Ethernet VLAN

In order to connect Sophos UTM on AWS to virtual LANs, the system requires a network card with a tag-capable (IEEE 802.1Q) driver. A tag is a 4-byte field inserted into the Ethernet header between the source MAC address and the EtherType: 2 bytes announce that the frame is tagged (the TPID, 0x8100) and 2 bytes carry the tag control information, which includes the 12-bit VLAN identifier naming the VLAN the frame belongs to. A 12-bit field has 4096 values, but 0 and 4095 are reserved by the standard, so 4094 VLANs (tags 1 to 4094) are usable. In WebAdmin this number is referred to as the VLAN tag.

Note – Sophos maintains a list of supported tag-capable network interface cards. The Hardware Compatibility List (HCL) is available at the Sophos Knowledge Base. Use "HCL" as the search term to locate the corresponding page.
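The tag layout described above, as an added example that is not part of the Sophos documentation or product: it builds and decodes 802.1Q-tagged frames, rejects the reserved VLAN identifiers 0 and 4095, and shows the 4 bytes a tag adds on the wire (which matters when you later choose an MTU). The MAC addresses and payload are constructed sample data; the TPID value 0x8100 and the PCP/DEI/VID split of the tag control information are the standard's.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces a VLAN tag
ETH_HDR_LEN = 14      # destination MAC (6) + source MAC (6) + EtherType (2)
VLAN_TAG_LEN = 4      # TPID (2) + Tag Control Information (2)
FCS_LEN = 4           # frame check sequence appended by the NIC


def vid_usable(vid: int) -> bool:
    """VID 0 marks a priority-tagged frame with no VLAN and 4095 is reserved."""
    return 1 <= vid <= 4094


def build_tagged_frame(dst: bytes, src: bytes, vid: int, ethertype: int,
                       payload: bytes, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert an 802.1Q tag between the source MAC and the original EtherType."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    if not vid_usable(vid):
        raise ValueError(f"VLAN tag {vid} is not usable; valid tags are 1-4094")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP must be 0-7 and DEI 0 or 1")
    tci = (pcp << 13) | (dei << 12) | vid     # 3 bits PCP, 1 bit DEI, 12 bits VID
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header; 'vid' is None when the frame carries no tag."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"),
            "vid": None, "pcp": None, "dei": None}
    offset = ETH_HDR_LEN
    if ethertype == TPID_8021Q:
        if len(frame) < ETH_HDR_LEN + VLAN_TAG_LEN:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF)
        offset += VLAN_TAG_LEN
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def max_frame_size(mtu: int, tagged: bool) -> int:
    """Bytes on the wire (including FCS) for a payload of `mtu` bytes."""
    return ETH_HDR_LEN + (VLAN_TAG_LEN if tagged else 0) + mtu + FCS_LEN


if __name__ == "__main__":
    # Constructed sample: a broadcast IPv4 frame on VLAN 100 with priority 5
    frame = build_tagged_frame(b"\xff" * 6, bytes.fromhex("020000000001"),
                               vid=100, ethertype=0x0800,
                               payload=b"\x45" + b"\x00" * 19, pcp=5)
    print(parse_frame(frame))
    print("tagged frame with a 1500-byte MTU on the wire:", max_frame_size(1500, True))
```

A VLAN interface with the default MTU of 1500 therefore produces 1522-byte frames (1518 untagged); the physical NIC and the switch port must accept those 4 extra bytes, which tag-capable drivers do.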

To configure an Ethernet VLAN interface, proceed as follows:

  1. On the Interfaces tab, click New Interface.

    The Add Interface dialog box opens.

  2. Make the following settings:

    Name: Enter a descriptive name for the interface.

    Type: Select Ethernet VLAN from the drop-down list.

    Hardware: Select an interface from the drop-down list.

    Dynamic IP: Select this option if you want to use a dynamic IP address.

    VLAN Tag: Enter the VLAN tag to use for this interface.

    IPv4/IPv6 address: Enter the IP address of the interface.

    Netmask: Select a network mask (IPv4) and/or enter an IPv6 network mask.

    IPv4/IPv6 default GW (optional): Select this option if you want to use a statically defined default gateway.

    Default GW IP (optional): Enter the IP address of the default gateway.

    Note – You can configure an interface to have an IPv4 and an IPv6 address simultaneously.

    Comment (optional): Add a description or other information.

  3. Optionally, make the following advanced settings:

    MTU: Enter the maximum transmission unit for the interface in bytes. If you want to use traffic management, you must enter a value that fits your interface type. A sensible value for the interface type is entered by default; only technically adept users should change it, because a wrong value can render the interface unusable. An MTU greater than 1500 bytes must be supported by the network operator and the network card (e.g., a Gigabit interface). Note that the 802.1Q tag adds 4 bytes to every frame, so the underlying hardware interface and the switch port must accept frames 4 bytes larger than the MTU configured here. By default, an MTU of 1500 bytes is set for the Ethernet VLAN interface type.

    Default route metric: Enter the default route metric for the interface. The metric is used to distinguish and prioritize routes to the same destination (the route with the lower metric is preferred) and is available on all interface types.

    Proxy ARP: To enable the function, select the checkbox. By default, Proxy ARP is disabled (Off). This option is available on broadcast-type interfaces. When it is enabled, Sophos UTM on AWS answers ARP requests on that interface on behalf of hosts "behind" it, so it "attracts" their traffic and forwards it. It does this for every host it has a direct interface route to via another interface. This lets you build "transparent" network bridging while still firewalling the traffic. Another use for this feature is when your ISP's router simply places your "official" network on its Ethernet interface (it has no host route for your addresses), so your hosts must appear to be directly connected to it. Because the firewall will claim every address covered by such a route, check the interface routes on both sides before enabling this on a segment you do not control.

    Asymmetric (optional): Select this option if your connection's uplink and downlink bandwidths differ and you want the Dashboard to reflect this. Two text boxes are then displayed, allowing you to enter the maximum uplink bandwidth in either MB/s or KB/s. Select the appropriate unit from the drop-down list.

    Displayed max (optional): Here you can enter the maximum downlink bandwidth of your connection, if you want the Dashboard to reflect it. The bandwidth can be given in either MB/s or KB/s. Select the appropriate unit from the drop-down list.

  4. Click Save.

    The system will now check the settings for validity. After a successful check the new interface will appear in the interface list. The interface is not yet enabled (toggle switch is gray).

  5. Enable the interface.

    Click the toggle switch to activate the interface.

    The interface is now enabled (toggle switch is green). The interface might still be displayed as being Down. The system requires a short time to configure and load the settings. Once the Up message appears, the interface is fully operable.
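The Proxy ARP behaviour described in step 3, as an added example that is not Sophos code: a small simulator decides whether the firewall should answer an ARP request that arrives on one interface, using the rule the text gives (answer for targets it has a direct interface route to via a different interface, and only when Proxy ARP is on for the ingress interface). Interface names, MAC addresses and the 198.51.100.0/24 addressing are constructed; the scenario is the one the text mentions, where the ISP router has the "official" network on its Ethernet interface and a more specific part of it lives behind the firewall. The decision rule mirrors the Linux proxy_arp behaviour; the exact internals of UTM are an assumption here.

```python
import ipaddress


class Interface:
    """One broadcast interface with its address, MAC and Proxy ARP switch."""

    def __init__(self, name: str, mac: str, cidr: str, proxy_arp: bool = False):
        self.name = name
        self.mac = mac
        self.addr = ipaddress.ip_interface(cidr)   # own IP plus connected network
        self.proxy_arp = proxy_arp


class ProxyArpSimulator:
    def __init__(self, interfaces):
        self.ifaces = {i.name: i for i in interfaces}

    def egress_for(self, target):
        """Longest-prefix match over the direct interface routes only."""
        best = None
        for iface in self.ifaces.values():
            net = iface.addr.network
            if target in net and (best is None
                                  or net.prefixlen > best.addr.network.prefixlen):
                best = iface
        return best

    def handle_arp_request(self, ingress: str, target_ip: str):
        """Return the MAC to answer with, or None to stay silent."""
        ingress_if = self.ifaces[ingress]
        target = ipaddress.ip_address(target_ip)
        if target == ingress_if.addr.ip:
            return ingress_if.mac       # ordinary ARP: our own address on this segment
        egress = self.egress_for(target)
        if egress is None:
            return None                 # no direct interface route: never proxied
        if egress.name == ingress:
            return None                 # target sits on the asking segment; it answers itself
        if not ingress_if.proxy_arp:
            return None                 # Proxy ARP is Off on the ingress interface
        return ingress_if.mac           # attract the traffic, then route it out via egress


if __name__ == "__main__":
    # Constructed topology: the ISP router sees 198.51.100.0/24 on its Ethernet
    # port (eth0 side); 198.51.100.128/25 is a DMZ behind the firewall on eth1.
    sim = ProxyArpSimulator([
        Interface("eth0", "02:00:00:00:00:a0", "198.51.100.1/24", proxy_arp=True),
        Interface("eth1", "02:00:00:00:00:a1", "198.51.100.129/25"),
    ])
    for ingress, target in [("eth0", "198.51.100.130"), ("eth0", "198.51.100.5"),
                            ("eth1", "198.51.100.5"), ("eth0", "10.0.0.1")]:
        print(f"ARP for {target} on {ingress}: {sim.handle_arp_request(ingress, target)}")
```

With this configuration the ISP router's ARP request for 198.51.100.130 is answered with eth0's MAC and the packet is then routed into the DMZ, while a request for a host on eth0's own segment is left alone. Enabling Proxy ARP on eth1 as well would make the firewall answer DMZ hosts' requests for the outside hosts too, which is the "transparent bridging" case.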

To show only interfaces of a certain type, select the type of the interfaces you want to have displayed from the drop-down list. To either edit or delete an interface, click the corresponding buttons.