
VLAN Assigned to Interface of UTM

XChangingIT Newbie ✭
edited March 15 in Mid Range Firewalls

Is there a way to assign a VLAN to an interface on the UTM? If I have 2 separate networks (VLAN10 and VLAN20) there seems to always have to be an additional network which is tied to the physical interface (native VLAN1). If I create 2 networks will there always have to be 2 networks + 1 for the management VLAN? If so, do you assign a DHCP pool to the physical interface? I hope I'm making myself clear here.

thanks.


Answers

  • XChangingIT Newbie ✭

    Oh interesting, okay, didn't know that was a possibility.

    I see you can't go back and change it to Unassigned but creating new interfaces will allow you to do what you're saying. Also, I would assume if you're using Sonicpoints this wouldn't apply since I believe you need a WLAN zone for them to work...?

    thanks for the quick reply!

  • XChangingIT Newbie ✭

    I tried what you said and created an interface for an Access Point on X2 (Unassigned) then added VLAN 10 and VLAN 20 to X2. None of the VLAN devices would connect until I assigned a zone to the X2 interface. The minute I added X2 to a LAN zone all the VLANs then connected. Is there anything I'm missing here? Do any rules have to be added to allow VLANs under an Unassigned interface to connect?

    Thanks again for your help.
  • BWC Cybersecurity Overlord ✭✭✭
    edited March 17

    @XChangingIT what does the configuration of the port on your network switch where the X2 interface is connected look like? If you need to assign a Zone/Subnet to the untagged portion of the Interface I assume the switch isn't configured correctly, or your APs end up in that zone, which might be something you don't want.

    It all depends on what you want to accomplish. Let's say your goal is having one network each for AP Provisioning, Company WLAN and Guest WLAN. The Interface configuration in a simple scenario would look like this.

    Interface  VLAN  Zone        Subnet            Notes
    X2         -     Unassigned  -
    X2:V100    100   WIFIMGMT    192.168.0.1/24    AP Provisioning, tagged switch port 100
    X2:V101    101   WIFILAN     192.168.1.1/24    Company WLAN, tagged switch port 101
    X2:V102    102   WIFIGUEST   192.168.2.1/24    Guest WLAN, tagged switch port 102


    All of the above custom Zones are of type Wireless. You just need to make sure the Switch is configured accordingly.

    The switch ports where the APs are connected have to be configured with 100 untagged and 101+102 tagged, because the AP does not know anything about VLAN 100, therefore untagged.

    This is not SonicPoint specific, it's valid for every network device, but in a non-SonicPoint scenario I would need to use Zones of type wireless.

    --Michael@BWC

  • XChangingIT Newbie ✭

    Hi,

    Actually I was testing this with a single AP connected directly to X2, no switch needed. I also have the AP set to Trunk Multiple VLANs and: "Allowed VLANs: 1,10,20." (shown in attached photo) They're Cambium APs in case you were interested.

    I was a little confused reading your comment because when you laid out the network line by line it says V100 switch port tagged, then a few lines down you say it should be untagged...? And I see where you mentioned the AP doesn't know anything about V100, therefore untagged, but my AP does have the VLANs set, so I would think perhaps my scenario is different than what you assumed?

    Also, FYI in that link you sent, for some reason, it doesn't recommend setting an interface to Unassigned.


  • BWC Cybersecurity Overlord ✭✭✭

    @XChangingIT sorry for the confusion, I was always under the assumption that there is a switch attached, my bad. The switch had to be configured tagged for the Port with X2 attached to it and untagged where the AP is connected to.

    There is no requirement to use a tagged VLAN for the AP provisioning, it's just the way I like to do it. Usually I have one or more dedicated interfaces with tagged VLANs for the different SSIDs and one VLAN for the AP management/provisioning.

    Always under the assumption there is a switch involved :)

    --Michael@BWC

  • XChangingIT Newbie ✭

    Yeah, no problem, I was just testing this out before adding another possible layer of confusion, a switch. :)

    Any idea why I couldn't connect to the VLANs while the interface was *Unassigned*?

    thanks again.

  • BWC Cybersecurity Overlord ✭✭✭

    If you mean that you cannot access the AP via the tagged VLAN 1, it might be related to VLAN 1 itself: traffic needs to be tagged, but your configuration does not tag the native VLAN on the AP.

    Not sure about VLAN 1, it might be handled in a special way.

    You can crank up a Packet Monitor and set an Interface Filter to X2 (and sub interfaces), this might show some dropped packets with further details.

    But at the end of the day, the simplest of all solutions would be a switch, tagged with, let's say, VLAN 5 for the port where X2 sits and VLAN 5 untagged (PVID 5) where the AP is. Not sure if you would even need to define the Native VLAN at the AP other than 1, because the whole traffic is untagged.

    --Michael@BWC

  • Talleyrand Newbie ✭

    You would need a switch to act as a "tagger".

    Basically... in this testing environment you want it so that the AP is plugged into a switch port that forces a tag onto ALL the traffic sent from the AP, whilst you config & test it (if you insist on testing in this dangerous way).

    Because if your AP is "open", that means any connecting client can connect & inject traffic directly into your firewall, because you are basically "unbound" for all traffic flowing into VLAN 1 (untagged). Technically speaking, if that is then bound to your network on VLAN 1, congratulations, you just gave complete access to all your network & bypassed your FW for a potentially open WIFI SSID.

    If you want to play about in this dangerous way, then use a hard-wired computer with a VLAN set to "whatever", configure your "sonicwall" to get DHCP over VLAN working to issue your computer an IP address, test everything... THEN add in a switch and get that working, ensuring nothing is leaking or accessible that you don't want via a misconfigured SonicWall.

    THEN add in the AP.

    Rinse and repeat...

    It did not work initially... because it was doing EXACTLY what it was supposed to do, that is, totally ignoring any untagged traffic from a device on a tagged VLAN port.
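
The behaviour discussed in BWC's interface table and in Talleyrand's last sentence can be modelled directly. The following is an added example written for this thread, not SonicWall code and not any poster's own configuration: it parses the 802.1Q tag out of raw Ethernet frames, looks the VLAN ID up in the same X2 / X2:V100 / X2:V101 / X2:V102 layout BWC gave (the zone names and subnets are taken from that post; everything else, including the frame bytes, is constructed here), and shows that an untagged frame, or a frame tagged with a VLAN the firewall has no sub-interface for, matches nothing while the parent X2 is Unassigned. The last call shows what changes once X2 is placed in a zone such as LAN: every untagged frame then lands in that zone, which is the exposure Talleyrand is warning about.

```python
"""Model of how a trunk interface classifies 802.1Q frames into zones.

Added example for the thread; not SonicWall code. The interface plan
mirrors the table posted by BWC; the frames are constructed test data.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


@dataclass(frozen=True)
class SubInterface:
    name: str
    vlan: Optional[int]    # None = the untagged (native) side of the parent
    zone: Optional[str]    # None = Unassigned
    subnet: Optional[str]


# Interface plan from BWC's post: parent X2 Unassigned, three tagged VLANs.
PLAN: List[SubInterface] = [
    SubInterface("X2",      None, None,        None),
    SubInterface("X2:V100", 100,  "WIFIMGMT",  "192.168.0.1/24"),
    SubInterface("X2:V101", 101,  "WIFILAN",   "192.168.1.1/24"),
    SubInterface("X2:V102", 102,  "WIFIGUEST", "192.168.2.1/24"),
]


def parse_frame(frame: bytes) -> Tuple[Optional[int], int]:
    """Return (vlan_id, inner_ethertype) for an Ethernet frame.

    vlan_id is None when the frame carries no 802.1Q tag. Only the first
    (outer) tag is inspected; QinQ is out of scope for this thread.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_8021Q:
        return None, ethertype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner     # low 12 bits of the TCI are the VID


def classify(frame: bytes, plan: List[SubInterface]) -> str:
    """Name the zone a frame arriving on X2 is placed in, or "DROP".

    Tagged frames are matched on VID; untagged frames are matched to the
    parent entry (vlan=None). Matching an Unassigned entry, or no entry at
    all, means the firewall ignores the frame.
    """
    vid, _ = parse_frame(frame)
    for sub in plan:
        if sub.vlan == vid:
            return sub.zone if sub.zone is not None else "DROP"
    return "DROP"                  # VID not configured on this interface


def build_frame(vid: Optional[int]) -> bytes:
    """Construct a minimal frame, tagged with vid or untagged when None."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("0200c0ffee01")   # constructed, locally administered MAC
    payload = b"\x00" * 46
    if vid is None:
        return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload
    tci = vid & 0x0FFF                     # PCP=0, DEI=0
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ETHERTYPE_IPV4) + payload


def with_parent_zone(plan: List[SubInterface], zone: str) -> List[SubInterface]:
    """Return a copy of the plan where the untagged parent is put into a zone."""
    return [SubInterface(s.name, s.vlan, zone, s.subnet) if s.vlan is None else s
            for s in plan]


if __name__ == "__main__":
    # Native VLAN 1 (untagged), tagged VLAN 1, the three planned VLANs, one stray VID.
    for vid in (None, 1, 100, 101, 102, 200):
        print(f"vid={vid}: {classify(build_frame(vid), PLAN)}")
    # Assigning X2 to LAN makes every untagged frame a LAN member.
    print("untagged with X2 in LAN:",
          classify(build_frame(None), with_parent_zone(PLAN, "LAN")))
```

With X2 Unassigned, both the untagged native-VLAN frames and a frame tagged VLAN 1 come back as DROP, which is exactly the "nothing connects" symptom from earlier in the thread; after `with_parent_zone(PLAN, "LAN")` the untagged frame is classified as LAN, so anything the AP forwards untagged now sits in that zone.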

  • Arkwright Community Legend ✭✭✭✭✭

    congratulations you just gave complete access to all your network & bypassed your FW for a potentially open WIFI ssid.

    Where are you getting this from?

  • XChangingIT Newbie ✭

    @TALLEYRAND are you implying untagged traffic is insecure? I'm not really sure what you mean?

    I also didn't understand the comment ARKWRIGHT pointed out. Bypassing FW with open SSID...? You mean a guest network without a passcode?

    Please explain further, I don't understand most of what you said. Thx
