
UTM9 - VLAN mode

Hello,

I just convinced my company to buy 2 SG 310 in Active-Passive mode for a data centre we own. I realised though that I don't know how to set it up the way we want it to work. I was wondering if someone could give me some direction. For privacy and for simplicity, I will try to simplify the situation.

The 310 will be connected to WAN and to LAN.

From LAN it will connect to a switch (let's say Port 1). On the same switch I will also have two VLANs (e.g. 200 and 300) which, let's say, represent Port 2 (VLAN200) and Port 3 (VLAN300).

The servers that are connected on Port 2 and Port 3 have the SAME IP address (10.0.0.2) but of course different VLANs. This latter part cannot be changed.

On Layer 3 I would assume Port 1 on the switch will be untagged but Ports 2 and 3 will be tagged on their VLANs. The question is how do I set the 310 up in a way that it can communicate with both devices even though they both have the same IP.

Thanks!



  • I think this is the first time I've ever seen the need to link a host object to an interface.

    You should use 2 fake IPs and DNAT them to the host objects.

  • There is always a first time for everything when you work in customer service :)

    The issue arises because I have 10 customers, each of which uses a total of 10 different devices that work together to create a system. The developers set this up so that each device in a system has the same IP, e.g. each load balancer should have IP 192.168.0.10, each physical server should have IP 192.168.0.3, etc.

    So I end up having 10 systems that each have 20 devices, all of which use the same range and the same IP addresses.

    What I was looking for was perhaps to create a virtual IP address for each VLAN that represents each network.

    How do I set up your idea?

  • With a 1:1 DNAT from a fake network to any of the play-1.xx networks you should be able to access what you want.

  • Thanks, even though I am not entirely sure how this is going to work. Since I don't yet have the 310s in place, I am using an appliance to do the configuration.

    Here is what I did:

    1. Interfaces
      1. Create an interface per VLAN using the same hardware
    2. Network definitions
      1. Create a network definition where IPv4 is 192.168.0.0 and the interface is each of the previously created interfaces
      2. Repeat as above for each VLAN
      3. Create network hosts and bind them to each interface respectively
    3. NAT
      1. Masquerading
        1. Create a new rule from each network using interface internet (so they can get to the internet)

    I am not entirely sure why I should create 1:1 NAT nor what I will achieve with this. I was thinking that for access to each device from the internet, I shall create a normal DNAT rule where traffic from is any, service as appropriate, going to the internet address, which should change the destination to the IP address of the host. Sophos should know where to find it since when I created the host, I bound it to a specific adapter.

    Right?
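An added illustration, not from the thread or from Sophos: a small Python model of the 1:1 NAT approach suggested above, where each VLAN gets its own unique fake network that the firewall translates into the overlapping 192.168.0.0/24. The interface names (eth1.200, eth1.300) and fake networks (10.20.0.0/24, 10.30.0.0/24) are constructed; the model shows why a plain route to 192.168.0.0/24 is ambiguous, and why the return path must be keyed on the ingress VLAN interface rather than on the source IP.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed example values: two customer VLANs that both carry the same
# 192.168.0.0/24 range, each given its own unique "fake" network on the firewall.
OVERLAP_NET = ipaddress.ip_network("192.168.0.0/24")
VLAN_FAKE_NETS = {            # VLAN id -> fake network (hypothetical choices)
    200: ipaddress.ip_network("10.20.0.0/24"),
    300: ipaddress.ip_network("10.30.0.0/24"),
}

@dataclass(frozen=True)
class NatMapping:
    vlan_if: str                       # VLAN interface on the shared LAN port
    fake_net: ipaddress.IPv4Network    # unique per VLAN, what admins/clients target
    real_net: ipaddress.IPv4Network    # identical on every VLAN

def build_mappings(real_net=OVERLAP_NET, fakes=VLAN_FAKE_NETS, parent="eth1") -> List[NatMapping]:
    """One 1:1 mapping per VLAN interface; all of them share the same real prefix."""
    return [NatMapping(f"{parent}.{vid}", fake, real_net) for vid, fake in sorted(fakes.items())]

def translate_outbound(dst: str, mappings: List[NatMapping]) -> Optional[Tuple[str, str]]:
    """Packet towards a fake address: the fake prefix selects the VLAN, and the
    destination is rewritten to the same host offset inside the real (overlapping) net."""
    ip = ipaddress.ip_address(dst)
    for m in mappings:
        if ip in m.fake_net:
            offset = int(ip) - int(m.fake_net.network_address)
            return m.vlan_if, str(m.real_net.network_address + offset)
    return None   # not a fake address: no rule applies

def translate_return(src: str, ingress_if: str, mappings: List[NatMapping]) -> Optional[str]:
    """Reply from a real address: only the ingress VLAN interface can tell which
    fake address the source must be rewritten back to, since the IP is shared."""
    ip = ipaddress.ip_address(src)
    for m in mappings:
        if m.vlan_if == ingress_if and ip in m.real_net:
            offset = int(ip) - int(m.real_net.network_address)
            return str(m.fake_net.network_address + offset)
    return None

def candidate_vlans(dst: str, mappings: List[NatMapping]) -> List[str]:
    """Why routing alone fails: a real address matches every VLAN's prefix."""
    ip = ipaddress.ip_address(dst)
    return [m.vlan_if for m in mappings if ip in m.real_net]
```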
