Sophos UTM 9 and layer 3 switch, what's the best way of doing it

Hi everyone, I've been using Sophos UTM 9 and my L3 switch (D-Link DGS-1510) that I only bought for connecting my workstation to my NAS via 10Gbit SFP+. Everything is working fine as my setup is very straightforward:

Sophos acts as a gateway, handles the dhcp of the network and gives the network internet access via the ISP modem

The D-Link switch didn't do any of what L2 or L3 switches are made for, as it was only used as a switch connecting all the devices of my network.

As I'm about to move into a new house and as I will be implementing a new server, video surveillance and IP phones on the network, I decided to dig deeper and did some research.

 

Here is what I think my new setup will be like:

VLAN 1 Freenas, Workstations, Home wifi and so on

VLAN 10 Guest WIFI

VLAN 20 Video surveillance

VLAN 99 MGT

VLAN 150 ip phone

 

Sophos ---> Gateway and firewall of the network --> ISP modem --> Internet

D-Link switch ---> L3 switch will handle VLANs and the routing in case I wanted some VLANs to communicate with each other

 

Now is this a good way of doing things?

Do I have to setup a trunk between the router and the switch?

Does the Sophos have to be the gateway, or can it just be a firewall and provide me VPN etc.?

 

Thanks a lot for helping me figure it out



  • Hey Andrea.

    Stick with Louis' suggestion and keep things simple. Sophos UTM in front of every VLAN with a VLAN interface and subnet to each network. UTM will create the routes between VLANs automatically as long as you have an interface on each VLAN, but will block all traffic by default. That way you can control what will be accessible between VLANs using firewall rules to explicitly allow ports/services/protocols between networks or specific IPs.

    Bear in mind that the speed of the communication between VLANs would depend on your UTM routing capacity, though. If you need some super fast communication (like that 10Gb NAS you mentioned) between VLANs, then using your switch's L3 capabilities might be a better idea.

    Regards,

    Giovani

  • giomoda said:

    Hey Andrea.

    Stick with Louis' suggestion and keep things simple. Sophos UTM in front of every VLAN with a VLAN interface and subnet to each network. UTM will create the routes between VLANs automatically as long as you have an interface on each VLAN, but will block all traffic by default. That way you can control what will be accessible between VLANs using firewall rules to explicitly allow ports/services/protocols between networks or specific IPs.

    Bear in mind that the speed of the communication between VLANs would depend on your UTM routing capacity, though. If you need some super fast communication (like that 10Gb NAS you mentioned) between VLANs, then using your switch's L3 capabilities might be a better idea.

    Regards,

    Giovani

     

    Hi, will this actually affect transfer speed? I mean, if both the NAS and the workstation are connected to the switch via 10Gbit, but the Sophos which is doing the routing is connected to the switch via 1Gbit Ethernet, will that create a 1Gbit bottleneck on the bandwidth between ports, or is it just something you don't really notice in everyday use?

    Thank you very much

  • If the workstation and NAS are on the same VLAN, UTM will not touch this, as this would be a layer 2 communication and would never traverse UTM. But if a device from another VLAN accesses your NAS, then the speed will be the routing speed from the UTM which would be, in the best case scenario, the speed from the UTM's network interface. It's just a heads up in case you are thinking of accessing your NAS from a device on another VLAN.

    As for your previous question:

    "Then how can i make the sophos only accessible from the 192.168.99.1 ip address and not from all the vlans?"

    Do you mean management? If so, you can achieve that by limiting webadmin management at Management > Webadmin Settings > General > Allowed Networks. Create a network object with type host and IP 192.168.99.1 there and remove "Any". Just be careful not to lock yourself out, by making sure you are already accessing UTM through the management VLAN and IP. =)

    In case you enabled shell access, do the same at Management > System settings > Shell access > Allowed Networks


    "Also, could I make 1 or 2 IP addresses access all the VLANs without having the VLANs communicating? If so, how: routing? firewall?"

    As long as you have a UTM interface on each VLAN, UTM will automatically create routing between VLANs, but will allow nothing unless you create a firewall rule allowing traffic. So, for example, under Network Protection > Firewall you could create a rule:

     

    Sources: IP1, IP2

    Services: Any

    Destination: Interface Networks Objects for VLAN 1, 10, 20, 30, 99, 150

    Action: Allow

     

    That would allow IP1 and IP2 to access every device on other VLAN subnets. Since UTM is a stateful firewall, you don't need to create rules allowing traffic back from the VLANs to those IPs, the above rule would suffice as long as the traffic is originated from IP1 or IP2.

     

    Edit: I recommend reading Rulz for some best practices and the most common questions/issues you might have while setting up this environment. You are leaving a fairly simple configuration and adding some complexity, so this reading would definitely help you.

     

    Regards,

    Giovani

  • Thank you very much indeed, everything is becoming more and more clear and I will definitely read what you recommended, can't wait to mess with the actual switch and router.
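To make the behaviour Giovani describes concrete (default deny between VLANs, one explicit allow rule for IP1/IP2, stateful return traffic, and same-VLAN traffic never reaching the UTM), here is a small policy model written for this thread; it is not Sophos code, and the subnets, the two admin host addresses and the rule set are constructed assumptions.

```python
"""Added example (not from the thread or from Sophos): a toy model of the
default-deny, stateful inter-VLAN policy described above, to check which
flows Giovani's example rule actually permits."""
from ipaddress import ip_address, ip_network

# Constructed lab addressing for the VLANs named in the thread (assumption).
VLAN_NETS = {
    1: ip_network("192.168.1.0/24"),
    10: ip_network("192.168.10.0/24"),
    20: ip_network("192.168.20.0/24"),
    99: ip_network("192.168.99.0/24"),
    150: ip_network("192.168.150.0/24"),
}
# The two hosts the rule names as IP1 and IP2 (constructed values).
ADMIN_HOSTS = {ip_address("192.168.99.10"), ip_address("192.168.1.50")}

# Evaluated top-down, first match wins; no match falls through to drop.
RULES = [
    {"src_hosts": ADMIN_HOSTS, "dst_vlans": {1, 10, 20, 99, 150}, "action": "allow"},
]


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.state = set()  # established 5-tuples, consulted for return traffic

    def vlan_of(self, ip):
        for vid, net in VLAN_NETS.items():
            if ip in net:
                return vid
        return None

    def check(self, src, dst, proto, sport, dport):
        src, dst = ip_address(src), ip_address(dst)
        # Same VLAN: layer-2 forwarding on the switch, the UTM never sees it.
        if self.vlan_of(src) == self.vlan_of(dst):
            return "l2-bypass"
        # Reply to a connection the allow rule already admitted.
        if (dst, src, proto, dport, sport) in self.state:
            return "allow-established"
        for r in self.rules:
            if src in r["src_hosts"] and self.vlan_of(dst) in r["dst_vlans"]:
                if r["action"] == "allow":
                    self.state.add((src, dst, proto, sport, dport))
                return r["action"]
        return "drop"  # default: nothing crosses VLANs without an explicit rule
```

A device in VLAN 20 can answer a session that IP1 opened, but cannot open its own session towards IP1 or anything else outside its VLAN, which is the asymmetry the single allow rule buys you.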
