
VLAN gets IP but no internet or connection to other VLAN

Hi All,

Since this week I am using the following setup.
UTM FW --> UniFi switch --> UniFi AP.

Eth0 is WAN
Eth1 is LAN (192.168.1.1/24 DHCP)

Both are configured as type ethernet. Everything is working fine.
With my new setup I want to have a guest VLAN, so I created an Ethernet VLAN on ETH1: VLAN 20, dynamic IPv4 turned off, IP range 192.168.5.1.
I created a DHCP server for the range and that is that.

On my UniFi controller I created a VLAN-only network and an SSID that uses VLAN 20.
On my UniFi switch, port 1 is connected to ETH1 and port 5 is connected to my AP.

Both switch port profiles are set to "all", so they act as trunk ports.
If I connect my mobile phone to the guest wifi I get an IP address from the DHCP server and I can see the lease on the UTM, and that's about it. I can't connect to the internet and I can't connect to my other devices which are connected to the LAN.
If I connect my mobile phone to my normal home wifi SSID I have internet and I can see all the devices in the IP range 192.168.1.1/24. The other SSIDs don't use a VLAN tag because ETH1 is not a VLAN.

I configured a FW rule Guest VLAN NETWORK --> ANY --> EXTERNAL and I even tried ANY but I can't seem to get it going.
What am I doing wrong?



  • For internet to work you need a Masquerading rule for VLAN20 => External 

    If you want to enable VLAN20 to connect to your LAN and/or vice versa you need FW rules to allow the traffic (but I don't see why you would want a guest VLAN to have access to the normal LAN).


    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • I made a Masq rule but I still can't access the internet: 

    I tried to ping my default GW after I get an IP address and about 80-90% is getting lost, so my guess is something on my switches goes wrong.

  • I'm afraid I have no experience with UniFi devices. All in all you should have the right configuration in your switches.

    Since your UTM has Eth1 for both untagged traffic (the normal traffic there always was) and tagged traffic (the new Guest VLAN), at least the VLANs 5 and (probably 1 for untagged traffic) should be in the trunk (beware though that VLAN 1 is reserved in UTM, so you cannot use it tagged!).

    I think your AP itself is untagged (management) and only the SSID is tagged. In that case you should also configure the default VLAN for untagged traffic in the switch.



  • Ok, the issue has been solved and was an SSID setting in the UniFi.

    I can now move on to the next issue :-) My FW rule says Guest VLAN -- Any -- Internal will be dropped/rejected (tried both) but I can still connect to my normal LAN.

  • Probably due to web filtering (I guess you can reach internal web servers). If that is the case then you need to make adjustments. You could ask Balfson who maintains a document how to setup web filtering with a guest network that shouldn't be allowed to reach the normal LAN.



  • Hi Apijnappels,


    No, I'm not using web filtering (yet), but I figured it out. It was a conflicting FW record and now everything is working as expected :-)

    Thank you for all your help!
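
The two points the thread turns on, the masquerading rule the first reply asks for and the "conflicting FW record" that let guest traffic into the LAN despite a drop rule, modelled as a small first-match rule evaluator. This is an added example, not code from the thread or from Sophos; the networks, interface names and rule order are constructed assumptions that mirror the setup described above.

```python
import ipaddress

# Constructed to match the thread: LAN untagged on eth1, guest VLAN 20 on eth1, WAN on eth0.
INTERNAL = ipaddress.ip_network("192.168.1.0/24")
GUEST_VLAN20 = ipaddress.ip_network("192.168.5.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

def first_match(rules, src, dst):
    """Top-down, first-match evaluation as on the UTM. rules is a list of
    (source_net, destination_net, action); unmatched traffic hits the implicit drop."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, (src_net, dst_net, action) in enumerate(rules):
        if s in src_net and d in dst_net:
            return idx, action
    return None, "drop"

def shadowing_rules(rules, idx):
    """Indices of earlier rules whose source and destination fully cover rule idx,
    so rule idx can never fire: the 'conflicting FW record' from the thread."""
    src_net, dst_net, _ = rules[idx]
    return [j for j in range(idx)
            if src_net.subnet_of(rules[j][0]) and dst_net.subnet_of(rules[j][1])]

def masquerade_interface(masq_rules, src):
    """Interface whose address replaces src on egress, or None when no masquerading
    rule covers src (replies to a private source address then never come back)."""
    s = ipaddress.ip_address(src)
    for net, iface in masq_rules:
        if s in net:
            return iface
    return None

if __name__ == "__main__":
    # A broad allow above the guest drop: the drop is shadowed, guests reach the LAN.
    conflicting = [(ANY, INTERNAL, "allow"),
                   (GUEST_VLAN20, INTERNAL, "drop"),
                   (GUEST_VLAN20, ANY, "allow")]
    print(first_match(conflicting, "192.168.5.10", "192.168.1.50"))  # (0, 'allow')
    print(shadowing_rules(conflicting, 1))                           # [0]
    # Guest drop first, then guest -> any allow: LAN blocked, internet permitted.
    fixed = [(GUEST_VLAN20, INTERNAL, "drop"), (GUEST_VLAN20, ANY, "allow")]
    print(first_match(fixed, "192.168.5.10", "192.168.1.50"))  # (0, 'drop')
    print(first_match(fixed, "192.168.5.10", "203.0.113.7"))   # (1, 'allow')
    # Without a masquerading rule for VLAN 20, guest traffic leaves eth0 un-NATed.
    print(masquerade_interface([(INTERNAL, "eth0")], "192.168.5.10"))                        # None
    print(masquerade_interface([(INTERNAL, "eth0"), (GUEST_VLAN20, "eth0")], "192.168.5.10"))  # eth0
```

Running `shadowing_rules` over each drop rule in a rule set is a quick way to spot the ordering problem before testing from a guest client.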