Some time ago, I wrote an article giving an overview of how to configure VLANs on a Cisco Catalyst 3550. I did not go into detail on firewall configuration because this was not necessary for me at the time using a PIX 515e. However, things have changed on my network as they often do and we are now utilizing an Untangle firewall which does not currently support the use of VLANs. I have however found a workaround that functions perfectly in my environment without compromising security or efficiency.
One solution would be to revert back to a single subnet; however, we would lose the benefits of network segmentation that reduces collisions and optimizes our network performance. For the sake of this discussion, I am going to build upon the discussion in the previous article located here and only focus on the configuration of Untangle to meet the needs of the network designed in that article. It would be wise to review that article before continuing with this discussion.
The end result of the previous article was a network configured with four VLANs.
VLAN1 192.168.1.0 – This VLAN handles all traffic intended for the internet whether incoming or outgoing. No private network traffic occurs on this segment.
VLAN2 192.168.2.0 – This VLAN handles all inter-server communications. Only servers exist on this VLAN.
VLAN3 192.168.3.0 – All workstations are connected to this VLAN.
VLAN4 192.168.4.0 – This network was designed for guest access to internet resources. All traffic to other local subnets is blocked to the extent that users on this subnet have a similar experience to what they would have from any other internet connection in the world.
The problem arises in that the Untangle traditionally only has one IP on its internal interface. This causes the firewall to be able to communicate only with devices on the same subnet. There is, however, the option of configuring additional IP addresses for the interface. Rather than assigning a specific address for each subnet, we are able to configure the entire IP space in this area.
1. Log on to your Untangle Administration Portal and click on the Config tab. This can be done through a browser and does not need to be done on the local box. If you are unable to launch the client remotely, it is probably because you are coming from a different subnet and will need to configure the firewall locally.
2. Click on the Networking menu item.
3. Under the Interfaces tab, edit the internal interface.
4. In the top section next to IP Addresses, click Add.
5. Enter the network range for each subnet you wish to add including VLAN1.
6. Repeat steps 4 and 5 until all subnets have been entered.
7. Click on Save in the lower right corner of the window to save your settings.
If you have multiple public IP addresses, these will also need to be added individually on the External interface. Once this is complete and you have finished the instructions above, you can click on the Port Forwards tab and add the rules to allow traffic to flow to the appropriate services on your internal network.
At first glance, this configuration appears to be insecure because you are granting access to all VLANs from the one internal interface. Keep in mind that the rules created in the previous article control traffic routing between VLANs, so this is not really an issue. We are only telling the firewall which interface to communicate on for traffic directed to the Untangle.
That is all there is to it. Assuming you have followed these steps, you should be able to access the internet from any VLAN as well as to port forward traffic from the external interface to the appropriate service anywhere on your network without adversely affecting your VLAN configuration.