In May I posted a tutorial for running a “router on a stick” with a Cisco router, a Cisco switch and an HP switch. Today I will show you how to replace the Cisco router with a Sophos UTM to route between different VLANs.
First we connect a Sophos UTM interface (in our example eth3) to our switch environment (switch config example @ http://networkguy.de/?p=177). Now we can configure multiple “Ethernet VLAN” interfaces, each with its own VLAN tag, like this (networks for marketing and sales):
At the end of this you will see two new interfaces:
These will be the default gateways of those networks. You can configure a DHCP server scope within the Sophos UTM, or on your primary DHCP server with the DHCP relay function under “Network Services”. Keep in mind that you need to add the marketing, sales and server networks to the DHCP relay networks; otherwise the DHCP broadcast messages are not forwarded as unicast to your selected DHCP server.
After this you can configure firewall rules like this:
Like most firewalls, the Sophos UTM (based on a Linux OS and using iptables) works top-down, first match. In our example I allowed the Marketing and Sales networks to use Windows shares and to make NTP and DNS lookups. To access the internet, I configured a rule allowing them to use the Web Surfing protocols to the internet. Use the network definition “Internet IPv4” and/or “Internet IPv6”. This definition means that they can go through every interface that has a default gateway (usually your WAN line). For accessing the internet you also need to configure NAT and secure them via Web Protection like this:
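To make the top-down, first-match behaviour concrete, here is an added Python model of the rule set described above. It is an illustration written for this post, not Sophos code, and it assumes constructed addressing (Marketing 10.10.0.0/24, Sales 10.20.0.0/24, Servers 10.0.0.0/24) and models “Internet IPv4” as any non-RFC1918 IPv4 address. It also adds a small check the UTM GUI does not give you: finding rules that are shadowed by a broader rule above them and therefore never match.

```python
"""First-match firewall policy model (added example, not Sophos UTM code).

Network ranges, service port sets and rule names below are constructed
assumptions for the illustration, not values from the original post.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Constructed network definitions (assumption: VLAN subnets behind eth3).
NETWORKS = {
    "Marketing": ip_network("10.10.0.0/24"),
    "Sales": ip_network("10.20.0.0/24"),
    "Servers": ip_network("10.0.0.0/24"),
}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Service definitions as (protocol, destination port) pairs.
SERVICES = {
    "Windows Shares": {("tcp", 445), ("tcp", 139)},
    "NTP": {("udp", 123)},
    "DNS": {("udp", 53), ("tcp", 53)},
    "Web Surfing": {("tcp", 80), ("tcp", 443)},
}


def in_definition(addr: str, name: str) -> bool:
    """True if addr belongs to the named network definition.
    "Internet IPv4" is modelled as any public IPv4 address (assumption)."""
    a = ip_address(addr)
    if name == "Internet IPv4":
        return a.version == 4 and not any(a in n for n in RFC1918)
    return a in NETWORKS[name]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Rule:
    name: str
    sources: FrozenSet[str]                 # network definition names
    destination: str                        # one network definition name
    services: Optional[FrozenSet[Tuple[str, int]]]  # None = any service
    action: str                             # "allow" or "drop"

    def matches(self, pkt: Packet) -> bool:
        if not any(in_definition(pkt.src, s) for s in self.sources):
            return False
        if not in_definition(pkt.dst, self.destination):
            return False
        return self.services is None or (pkt.proto, pkt.dport) in self.services


def svc(*names: str) -> FrozenSet[Tuple[str, int]]:
    """Union of the named service definitions."""
    return frozenset().union(*(SERVICES[n] for n in names))


INTERNAL = frozenset({"Marketing", "Sales"})

# The rule order from the post: shares/NTP/DNS to the servers, then web
# surfing to the internet; everything else hits the implicit drop.
POLICY: List[Rule] = [
    Rule("shares-ntp-dns", INTERNAL, "Servers", svc("Windows Shares", "NTP", "DNS"), "allow"),
    Rule("web-to-internet", INTERNAL, "Internet IPv4", svc("Web Surfing"), "allow"),
]


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Walk the rules top-down; the first match decides. No match = drop."""
    for r in rules:
        if r.matches(pkt):
            return r.action, r.name
    return "drop", "implicit-default-drop"


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule already
    covers every packet they match (sources subset, same destination,
    services subset or earlier rule matches any service)."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            covers_services = earlier.services is None or (
                later.services is not None and later.services <= earlier.services)
            if (later.sources <= earlier.sources
                    and later.destination == earlier.destination
                    and covers_services):
                shadowed.append(later.name)
                break
    return shadowed


if __name__ == "__main__":
    for pkt in (Packet("10.10.0.5", "10.0.0.10", "tcp", 445),
                Packet("10.20.0.7", "203.0.113.9", "tcp", 443),
                Packet("10.10.0.5", "10.0.0.10", "tcp", 3389),
                Packet("10.10.0.5", "10.20.0.7", "tcp", 445)):
        print(pkt, "->", evaluate(POLICY, pkt))
```

Note that the last sample packet (Marketing to Sales on port 445) is dropped: the post's rules only allow the VLANs to reach the servers and the internet, so inter-VLAN traffic still needs an explicit rule if you want it. The `shadowed_rules` check is worth running whenever you insert a broad "any service" allow near the top of the list, since any narrower drop placed below it is silently dead.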
I hope I could clearly explain how to configure interfaces running on VLANs. This is mostly useful when your Sophos UTM device doesn’t have enough network ports.