I have a Sophos UTM 110 with devices connected to eth0, eth2 and eth3. The devices are configured to use VLAN 13. I found that I had to bridge eth0, eth2 and eth3 in order to allow the devices connected to those interfaces communicate using VLAN 13.
Note that the devices are hypervisors (ESXi) and virtual machines running inside of them will be communicating on a different VLAN. This allows me to use the ESXi servers for a security testing without worrying that the malicious software can undermine my ESXi hosts, or other virtual machines hosting web sites etc.
So here's the steps I took:
[LIST=1]
- Got the Sophos UTM 110 device (aka router)
- Configured public IPv4 address and verified I can connect to WebAdmin over eth1.
- Bridged eth0, eth2 and eth3
- Configured a VLAN 13 on br0, named Orion (aka the Constellation)
- Configured L2TP VPN
- Added firewall rule to allow all traffic from VPN Pool (L2TP) to the Orion Network (aka VLAN 13)
- Defined a DHCP server for the Orion Network (aka VLAN 13)
- Connected servers to router configured to use DHCP and VLAN 13.
- Servers reporting DHCP errors, sometimes getting an IP, but often reporting issues.
- Configured server to use static IP addresses 172.16.13.2, 172.16.13.3 and 172.16.13.4.
- Verify connection works by pining each server from router. This was done in parallel. Everything seemed ok.
- At home configure L2TP VPN on OS X 10.8.3.
- Connect to Sophos UTM 110 using VPN on OS X from home.
- Connect to servers over VPN from home. Intermittent issues; connection timeouts and disconnected when working on multiple machines at the same time.
- Open three terminal windows in OS X 10.8.3 and ping 172.16.13.2, 172.16.13.3 and 172.16.13.4 in parallel. Seems I can only ping to one device at a time, the other time out [Request timeout for icmp_seq 739]. Leaving it running for a while indicates that if ping works for one server, it fails for the other two. Every now and then, ping will start working for another server and then timeout on the one where it worked.
- SSH into each server (problematic due to intermitted disconnects)
- From within the SSH session, ping another server. Ping fails.
- From within the SSH session, ping router. Ping succeeds.
At this stage, no traffic to the internet is permitted, so I didn't even bother to ping Google or another external site.
Questions:
[LIST=1]
- Is creating a bridge to support a VLAN across eth0, eth2 and eth3 the right way to do this? It would have been easier if I could just specify the "Orion Network" to be spanning eth0, eth2 and eth3 like some other routers. But it doesn't seem to be possible using Sophos UTM.
- If creating a bridge is the right way to achieve this, is there something I'm missing configuration wise that prevents all three devices from being accessed at the same time (aka ping all 3 without time outs)
- If creating a bridge isn't the right way to achieve this, then how does one support a VLAN across multiple interfaces?
I know that usually one will connect another switch to eth0 which takes care of the VLAN, but at this stage I do not have enough space at the data centre to add another switch. In essence, I was hoping the Sophos UTM would be sufficient.
Sincerely,
Werner
This thread was automatically locked due to age.
