RESET Forums (homeservershow.com)

Sophos UTM on ESXi on N54L with one physical NIC

yud

Hi,

I have just discovered the existence of Sophos UTM Home Edition (yes, been living under a rock...) and it looks fantastic.

It is already set up in an ESXi VM on my N54L but not in production yet and I need some advice.

My plan is to have it sitting between a cable modem (in bridge mode) and the rest of my network, acting as router, firewall, web filter, etc.

What I'm not sure about is how to set up the NICs because my Microserver only has one physical NIC.

I have one virtual NIC with a LAN IP address, working fine. I can connect to the webmin and manage the UTM.

But I'm not sure how to set up the WAN NIC. If I set it up for DHCP will it get the IP address from my ISP? The physical NIC is connected to a Cisco SG-200 gigabit switch. Do I need to set up a trunk and a VLAN on the Cisco switch?

Can anyone please point me to an easy to follow guide for setting up such a network for the UTM on ESXi (I'm good with networking but have very little experience with trunking and VLANs).

Thanks!

ikon

For a router at the edge of my network I have a 2nd physical NIC. I want a physical separation between the Internet and my LAN: one Ethernet cable leading to my modem and the other to my LAN switch.

oj88

Though I would agree that a physical separation is best, having them logically separated using VLANs should work. Cisco calls it "router on a stick". It can fulfill the function of a LAN/WAN gateway with multiple virtual interfaces using just a single physical NIC, but this approach is usually only done for very light duty or on non-production environments for two things:

Security - Unless you mess up the switch or ESXi configs or plug the wrong cable into the wrong port, there's absolutely no possibility for traffic to 'cross' between VLANs. The separation is more of an added security in case the mistakes I mentioned above happen.

Performance - Well, a single NIC can physically only do so much when it's handling both ingress and egress. Note that each packet will have to pass through it twice... every time. So if you're transferring a file from one VLAN to another at 20 Mbps, the actual throughput on the NIC is 40 Mbps or thereabouts.

I haven't touched ESXi but at a very high level, I reckon you would need two or three VLANs (LAN, WAN, and if you have to, Host Mgmt). You need to have two virtual switches (one each for WAN and LAN) and trunk them to the physical NIC. You then configure VLANs on the Cisco switch. For example, make Port 1 a trunk and have the WAN come out of Port 2 and LAN on Port 3.

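The misconfigurations oj88 warns about (a port group left untagged, a VLAN missing from the trunk, the trunk's native VLAN overlapping WAN or LAN, the modem landing on the wrong access port) are cheap to check on paper before plugging anything in. The following is an added example, not code from the thread or from Sophos/VMware; it assumes the common single-NIC layout of one vSwitch with one uplink into a trunk port and one tagged port group per VLAN, and the VLAN IDs and port names are constructed.

```python
"""Sanity-check a single-NIC 'router on a stick' plan (ESXi host behind a
Cisco-style switch). Assumed layout, not from the thread: the UTM VM gets one
VLAN-tagged port group per network on a vSwitch whose only uplink is the
host NIC on a trunk port; the modem and the LAN hang off access ports."""
from dataclasses import dataclass, field

WAN, LAN = 20, 10  # constructed VLAN IDs


@dataclass
class SwitchPort:
    name: str
    mode: str                 # "trunk" or "access"
    vlan: int = 1             # access VLAN, or native VLAN for a trunk
    allowed: set = field(default_factory=set)  # tagged VLANs on a trunk


@dataclass
class PortGroup:
    name: str
    vlan: int                 # 0 = untagged, 1-4094 = tagged, 4095 = guest tagging


def check_plan(ports, groups, uplink_port, wan_vlan=WAN, lan_vlan=LAN):
    """Return human-readable findings; an empty list means the plan is clean."""
    findings = []
    trunk = next(p for p in ports if p.name == uplink_port)
    if trunk.mode != "trunk":
        findings.append(f"{trunk.name}: uplink must be a trunk, is {trunk.mode}")
    if trunk.vlan in (wan_vlan, lan_vlan):
        findings.append(f"{trunk.name}: native VLAN {trunk.vlan} is WAN/LAN, "
                        "so untagged frames would leak into it")
    for g in groups:
        if g.vlan in (0, 4095):
            findings.append(f"port group {g.name}: VLAN {g.vlan} is untagged/"
                            "guest-tagged, frames fall into the native VLAN")
        elif trunk.mode == "trunk" and g.vlan not in trunk.allowed:
            findings.append(f"port group {g.name}: VLAN {g.vlan} not allowed on {trunk.name}")
    modem_ports = [p.name for p in ports if p.mode == "access" and p.vlan == wan_vlan]
    if len(modem_ports) != 1:  # only the modem may sit on the WAN VLAN
        findings.append(f"WAN VLAN {wan_vlan} needs exactly one access port, has {modem_ports}")
    return findings


# Constructed sample plans: oj88's Port 1 trunk, Port 2 modem, Port 3 LAN.
GOOD_PORTS = [SwitchPort("gi1", "trunk", vlan=1, allowed={WAN, LAN}),
              SwitchPort("gi2", "access", vlan=WAN),
              SwitchPort("gi3", "access", vlan=LAN)]
GOOD_GROUPS = [PortGroup("WAN", WAN), PortGroup("LAN", LAN)]
BAD_GROUPS = [PortGroup("WAN", 0), PortGroup("LAN", LAN)]       # WAN left untagged
BAD_PORTS = [SwitchPort("gi1", "trunk", vlan=WAN, allowed={WAN, LAN}),  # native = WAN
             SwitchPort("gi2", "access", vlan=LAN),              # modem on the LAN
             SwitchPort("gi3", "access", vlan=LAN)]

if __name__ == "__main__":
    for label, ports, groups in (("good", GOOD_PORTS, GOOD_GROUPS),
                                 ("bad groups", GOOD_PORTS, BAD_GROUPS),
                                 ("bad ports", BAD_PORTS, GOOD_GROUPS)):
        print(label, check_plan(ports, groups, "gi1") or "ok")
```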
ikon

Mistakes like you mention, oj88, are definitely part of the reason I prefer physical NICs. I call these 'tripping over the power cord' mistakes: nobody does them on purpose, but human beings are klutzy; why take the chance? Also, if somehow I find myself in the situation where my LAN is under attack from the Internet, I can easily disconnect by physically unplugging the cable.

yud

Thanks for all the replies.

Given that I cannot install a 2nd physical NIC (no spare PCI slot) should I give up using UTM and just stick to my Asus router? I really like some of the features the UTM offers. And I really don't want to run another physical machine (noise, power consumption, space, etc).

Any ideas?
ikon

Given that one of the NICs is for the Internet, you could easily use a USB NIC for it. Even USB2 will have way more speed than your Internet connection.

 

Do you mind saying what you have in the 2 PCIe slots in the N54L?

schoondoggy

The 54L has x16 and x1 slots. Are both populated? There are a few x1 dual port NICs.
ikon

The 54L has x16 and x1 slots. Are both populated? There are a few x1 dual port NICs.

 

Exactly.

yud

Given that one of the NICs is for the Internet, you could easily use a USB NIC for it. Even USB2 will have way more speed than your Internet connection.

 

Do you mind saying what you have in the 2 PCIe slots in the N54L?

Didn't think of a USB NIC! Thanks!

(I love this forum...)

I have a P410 in one PCI slot and a RAC in the other.

Started contemplating removing the RAC and installing a NIC. But I will first explore the option of a USB NIC.

Does anyone know of a USB NIC which will work with ESXi?
yud

Having second thoughts, I'm now considering removing the RAC and installing a gigabit NIC.

 

I know it's been covered previously but can anyone remember/know which gigabit NIC can fit in the x1 PCIe slot? (I already have the P410 in the x16 slot)

 

EDIT: preferably dual port
