Need advice on static routing

Hi there,

During the installation of Sophos UTM I chose an IP address for the internal interface from the VLAN-1 network (172.16.0.2) and the IP address for the WAN interface (123.136.3.22), which was given to us by our ISP. Please refer to the diagram below.

Right now computers from VLAN-1 (172.16.0.0/16) can browse Internet through Sophos UTM.

We also have two additional VLANs for wireless computers.

Could you please advise on what exactly needs to be added in Sophos UTM so that the users from the wireless networks (VLAN-2 and VLAN-3) can browse the Internet too?

I would assume that static routes need to be added in Sophos UTM. I am a bit confused by the route type option: interface or gateway route? I have no idea what a blackhole route is, so I might not need to use it for my topology.

Besides the static route, do I need to create any firewall rules, NAT or masquerading rules?

My Sophos UTM has a few spare interfaces. Would you recommend creating new dedicated interfaces for VLAN-2 and VLAN-3?

Thanks in advance.

  • Hi Leon,

    Three things need to be configured:

    1. Firewall Rule - VLAN 1, VLAN 2, VLAN 3 > ANY > WAN

    2. NAT-Masq rule - VLAN 1, VLAN 2, VLAN 3 > External (WAN Address)

    3. VLAN 1, VLAN 2, VLAN 3 in Allowed Networks in the DNS global settings

    If Web Protection is enabled then do not forget to add the new VLAN networks to the Allowed Networks there too.

    Hope that helps :)

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Thank you Sachingurung for your help.

    1. Firewall rule.

    During the initial setup of Sophos UTM, the wizard automatically created the following firewall rule:

    Sources                        Services                                      Destinations
    Web Access Network Group       Web Surfing Group                             Any
    (Internal Network)             (HTTP, HTTP Proxy, HTTP WebCache, HTTPS)

    I have created two new network definition objects. One is for wireless VLAN-2 and the other for wireless VLAN-3.

    Now, I need to create similar rules as above for wireless network VLAN-2 and wireless network VLAN-3. Would it be easier just to add the VLAN-2 and VLAN-3 network definition objects to the source of the existing rule? Did I choose the interface for VLAN-2 correctly? Or does it need to be External (WAN)?

    2. NAT-Masq rule.

    This masquerading rule was created automatically during initial installation of Sophos UTM:

    As sachingurung suggested, I need to create two additional masquerading rules for VLAN-2 and VLAN-3. One of them (in the red square box) will look like this:

    3. Allowed Networks in the DNS global settings

    Is this what needs to be done? Haven't put the other VLAN-3 there just yet.

    4. Web Protection

    We will be using web filtering, so I guess VLAN2 and VLAN3 will need to be added to the Allowed Networks list.

    I am pretty sure we used to have static route entries for 192.168.0.0/16 and 172.16.0.0/16 on our old firewall. I am a bit surprised that Sachingurung didn't say anything about that. So, just to be 100% sure, do we need to add static routes in Sophos or not?

    Thanks again for your help. 

  • Hi Leon,

    Static routing is only required if the UTM does not have a direct connection (via an interface/VLAN) to a subnet that would talk through it. It's known as subnet awareness: if a subnet is on the other side of a core router you will need to tell the UTM via a static route to go to the core router to get to that subnet.

    Because your VLANs are directly attached to the UTM via a trunk you will not require static routes, as it will be subnet aware.

    A bit of advice on the host definitions: don't bind definitions to interfaces, as this can cause a major headache to debug if you have routing issues :)

    Hope that helps

    Emile

  • Thank you Emile very much for such a clear and logical explanation.

    In my case the VLANs are not directly attached to the UTM via a trunk. Actually, the UTM is just "plugged" into a core switch on a port belonging to VLAN-1 (172.16.0.0/16). Obviously, the UTM doesn't see any traffic coming from VLAN2 and VLAN3. To fix the problem, the port on the core switch (where the UTM is plugged in) needs to be reconfigured as a trunk link, right? Or, if we can't do anything on the core switch, do we need to create explicit static routes for 192.68.0.0/16 and 172.16.0.0/16 on the UTM?

    As I have mentioned before, my UTM has extra physical interfaces which I can use for VLAN-1 and VLAN-2. Would you recommend doing this? Or is this overkill and not necessary?

    To Emile: Sorry for a newbie question. What do you mean by saying "don't bind definitions to interfaces"? Should I choose <<Any>> instead of Internal or External interface option?

    Thanks again for all your help

  • Hi Leon,

    In answer to your first question, I would rather set up the core switch to trunk directly to the UTM, because this means you can do cool management and cross-subnet protection: the core switch will pass cross-subnet traffic through the UTM, and the UTM will actually manage and scan the cross-subnet traffic using IPS (if you do this, remember to create firewall rules). If you don't have the VLANs trunked via the switch to the UTM and the switch is responsible for the cross-VLAN/subnet traffic, then yes, you will have to set static gateway routes for all of the VLAN subnets (or one route with the VLAN subnets grouped in a network group) with the target gateway as the core switch.

    You don't have to untag the traffic and pass it to the UTM from the core switch via separate cables, but you can if you'd like. If you trunk them from the core switch to the UTM, you can just create extra virtual VLAN interfaces by going to Interfaces & Routing > Interfaces > New Interface of type Ethernet VLAN and putting the tag ID there.

    When creating network definitions under Definitions & Users > Network Definitions > Editing a Definition, you have already seen the advanced subsection which has the option to bind the definition to an interface. I really advise, unless absolutely necessary, never to do that, because it causes massive headaches when trying to debug. The only time I can foresee it ever being used is if you have potential subnet overlap and you need to bind the definitions so that communications for that definition will go out via a specific interface (it effectively creates an Interface Route). I was burnt by this when a customer called me up with their entire network broken because some bright spark had accidentally bound the definition of the local subnet to the WAN interface. I only worked it out because the firewall log had the WAN interface's MAC address as the source, not the local interface's!

    Hope that makes sense!

    Emile
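To make Emile's two points concrete (directly attached VLANs are "subnet aware" and need no static route; VLANs behind a core switch need a static gateway route pointing at that switch), here is an added example that is not part of the thread and not Sophos code: a small Python model of a router's forwarding table with longest-prefix lookup. It reuses the page's 172.16.0.2/16 internal address and 123.136.3.22 WAN address; the /30 WAN mask, the ISP gateway 123.136.3.21, the VLAN-2/VLAN-3 subnets (192.168.2.0/24, 192.168.3.0/24), the sub-interface names and the core switch address 172.16.0.1 are constructed placeholders. The point it shows is the failure mode: with the UTM on a VLAN-1 access port and no static routes, reply traffic for VLAN-2 follows the default route out of the WAN interface instead of going back to the core switch.

```python
"""Model of how a router such as the UTM picks a next hop.

Added example for this thread; not Sophos code. Only 172.16.0.2/16 and
123.136.3.22 come from the thread; every other address, mask and interface
name below is a constructed placeholder.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    gateway: Optional[ipaddress.IPv4Address] = None  # None = directly connected

    @property
    def kind(self) -> str:
        return "connected" if self.gateway is None else "static-gateway"


@dataclass
class RoutingTable:
    routes: list = field(default_factory=list)

    def add_interface(self, name: str, cidr: str) -> None:
        # Giving an interface an address makes its whole subnet "directly
        # connected": this is the subnet awareness Emile describes.
        iface = ipaddress.ip_interface(cidr)
        self.routes.append(Route(iface.network, name))

    def add_static(self, cidr: str, gateway: str) -> None:
        # A gateway route is only usable if the gateway itself sits on a
        # directly connected subnet (the UTM must be able to ARP for it).
        net = ipaddress.ip_network(cidr)
        gw = ipaddress.ip_address(gateway)
        via = self.lookup(gw)
        if via is None or via.kind != "connected":
            raise ValueError(f"gateway {gw} is not on a directly connected subnet")
        self.routes.append(Route(net, via.interface, gw))

    def lookup(self, ip) -> Optional[Route]:
        ip = ipaddress.ip_address(ip)
        candidates = [r for r in self.routes if ip in r.prefix]
        if not candidates:
            return None
        return max(candidates, key=lambda r: r.prefix.prefixlen)  # longest prefix wins


def build_trunked() -> RoutingTable:
    """VLANs trunked to the UTM: one VLAN sub-interface per VLAN, all connected."""
    rt = RoutingTable()
    rt.add_interface("eth1", "123.136.3.22/30")   # WAN (address from thread, /30 assumed)
    rt.add_interface("eth0", "172.16.0.2/16")     # VLAN-1 (from thread)
    rt.add_interface("eth0.2", "192.168.2.1/24")  # VLAN-2 sub-interface (constructed)
    rt.add_interface("eth0.3", "192.168.3.1/24")  # VLAN-3 sub-interface (constructed)
    rt.add_static("0.0.0.0/0", "123.136.3.21")    # default route to ISP (constructed)
    return rt


def build_access_port(with_static_routes: bool) -> RoutingTable:
    """UTM on a VLAN-1 access port only; VLAN-2/3 live behind the core switch."""
    rt = RoutingTable()
    rt.add_interface("eth1", "123.136.3.22/30")
    rt.add_interface("eth0", "172.16.0.2/16")
    rt.add_static("0.0.0.0/0", "123.136.3.21")
    if with_static_routes:
        # Static gateway routes with the core switch's VLAN-1 address as target
        # (constructed), exactly what Emile prescribes for the non-trunked case.
        rt.add_static("192.168.2.0/24", "172.16.0.1")
        rt.add_static("192.168.3.0/24", "172.16.0.1")
    return rt


def next_hop(rt: RoutingTable, dst: str) -> tuple:
    """Return (egress interface, gateway) for dst; gateway is None when direct."""
    r = rt.lookup(dst)
    if r is None:
        return ("unreachable", None)
    return (r.interface, None if r.gateway is None else str(r.gateway))


def can_add_static(rt: RoutingTable, cidr: str, gateway: str) -> bool:
    """True if the gateway is reachable on a connected subnet, else False."""
    try:
        rt.add_static(cidr, gateway)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for label, rt in (("trunked", build_trunked()),
                      ("access port, no static routes", build_access_port(False)),
                      ("access port, static routes", build_access_port(True))):
        print(f"{label:32} -> 192.168.2.10 via {next_hop(rt, '192.168.2.10')}")
```

Running the block prints one line per topology; the middle one is the misconfiguration Leon would hit: the packet for VLAN-2 leaves via eth1 towards the ISP, which is why an access-port design needs the static gateway routes (or, better, the trunk) before the firewall and masquerading rules from the first answer can do anything for VLAN-2 and VLAN-3.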

  • In your very first picture you bound the Teachers VLAN2 to the internal interface (you even marked it red). That's what Emile means by "do not do this unless really necessary".

    Furthermore, you are using VLAN1; this could be a problem, since VLAN1 is reserved in UTM for wireless traffic. Try not to use tagged VLAN1 but, if possible, use a separate interface on the UTM so you don't need to have a VLAN1; otherwise I advise you to change VLAN1 to something different.

    I would also (just as Emile explained) try to connect all three subnets to the UTM directly and have the UTM route the traffic between the VLANs. If not, then just add a static route to the other VLANs and use the VLAN switch as its gateway.


    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.