VLAN and DHCP


mason736

Member
Mar 17, 2013
111
1
18
So I was able to get Sophos XG up and running after much trial and tribulation. While building out the new firewall rules, I decided it was time to upgrade my wireless network as well.

I ordered a few Ubiquiti APs, and will run their controller in a VM. My question is, I want to run the wireless traffic on a separate VLAN or subnet. If I run a VLAN for the wireless, how do I configure the wireless clients with auto DHCP?

Currently my DNS and DHCP are running in Windows Server 2012, rather than on Sophos. Do I need to create a new DHCP scope?
 

Pete L.

Member
Nov 8, 2015
133
23
18
56
Beantown, MA
You have various options - You can get the IPs from the Controller, from your DHCP Server. If you are going to put them in a different VLAN you should use a different scope / subnet. You should also be able to get the IPs from the Firewall itself (different scope still for that VLAN).
 

JimPhreak

Active Member
Oct 10, 2013
553
55
28
I have two Ubiquiti UniFi AC AP's that I run multiple VLANs (WiFi-Secure & WiFi-Guest) on. I have the VLANs configured on my firewall (pfSense) which is where the DHCP leases get handed out.

One thing you can do is use an ip-helper configured on your switch (if it's managed) to point any devices in a specified VLAN towards your Windows Server to get a DHCP address.
 

mason736

If someone could help me I'd appreciate it. I spent literally 3 hours tonight trying to get my VLANs to work, with no success. I configured the VLAN - VLAN 10, according to the Sophos XG guide, and created the appropriate firewall rules, I think, based on a number of forum posts.

I have a Cisco SG200-50 switch I'm using to create the VLAN, but no matter how I configure them, tagged/untagged, general/trunk/access, I cannot get any data to pass between VLAN 1 and VLAN 5.

I have 2 ports I wanted set to VLAN 5, to enable my wireless APs to be on a different VLAN. I also figured I would need to enable the VLAN on the uplink port to Sophos, to capture the VLAN packet, however nothing I have tried works, and I'm really frustrated by it.....

I read a number of posts about using IP Helper in the switch to point it to the DHCP server, however the Cisco SG200 is a layer 2 switch, and that option is not available from what I've seen. Even being a layer 2 switch, shouldn't the layer 3 work be handled by Sophos?

Thanks
 

DavidRa

Infrastructure Architect
Aug 3, 2015
330
153
43
Central Coast of NSW
www.pdconsec.net
Suggest we start from the very beginning, it's a very good place to start.

VLANs are your layer 2 segmentation - a subnet must be wholly contained within a VLAN, as the subnet operates at layer 3. They can be port based VLANs, where a specific port on a layer 2 switch is assigned to a particular VLAN, or tagged, where the endpoint can select which VLAN to use for traffic (but which is still controlled by the list of permitted VLANs on the layer 2 switch).

Note that unmanaged switches are effectively layer 1 devices and so whatever configuration you assign to the smarter switch port applies to all the "dumb" switch ports.

It sounds to me like you want the two APs to be on an isolated VLAN, which you've defined as VLAN 5. That's fine, the numbers are arbitrary. I would recommend that you troubleshoot by using a pair of wired devices to ensure they communicate OK. In Cisco speak, a port-based VLAN with no smarts on the end device is usually configured as switchport mode access; switchport access vlan 5. The endpoint device cannot "escape" VLAN 5.

As for the connection to your Sophos, it sounds like you're using a single cable to carry more than 1 VLAN. Again, no problem. IIRC (this is the end of my Cisco knowledge) a port in General mode will have a native VLAN and also accept tagged packets - so one device with a single physical cable can be on multiple VLANs with appropriate IP addresses. A trunk port, however, expects all packets to be already tagged to a VLAN (someone can correct me if I'm wrong here). Your general port will accept tagged packets on permitted VLANs, and any untagged packets will be tagged and untagged as needed by the switch; those "untagged" packets will be on the native VLAN.

Normally we don't use VLAN1, because packets specifically on VLAN1 are indistinguishable from those not tagged (as I understand it anyway). So a device on VLAN1 can potentially hop VLANs - which is a security risk. Also, you mentioned that you configured Sophos with VLAN 10, but your APs are on VLAN 5. I think this might illustrate part of what's going wrong.

So here's what my stab in the dark switch config might look like - I don't have a Cisco handy to check syntax but I trust it will suffice for you:

Sophos on port 2
AP1 on port 3
AP2 on port 4

interface gi0/2
switchport mode general
switchport general pvid 1
switchport general allowed vlan add 5 tagged
spanning-tree portfast
end
interface gi0/3
switchport mode access
switchport access vlan 5
spanning-tree portfast
end
interface gi0/4
switchport mode access
switchport access vlan 5
spanning-tree portfast
end

Your Sophos needs an interface on VLAN 1 (Eth0?) and a tagged interface on 5 (note it matches) - configure your IP addressing and rules appropriately.

Now as for DHCP, you'll need to do one of two things:
* Configure DHCP forwarding (DHCP Helper) on Sophos to forward DHCP from VLAN 5 to the DHCP server on VLAN 1, configure a scope for VLAN 5 on the DHCP server;
* Configure Sophos as DHCP server for VLAN 5.

Hope this helps.
 
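The two DHCP options DavidRa lists above come down to one detail of the protocol: which subnet the DHCP server picks a lease from. The following is an added example, not code from this thread, from Sophos or from Microsoft. It models a client DISCOVER, what a relay agent (the Sophos "DHCP Helper") does to the giaddr field before forwarding, and how a server chooses a scope from giaddr. The 192.168.1.0/24 and 10.10.10.0/24 subnets are the ones in the thread; the relay address 10.10.10.1, the server address 192.168.1.2 and the client MAC are constructed sample values.

```python
"""DHCP relay agent (giaddr) and per-VLAN scope selection, modelled in pure Python.

Added example; not code from this thread, from Sophos or from Microsoft. It shows why
the DHCP server on VLAN 1 can only hand out a 10.10.10.0/24 lease to a client on
VLAN 5 when (a) a relay rewrites giaddr before forwarding and (b) a scope for that
subnet exists on the server.
"""
import ipaddress
import struct

BOOTREQUEST = 1
MAGIC_COOKIE = b"\x63\x82\x53\x63"
GIADDR = slice(24, 28)   # offset of giaddr in the fixed BOOTP header (RFC 2131 fig. 1)

# Constructed: scopes as the Windows DHCP server would hold them after a VLAN 5 scope is added.
SCOPES = {
    ipaddress.ip_network("192.168.1.0/24"): "192.168.1.1",   # VLAN 1 scope, router option
    ipaddress.ip_network("10.10.10.0/24"): "10.10.10.1",     # VLAN 5 scope, router option
}


def build_discover(client_mac: bytes, xid: int = 0x3903F326) -> bytes:
    """Minimal DHCPDISCOVER: 236-byte fixed header, magic cookie, option 53, end option.
    A real client leaves giaddr at 0.0.0.0 and sets the broadcast flag."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREQUEST, 1, 6, 0,                          # op, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,                                # xid, secs, flags (broadcast bit)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,    # ciaddr, yiaddr, siaddr, giaddr
        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC_COOKIE + bytes([53, 1, 1]) + b"\xff"


def relay(packet: bytes, relay_if_ip: str) -> bytes:
    """What a DHCP relay (RFC 1542 section 4.1) does with a request heard on its VLAN 5
    interface: increment hops and, if giaddr is still zero, set it to that interface's
    address; it then unicasts the packet to the server, which replies to giaddr."""
    hops = packet[3] + 1
    if hops > 16:
        raise ValueError("hops exceeds 16; a relay must discard the packet")
    giaddr = packet[GIADDR]
    if giaddr == b"\0\0\0\0":
        giaddr = ipaddress.IPv4Address(relay_if_ip).packed
    return packet[:3] + bytes([hops]) + packet[4:24] + giaddr + packet[28:]


def select_scope(packet: bytes, receiving_if_ip: str, scopes=SCOPES):
    """RFC 2131 section 4.3.1: with giaddr zero the server uses the subnet of the
    interface the request arrived on, otherwise the subnet containing giaddr.
    Returns the matching network, or None when no scope covers that subnet
    (the client then never gets an OFFER and falls back to a 169.254.x.x address)."""
    giaddr = ipaddress.IPv4Address(packet[GIADDR])
    key = giaddr if int(giaddr) else ipaddress.IPv4Address(receiving_if_ip)
    for net in scopes:
        if key in net:
            return net
    return None


if __name__ == "__main__":
    discover = build_discover(bytes.fromhex("02000000aa01"))   # constructed client MAC
    server_if = "192.168.1.2"                                  # constructed server address on VLAN 1
    print("broadcast heard directly on VLAN 1 ->", select_scope(discover, server_if))
    relayed = relay(discover, "10.10.10.1")
    print("relayed from VLAN 5 interface      ->", select_scope(relayed, server_if))
    only_vlan1 = {ipaddress.ip_network("192.168.1.0/24"): "192.168.1.1"}
    print("relayed, but no VLAN 5 scope       ->", select_scope(relayed, server_if, only_vlan1))
```

The first case is what happens when an AP port ends up on VLAN 1: the server hears the broadcast on its own subnet and answers from the 192.168.1.0/24 scope. The second is the relay path, where the server never sees the broadcast at all but picks the scope from giaddr. The third is the relay configured without the matching scope, which yields no lease.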

mason736

Thanks for the help, I'll look at in the morning.

For reference, here are the options for spanning tree by port:
upload_2016-3-10_0-1-16.png

Also, here are the settings for the VLANs by port:
upload_2016-3-10_0-2-13.png

upload_2016-3-10_0-3-7.png
 

DavidRa

Right so for the APs:

Spanning Tree: Edge; other settings as shown
Ports: PVID = 5 (untagged member of 5)

For Sophos:
Spanning Tree: Edge; other settings as shown
Ports: PVID = 1 (untagged member of 1, tagged member of 5)
 

DavidRa

For the APs, I missed saying they are Access mode VLAN 5, and those tagging options should disappear.

For the Sophos port, admit all (that way the untagged packets get assigned VLAN 1 and the tagged packets for VLAN 5 remain there).
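The port behaviour DavidRa describes here and in his earlier post (access ports as untagged members of one VLAN; a general uplink with PVID 1, "admit all", and VLAN 5 tagged) is easy to get wrong on a web UI, so here is an added example that models it in Python. It is not code from the thread or from Cisco, and it does not consult the SG200's real forwarding engine; port names, MAC addresses and the frame payload are constructed. It shows what the Sophos side sees when an AP port is access VLAN 5 versus the PVID 1 workaround, and what happens to frames tagged VLAN 10 on an uplink that only allows 5.

```python
"""How the switch port settings in this thread classify 802.1Q frames, modelled in Python.

Added example; not code from the thread or from Cisco. An access port is an untagged
member of one VLAN; a general port with PVID 1 and "admit all" assigns untagged
frames to VLAN 1 and keeps tagged VLAN 5 frames on VLAN 5. Tagged frames for a VLAN
a port is not a member of are dropped.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
BROADCAST = b"\xff" * 6


def ether(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame."""
    return dst + src + struct.pack("!H", ethertype) + payload


def parse_vid(frame: bytes) -> Optional[int]:
    """802.1Q VID if a tag follows the MAC addresses, else None (untagged frame)."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag between the source MAC and the EtherType."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    return frame[:12] + struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag, if present."""
    return frame if parse_vid(frame) is None else frame[:12] + frame[16:]


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                          # "access", "general" or "trunk"
    pvid: int                          # VLAN for untagged frames (access VLAN / native VLAN)
    tagged: frozenset = frozenset()    # VLANs this port is a tagged member of
    admit_untagged: bool = True        # general mode "admit all"; False = "tagged only"

    def ingress(self, frame: bytes) -> Optional[Tuple[int, bytes]]:
        """Classify an arriving frame: (vlan, frame without tag), or None if dropped."""
        vid = parse_vid(frame)
        if vid is None:
            return (self.pvid, frame) if self.admit_untagged else None
        if self.mode != "access" and vid in self.tagged:
            return (vid, strip_tag(frame))
        return None                    # tagged for a VLAN this port is not a member of

    def egress(self, vlan: int, frame: bytes) -> Optional[bytes]:
        """Frame as it leaves this port for the given VLAN, or None if not a member."""
        if vlan == self.pvid:
            return frame               # untagged member: tag is not sent
        if self.mode != "access" and vlan in self.tagged:
            return add_tag(frame, vlan)
        return None


def forward(in_port: Port, frame: bytes, out_port: Port) -> Optional[bytes]:
    """Frame as seen by the device behind out_port after the switch handles it."""
    classified = in_port.ingress(frame)
    if classified is None:
        return None
    vlan, untagged = classified
    return out_port.egress(vlan, untagged)


# Constructed: a broadcast from an AP (think of its DHCP DISCOVER) with a dummy IP payload.
AP_MAC = bytes.fromhex("02000000aa01")
DISCOVER = ether(BROADCAST, AP_MAC, ETHERTYPE_IPV4, b"\x45" + b"\0" * 19)

# Ports as recommended in this thread (port numbers are illustrative).
AP_PORT = Port("gi9", "access", pvid=5)
UPLINK = Port("gi49", "general", pvid=1, tagged=frozenset({5}))
# The workaround tried later in the thread: AP port general, untagged, PVID 1.
AP_PORT_PVID1 = Port("gi9", "general", pvid=1)

if __name__ == "__main__":
    print("AP on access 5   -> Sophos sees VID", parse_vid(forward(AP_PORT, DISCOVER, UPLINK)))
    print("AP on PVID 1     -> Sophos sees VID", parse_vid(forward(AP_PORT_PVID1, DISCOVER, UPLINK)))
    print("Sophos tagged 10 -> AP receives", forward(UPLINK, add_tag(DISCOVER, 10), AP_PORT))
    print("Sophos tagged 5  -> AP receives original frame:",
          forward(UPLINK, add_tag(DISCOVER, 5), AP_PORT) == DISCOVER)
```

With the AP port in access mode the uplink delivers the frame tagged 5, which is what the Sophos VLAN 5 sub-interface expects; with the AP port on PVID 1 the same frame leaves the uplink untagged and lands on the VLAN 1 network, which is why a lease from the 192.168 scope is the symptom. A frame the firewall tags 10 never reaches an AP port, because the uplink is not a member of 10.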
 

mason736

I have my settings exactly as you say, however I cannot get connected to my main network, VLAN 1. In addition, I created a DHCP relay in Sophos, to forward to my DHCP server for address leases.

The only way I get traffic through the ports is if I change the AP ports to General, Untagged, and change the PVID to 1, I can connect to the network, however it gets a DHCP lease from my primary 192.168 network, not the VLAN 10.10 network. However, the NIC does show both gateways, 192.168.1.1 and 10.10.10.1.
 

mason736

With the settings the way they are supposed to be, the NIC on my machine only gets a dummy IP of 169.54.175.0 with subnet mask of 255.255.0.0 and gateway of 10.10.10.1.

I think that means it's hitting the gateway, however not getting any further.
 

mason736

I'm not really sure what to do at this point....possibly pick up another switch? I don't know how else to make the VLANs work. I'm not sure if the issue is with the switch or Sophos....
 

namike

Member
Sep 2, 2014
70
18
8
43
I would simplify things further and configure your box you are testing from with a static IP on each VLAN (worry about DHCP after you verify things are working).

You need to ensure you can ping your default gateway from both VLANs. Your default gateway should be a device that is able to handle layer 3, since your switch is a layer two.

If you are going to use a trunk port, you will need sub interfaces on your Sophos and then tag each individual sub interface to a particular VLAN. This is called "router on a stick".
 

mason736

Here are my current settings that aren't working:

Cisco SG200-50 switch:
upload_2016-3-10_16-19-2.png
upload_2016-3-10_16-19-18.png

Port 9 is the VLAN Port
upload_2016-3-10_16-21-42.png

Port 49 is the uplink to router (Sophos), and is set to Trunk:
VLAN 1 (Native) Settings:
upload_2016-3-10_16-22-51.png

upload_2016-3-10_16-24-3.png

VLAN Settings by Port:
upload_2016-3-10_16-24-59.png
upload_2016-3-10_16-25-16.png


Sophos Settings:

I created a new interface, 1.5 off of the main LAN interface:
upload_2016-3-10_16-28-30.png

upload_2016-3-10_16-28-58.png

Firewall Rule:
upload_2016-3-10_16-30-31.png
 

mason736

With this configuration, if I turn off my main ethernet connection, and just use the VLAN connection on my PC, and set a static IP in the range of the VLAN, in this case 10.10.10.5, I get this:
upload_2016-3-10_16-40-26.png
 

DavidRa

Let's start even simpler then. Let's put two ports on VLAN 5 as you've done for port 9 - say we configure port 10. Connect a wired device to each (A and B) and assign them IP addresses 10.10.10.11/24 and 10.10.10.12/24. Disable the firewall on each device. Can they ping each other? Can they ping Sophos or can Sophos ping them?

If A can ping B and B can ping A, the VLAN works on ports 9 and 10.
If Sophos can ping A or B but neither can ping Sophos, your trunk works, double-check other configuration (firewalls, typos).
If Sophos can ping A and B but neither can ping Sophos, your VLAN and trunk are fine - look at your firewall configuration.
If Sophos cannot ping A or B (and the reverse, A and B cannot ping Sophos) but A and B can ping each other, it's either Sophos or switch port 49 configuration.

Next, you should be able to view the MAC address table somewhere - are your two wired machines and the Sophos showing present in VLAN 5?

Can you assign a different physical interface to the Sophos to test your firewall config? Is Sophos a VM and does the host need to be involved in the VLAN configuration (e.g. ESX port groups, Hyper-V adapter VLAN tags)?
 

mason736

THANK YOU!!!!

It's working flawlessly now. Turns out, the issue was with Hyper-V. I had to create a second external vNIC for the Sophos VM, and assign it to VLAN 5. Once I did that, and modified the rules accordingly, everything is working.

Thanks again for all your help. It was very much appreciated.
 

NSKA

Active Member
Nov 17, 2015
209
27
28
28
Out of curiosity what OS are you running the Unifi Controller on? Also the person who commented they had pfsense as their router who is your ISP?
 

mason736

Out of curiosity what OS are you running the Unifi Controller on? Also the person who commented they had pfsense as their router who is your ISP?
I'm running the controller on a Windows Server 2012 R2 VM, that I use for backup and other tasks. I had to SSH into the devices to manually set them to look at my controller, as it's across a VLAN.