1.X and Interface 3 the Virtual switch 192.168.2.X. Using Sophos to handle DHCP on each interface.

 

I now have a Server on the Physical Network (Int 2) that I want to get a DHCP address from Virtual Network (Int 3).

 

I want to have two subnets, one for personal devices 192.168.1.x and one for a homelab 192.168.2.x. I think the proper way to do this is by setting up two VLANs: VLAN 10 (192.168.1.x) and VLAN 20 (192.168.2.x). I believe I can assign ports on the Meraki switch and route them in the Sophos to do this.

 

I tried to set the port on the Meraki switch to an access port tagged VLAN 20, and set up a VLAN Interface on the Sophos Router to route the traffic to the virtual network. Although I still can't get it to see the 192.168.2.X DHCP server.

 

I think what I want to do is assign IPs based on VLAN tag not interface. It shouldn't matter if a device is on the virtual switch or the physical. I can tag the port with a VLAN and Sophos will then assign the correct IP from the subnet for that VLAN.

 



  • Hey Kevin

     

    I'm having trouble understanding your scenario. Walk me through it so I can try to help you.

     

    Are you running Sophos UTM as a VM on this Hyper-V host? If so, I take it that:

    Interface 1 is a virtual switch bound to a physical interface connected to your ISP modem. Let's call it virtual switch 1.

    Interface 2 is a virtual switch bound to a physical interface connected to your Meraki switch. Let's call it virtual switch 2.

    Interface 3: is this a virtual switch bound to a physical interface or is this an internal virtual switch? Let's call it virtual switch 3.

     

    Assuming your Sophos UTM is a VM on this host, I take it you have three interfaces on it:

    WAN, which is bound to virtual switch 1

    LAN 1, which is bound to virtual switch 2 with an IP on subnet 192.168.1.0/24. 

    LAN 2, which is bound to virtual switch 3 with an IP on subnet 192.168.2.0/24. 

     

    Is this right so far?

     

    Regards,

    Giovani

  • Yes this is all correct.

     

    Interface 3 is an internal virtual switch. It currently handles traffic from all of the VMs on the Hyper-V host.

  • OK, so this will never work. An internal virtual switch will never communicate with anything outside the hypervisor. My suggestion is:

    - Bind your VMs to virtual switch 2 and tag it with VLAN 20, as the example below. The VLAN on the screenshot is different, but the concept is the same:

    - Change the switch port on which interface 2 is connected to mode trunk, which would allow tagged and untagged traffic through, and allow tagged VLAN 20 traffic through this port.

    - Change the switch port on which the other physical server is connected to untagged VLAN 20.

    You don't need to tag the VLANs inside the VMs, as you are doing it on the hypervisor, so keep your UTM interface for LAN 192.168.2.0/24 as a default, non VLAN, interface.

     

    That way your default VLAN would handle 192.168.1.0/24 and tagged VLAN 20 would handle 192.168.2.0/24. For any new devices you wish to add to your LAB subnet you just set it to use VLAN 20, either by tagging the VLAN on Hyper-V interface for virtual devices or on the switch port for physical devices.

    Regards,

    Giovani

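The hypervisor-side part of the suggestion above (bind the lab VMs to virtual switch 2 and tag their adapters with VLAN 20, leaving the guests untagged) as an added PowerShell example. This is not code from the thread or from Sophos; it runs on the Hyper-V host. The switch name, VM names and the UTM adapter name are assumptions, and moving the UTM's 192.168.2.0/24 adapter onto virtual switch 2 with the same access tag is my reading of "keep your UTM interface ... as a default, non VLAN, interface".

```powershell
# Added example, not from the original thread. Run on the Hyper-V host.
# All names below are assumptions; adjust them to your environment.
$LabSwitch = 'vSwitch2'                    # external vSwitch bound to the NIC facing the Meraki
$LabVlanId = 20                            # VLAN carrying 192.168.2.0/24
$LabVMs    = @('lab-vm-01', 'lab-vm-02')   # constructed lab VM names
$UtmVM     = 'sophos-utm'                  # UTM VM name (assumption)
$UtmLabNic = 'LAN2'                        # UTM vNIC that serves 192.168.2.0/24 (assumption)

function Set-LabVlanAccess {
    param(
        [Parameter(Mandatory)] [string] $VMName,
        [string] $AdapterName,             # needed when the VM has several vNICs (the UTM does)
        [string] $SwitchName = $LabSwitch,
        [int]    $VlanId     = $LabVlanId
    )
    $nic = if ($AdapterName) {
        Get-VMNetworkAdapter -VMName $VMName -Name $AdapterName
    } else {
        Get-VMNetworkAdapter -VMName $VMName | Select-Object -First 1
    }
    # Move the adapter off the internal switch and onto the external one,
    # so its frames can actually reach the physical Meraki switch.
    Connect-VMNetworkAdapter -VMNetworkAdapter $nic -SwitchName $SwitchName
    # Access mode: the guest keeps sending untagged frames; the hypervisor
    # inserts tag 20 on egress and strips it on ingress. Nothing changes
    # inside the guest, which is why no VLAN interface is needed in the UTM.
    Set-VMNetworkAdapterVlan -VMNetworkAdapter $nic -Access -VlanId $VlanId
}

function Test-LabVlanAccess {
    # Returns $true only if the adapter is in access mode on the expected VLAN.
    param([Parameter(Mandatory)] [string] $VMName, [string] $AdapterName, [int] $VlanId = $LabVlanId)
    $nic = if ($AdapterName) {
        Get-VMNetworkAdapter -VMName $VMName -Name $AdapterName
    } else {
        Get-VMNetworkAdapter -VMName $VMName | Select-Object -First 1
    }
    $vlan = Get-VMNetworkAdapterVlan -VMNetworkAdapter $nic
    return ($vlan.OperationMode -eq 'Access' -and $vlan.AccessVlanId -eq $VlanId)
}

foreach ($vm in $LabVMs) { Set-LabVlanAccess -VMName $vm }
Set-LabVlanAccess -VMName $UtmVM -AdapterName $UtmLabNic

# Show the resulting mode and VLAN for every adapter touched above.
Get-VMNetworkAdapterVlan -VMName ($LabVMs + $UtmVM)
foreach ($vm in $LabVMs) {
    "{0}: VLAN {1} access mode = {2}" -f $vm, $LabVlanId, (Test-LabVlanAccess -VMName $vm)
}
```

The two switch-side steps stay in the Meraki dashboard: the port facing the host's virtual switch 2 NIC becomes a trunk that carries untagged traffic plus tagged VLAN 20, and the port for the physical server becomes an access port in VLAN 20. Until both are set, `Test-LabVlanAccess` can report `$true` while the physical server still sees no DHCP offers, because the tag is added on the host but dropped at the switch.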
  • Since interface 3 on Sophos is connected to the internal virtual switch I am able to route traffic to the 192.168.2.0/24 network. I currently have a policy that allows all traffic between the two interfaces and it is working.

     

    Are you saying that there is no way to route a VLAN from the physical to the internal interface?

    How does what you are suggesting affect bandwidth? My internal switch is 10G; wouldn't binding to the 1G interface limit me to 1Gbps?

    Would VM to VM traffic go across the interface and back instead of just staying inside the Hyper-V host and never hitting a physical interface?

     

    I attached some screenshots not sure if they help clarify anything.

     

    Thanks for your help so far.

     

  • From what I understand, what you are trying to achieve is to have your virtual and physical servers on the same network. That's layer 2 and can only be achieved with all servers connecting to the same switch. As you already noticed, you can have your physical server on another network and be able to reach your virtual servers by routing the communication through UTM. But that puts extra burden on your UTM as it would have to do all the routing between your servers. Also, you cannot have DHCP packets traversing a router, so DHCP is a no-no under this scenario. Even if you were able to get DHCP working it would be useless for what you are trying to achieve, as the 192.168.2.0/24 is an isolated subnet since you are using an internal switch. AFAIK, the only way to achieve what you are asking is putting your server on the same VLAN through a physical interface, as I suggested.

    To answer your questions:

    "How does what you are suggesting affect bandwidth? my internal switch is 10G wouldn't binding to the 1G interface limit me to 1Gbps?"

    No, the virtual interface should still report and use the full speed of the virtual switch. No traffic should leave the virtual switch for communications between VMs. 

    "Would vm to vm traffic go across the interface and back instead of just staying inside the hyper-V host and never hitting a physical interface?"

    No traffic should leave the virtual switch for communications between VMs. 

    Regards,

    Giovani

  • Thanks for the explanation. This helps a lot. I will try out what you suggested and see how it works.

  • I am trying to make this work and not sure if I know what you mean here: "so keep your UTM interface for LAN 192.168.2.0/24 as a default, non VLAN, interface."

     

    Wouldn't I need to create a VLAN interface so that I can have DHCP assign IP addresses in the 192.168.2.0/24 range to machines in VLAN 20?

    Also what would I need to do to route traffic between the two VLANs? I have routes set up and a firewall rule in place, but I can't RDP from 192.168.1.0/24 to 192.168.2.0/24.

     

    Thanks for the help.

     

  • "Wouldn't I need to create a vlan interface so that i can have dhcp assign IP addresses in the 192.168.2.0/24 range to machines in VLAN 20?"

    Not if you are tagging the VLAN on the virtual network adapter at the hypervisor, as I suggested. When you do that all traffic passing in that virtual interface will be tagged. If you want to tag the VLAN inside the guest, you need to allow VLAN tags to pass through the virtual switch by using Set-VMNetworkAdapterVlan in PowerShell. But it only makes sense if you plan on passing more than one VLAN from inside the guest. Here is some interesting reading on the subject.

    "Also what would I need to do to route traffic between the two VLANs?  I have routes set up and a firewall rule in place, but I can't RDP from 192.168.1.0/24 to 192.168.2.0/24."

    It changes nothing. You previously said that you had a policy allowing both subnets to communicate and it was working. It should still be working, as long as your UTM is able to communicate with your virtual and physical servers in VLAN 20. Check if your physical and virtual servers can reach the UTM first.

    Regards,

    Giovani

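The alternative the reply above mentions, letting the guest tag VLANs itself, means switching the vNIC from access mode to trunk mode with `Set-VMNetworkAdapterVlan`. Added PowerShell example, not from the thread or from Sophos, run on the Hyper-V host; the VM name and VLAN list are constructed. It also shows the reverse operation, which is the quickest way back to the untagged default if guest-side tagging turns out not to be needed.

```powershell
# Added example, not from the original thread. Run on the Hyper-V host.
$VMName       = 'lab-vm-01'   # constructed VM name
$AllowedVlans = @(10, 20)     # VLANs the guest is allowed to tag itself
$NativeVlan   = 0             # 0: untagged frames from the guest are passed untagged

function Set-GuestTaggedTrunk {
    # Trunk mode: frames the guest tags with an allowed VLAN id pass through the
    # virtual switch unchanged; the guest must then configure its own tagged
    # sub-interfaces (one per VLAN) instead of relying on a hypervisor tag.
    param(
        [Parameter(Mandatory)] [string] $VMName,
        [Parameter(Mandatory)] [int[]]  $AllowedVlans,
        [int] $NativeVlan = 0
    )
    $nic = Get-VMNetworkAdapter -VMName $VMName | Select-Object -First 1
    Set-VMNetworkAdapterVlan -VMNetworkAdapter $nic -Trunk `
        -AllowedVlanIdList ($AllowedVlans -join ',') -NativeVlanId $NativeVlan
    # Return the applied setting so the caller can confirm mode and VLAN list.
    Get-VMNetworkAdapterVlan -VMNetworkAdapter $nic
}

function Reset-GuestUntagged {
    # Back to the default: no hypervisor tag, and guest-supplied tags are dropped.
    param([Parameter(Mandatory)] [string] $VMName)
    $nic = Get-VMNetworkAdapter -VMName $VMName | Select-Object -First 1
    Set-VMNetworkAdapterVlan -VMNetworkAdapter $nic -Untagged
    Get-VMNetworkAdapterVlan -VMNetworkAdapter $nic
}

$setting = Set-GuestTaggedTrunk -VMName $VMName -AllowedVlans $AllowedVlans -NativeVlan $NativeVlan
"{0}: mode={1} allowed={2} native={3}" -f $VMName, $setting.OperationMode,
    ($setting.AllowedVlanIdList -join ','), $setting.NativeVlanId
# Expected mode after the call: Trunk. Use Reset-GuestUntagged -VMName $VMName to undo.
```

Trunk mode only helps when one guest genuinely needs to sit in several VLANs at once. For the single lab VLAN discussed in this thread the access-mode tag on the hypervisor is simpler and, as the reply says, leaves the UTM's 192.168.2.0/24 interface as a plain non-VLAN interface.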