VLAN Assigned to Interface of UTM
XChangingIT
Newbie ✭
Is there a way to assign a VLAN to an interface on the UTM? If I have 2 separate networks (VLAN10 and VLAN20) there seems to always have to be an additional network which is tied to the physical interface (native VLAN1). If I create 2 networks will there always have to be 2 networks + 1 for the management VLAN? If so do you assign a DHCP pool to the physical interface. I hope I'm making myself clear here.
thanks.
Category: Mid Range Firewalls
Tagged:
0
Best Answer
-
CORRECT ANSWER
BWC
Cybersecurity Overlord ✭✭✭
@XChangingIT if you need to create tagged VLAN Interfaces it's described over here:
If you leave the physical Interface Unassigned (not selecting any Zone) there will be no additional network (untagged VLAN).
--Michael@BWC
0
Answers
Oh interesting okay didn't know that was a possibility.
I see you can't go back and change it to Unassigned but creating new interfaces will allow you to do what you're saying. Also, I would assume if you're using Sonicpoints this wouldn't apply since I believe you need a WLAN zone for them to work...?
thanks for the quick reply!
Thanks again for your help.
@XChangingIT how does the configuration of the port at your network switch looks like where the X2 interface is connected to? If you need to assign a Zone/Subnet to the untagged portion of the Interface I assume the switch isn't configured correctly or your APs end up in that zone, which might be something you don't want.
It all depends what you're wanna accomplish. Let's say your goal is having a Network each for AP Provisioning, Company WLAN and Guest WLAN. The Interface configuration in a simple scenario would look like this.
All of the above custom Zones are of type Wireless. You just need to make sure the Switch is configured accordingly.
The configuration of the switch ports where the APs are connected to, have to be configured 100 untagged and 101+102 tagged, because the AP does not know anything about VLAN 100, therefore untagged.
This is not SonicPoint specific, it's valid for every network device but in a non SonicPoint scenario I would need to use Zones of type wireless.
--Michael@BWC
Hi,
Actually I was testing this with a single AP connected directly to X2 no switch needed. I also have the AP set to Trunk Multiple VLANs and: "Allowed VLANs: 1,10,20." (shown in attached photo) They're Cambium APs in case you were interested.
I was a little confused reading your comment because when you laid out the network line-by-line it says V100 switch port tagged - then a few lines down you say it should be untagged....? and I see where you mentioned the AP doesn't know anything about V100 therefore untagged but my AP does have the VLANs set so I would think perhaps my scenario is different than what you assumed?
Also, FYI in that link you sent, for some reason, it doesn't recommend setting an interface to Unassigned.
@XChangingIT sorry for the confusion, I was always under the assumption that there is an switch attached, my bad. The switch had to be configured tagged for the Port with X2 attached to it and untagged where the AP is connected to.
There is no requirement to use a tagged VLAN for the AP provisioning, it's just the way I like to do it. Usually I have one or more dedicated interfaces with tagged VLANs for the different SSIDs and one VLAN for the AP management/provisioning.
Always under the assumption there is a switch involved :)
--Michael@BWC
Yea no problem I was just testing this out before adding another possible layer of confusion, a switch. :)
Any idea why I couldn't connect to the VLANs while the interface was *Unassigned*?
thanks again.
If you mean that you cannot access the AP via the tagged VLAN 1? It might be related to VLAN1 itself, traffic needs to be tagged but your configuration does not tag the native VLAN on the AP.
Not sure about VLAN 1, it might be handled in a special way.
You can crank up a Packet Monitor and set an Interface Filter to X2 (and sub interfaces), this might show some dropped packets with further details.
But at the end of the day, the simplest of all solutions would be a switch, tagged with let's say VLAN 5 for the port where X2 sits on and VLAN 5 untagged (PVID 5) where the AP is on. Not sure if you would even need to define the Native VLAN at the AP other than 1, because the whole traffic is untagged.
--Michael@BWC
You would need a switch to act as a "tagger".
Basically... in this testing environment you want it so that the AP is plugged into a switch port that forces a tag onto ALL the traffic sent from the AP, whilst you config & test it. (if you insist in testing in this dangerous way.)
Because if your AP is "open", that means any connecting client can connect & inject traffic directly into your firewall. , because you are basically "unbound" for all traffic flowing into VLAN 1 (untagged) , technically speaking if that is then bound to your network on vlan 1 , congratulations you just gave complete access to all your network & bypassed your FW for a potentially open WIFI ssid.
you want to play about in this dangerous way, then use a hard wired computer, with a VLAN set to "whatever" , configure your "sonicwall" to get the DHCP over vlan working, to issue your computer an ip address, test everything.. THEN add in a switch and get that working, ensuring nothing is leaking or accessible you don't want. VIA a misconfigured sonicwall.
THEN add in the ap.
rinse and repeat...
It did not work initially.... because it was doing EXACTLY what it was supposed to do., that is totally ignoring any untagged traffic from a device on a tagged vlan port.
congratulations you just gave complete access to all your network & bypassed your FW for a potentially open WIFI ssid.
Where are you getting this from?
@TALLEYRAND are you implying untagged traffic is unsecure? I'm not really sure what you mean?
I also didn't understand the comment ARKWRIGHT pointed out. Bypassing FW with open SSID...? You mean a guest network without a passcode?
please explain further I dont understand most of what you said. thx