This article explains how to create an Ethernet VLAN interface on Sophos UTM.
Ethernet VLAN interfaces are often used on internal, managed networks that are segmented into VLANs. When the UTM needs to connect to more than one VLAN, it may be preferable to pass more than one VLAN to the UTM over a single trunk port. This requires configuration on the switch(es) that the UTM connects to: at minimum, the port the UTM is connected to must be configured as a trunk port, and it must be a TAGGED member of each VLAN that you want the UTM to use.
Use this interface type when you:
- are connecting to a tagged VLAN on a switch trunk port.
- need to directly connect UTM to more networks than it has physical Ethernet ports, and you also have a managed, VLAN capable switch to connect with.
Do NOT use this interface type if you:
- are connecting to an UNTAGGED VLAN switch port.
- are not connecting to a tagged VLAN.
This article focuses on a single interface type. To learn more about other interface types, please view KB article 118899.
Known to apply to the following Sophos product(s) and version(s)
What To Do
Interfaces may be added and edited in the WebAdmin interface under: Interfaces & Routing | Interfaces | Interfaces.
- Click the New Interface button to add a new interface.
- In the Type field, select: Ethernet VLAN
- The following image and table outline the options available, and how to fill them out:
Configuration Options (the interface image is not reproduced here):
Name: This is the name that will be shown throughout the UTM configuration, wherever this interface is referenced. Names that indicate, or are specific to, the interface's purpose are usually the most useful. For example, names like Internal, DMZ, Guest, External, External-XO or External-ATT make it clear to someone who did not create the object what purpose it serves.
Hardware: Unused Ethernet ports, or ports that are already used by other Ethernet VLAN interfaces, will be shown here. If none are listed, then all ports are presently configured. UTM appliances configure eth3 by default for HA/Clustering. If HA is not needed, eth3 can be made available on UTM appliances by disabling HA under Management > High Availability > Configuration.
VLAN Tag: This is the VLAN ID of the tagged or trunked VLAN being connected to. This VLAN tag must be trunked on the switch port that the selected Ethernet port is connected to.
IPv4 Address: This is the IPv4 address that you wish to assign to the UTM on the selected port.
Netmask: This is the subnet of the IPv4 address assigned above. Internal subnets are quite commonly set to /24. If the IP address is assigned by the ISP, then the subnet mask given by the ISP must also be used.
IPv4 Default GW: If the interface is a connection to the internet, then a default gateway IP may be set by enabling this option. If this is not an internet connection, then this option does not normally need to be enabled.
Default GW IP: This field is only available if the checkbox above is enabled. The default gateway IP is the address of the next hop, within the interface's subnet, that is able to forward traffic to the internet. It should be provided by the ISP or network administrator.
Comment: (Optional) This is a free text field where brief comments may be recorded.
MTU: The default value of 1500 is the standard value for internet traffic. It may be appropriate to change this when connecting to internal networks using Jumbo frames, or to ISPs that require smaller MTU values.
Proxy ARP: This should normally be left disabled, though it may be used in special circumstances to allow hosts on one network to resolve the MAC address of machines on another network.
Displayed max: The displayed max value is a numeric field that is used for display purposes only. Entering a value that matches the bandwidth available on this link allows the UTM to show accurate percentage graphs for each interface on the dashboard. It has no impact on network behavior.
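The options above carry constraints that are easy to get wrong when entering several VLAN interfaces by hand: the VLAN tag must be a valid 802.1Q ID, the gateway must be a next hop inside the interface's own subnet, and no two interfaces may claim the same VLAN on the same port. The following Python is an added example, not Sophos code and not a UTM API; it validates records shaped like the WebAdmin form before they are committed. The dataclass field names, the `eth1`-style hardware names and the 9000-byte MTU ceiling are assumptions; the usable VLAN range 1-4094 is the 802.1Q range, and the sample configurations at the bottom are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class VlanInterfaceConfig:
    """Fields mirror the Ethernet VLAN interface form (names are an assumption)."""
    name: str
    hardware: str                    # physical port, e.g. "eth1" (assumed naming)
    vlan_tag: int                    # 802.1Q VLAN ID
    ipv4_address: str
    netmask: int                     # prefix length, e.g. 24 for a /24
    ipv4_default_gw: bool = False    # the "IPv4 Default GW" checkbox
    default_gw_ip: Optional[str] = None
    mtu: int = 1500


def validate(cfg: VlanInterfaceConfig) -> List[str]:
    """Return a list of problems with one interface; an empty list means it is consistent."""
    problems: List[str] = []
    if not cfg.name.strip():
        problems.append("Name must not be empty")
    # 802.1Q reserves IDs 0 and 4095; only 1-4094 can be trunked on a switch port.
    if not 1 <= cfg.vlan_tag <= 4094:
        problems.append(f"VLAN Tag {cfg.vlan_tag} is outside the 802.1Q range 1-4094")
    try:
        iface = ipaddress.ip_interface(f"{cfg.ipv4_address}/{cfg.netmask}")
    except ValueError as exc:
        problems.append(f"IPv4 Address/Netmask invalid: {exc}")
        return problems
    net = iface.network
    # On anything wider than a /31 the network and broadcast addresses are not host addresses.
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"IPv4 Address {iface.ip} is the network or broadcast address of {net}")
    if cfg.ipv4_default_gw:
        if not cfg.default_gw_ip:
            problems.append("Default GW IP is required when IPv4 Default GW is enabled")
        else:
            try:
                gw = ipaddress.ip_address(cfg.default_gw_ip)
            except ValueError:
                problems.append(f"Default GW IP {cfg.default_gw_ip!r} is not an IP address")
            else:
                # The gateway must be a next hop in this interface's subnet, as the form text says.
                if gw not in net:
                    problems.append(f"Default GW IP {gw} is not inside {net}")
                elif gw == iface.ip:
                    problems.append("Default GW IP must not be the interface's own address")
    elif cfg.default_gw_ip:
        problems.append("Default GW IP is set but IPv4 Default GW is not enabled")
    # 68 bytes is the IPv4 minimum MTU; 9000 covers common jumbo-frame settings (assumed ceiling).
    if not 68 <= cfg.mtu <= 9000:
        problems.append(f"MTU {cfg.mtu} is outside 68-9000")
    return problems


def validate_set(cfgs: List[VlanInterfaceConfig]) -> List[str]:
    """Cross-interface checks: no duplicate (port, VLAN) pair and no overlapping subnets."""
    problems: List[str] = []
    seen: Dict[Tuple[str, int], str] = {}
    for cfg in cfgs:
        key = (cfg.hardware, cfg.vlan_tag)
        if key in seen:
            problems.append(f"{cfg.name}: VLAN {cfg.vlan_tag} on {cfg.hardware} is already used by {seen[key]}")
        else:
            seen[key] = cfg.name
    # Only compare subnets of interfaces that passed their own validation.
    nets = [(c.name, ipaddress.ip_interface(f"{c.ipv4_address}/{c.netmask}").network)
            for c in cfgs if not validate(c)]
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{name_a} ({net_a}) and {name_b} ({net_b}) overlap")
    return problems


# Constructed sample configurations (documentation address ranges, not real networks).
SAMPLE_CONFIGS = [
    VlanInterfaceConfig("DMZ", "eth1", 100, "192.168.100.1", 24),
    VlanInterfaceConfig("External-ISP", "eth1", 200, "203.0.113.10", 29, True, "203.0.113.9"),
    VlanInterfaceConfig("Guest", "eth1", 100, "192.168.100.254", 24),   # duplicates DMZ's VLAN
]

if __name__ == "__main__":
    for cfg in SAMPLE_CONFIGS:
        print(cfg.name, validate(cfg) or "ok")
    print("set:", validate_set(SAMPLE_CONFIGS) or "ok")
```

Run it as a script to see the per-interface and cross-interface reports for the constructed samples; in practice you would feed it the values you intend to type into the form and only proceed to WebAdmin once both lists are empty. The VLAN-tag check cannot confirm that the switch port is actually trunked with that tag, so that part of the page's requirement still has to be verified on the switch.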