I need my WAN interface on an XG 115 to be configured with a VLAN tag ID.
On the SG I managed to do it, but now in the XG I'm not finding how it can be done.
Thank you.
Hi MarcoTeixeira,
To configure a VLAN on any interface, you first need to assign any Network Zone and set IP Assignment to DHCP. Then you can go and add the VLAN interface.
Kindly refer to the KBA.
Regards, Ronak.
This KBA is for VLAN on the LAN interface.
We have the same issue. Our ISP requires a VLAN tag on the WAN interface.
I have configured a VLAN interface on the physical WAN interface - this has the static IP details and the VLAN tag.
On the WAN link manager this connects fine.
However, the WAN port has been configured as WAN using DHCP - this shows as not connected in the WAN link manager.
No traffic flows from the WAN port onto our LAN? Do we need to configure further firewall rules to allow this to happen?
Hello Mark Stapleton,
You will need a firewall rule for all traffic, if you want to allow traffic from one zone to another or from one interface to another.
Regards, Ronak.
But both the VLAN and the WAN are on the same physical port?
Can you provide me with an example?
You can use PPPoE as a mode with DHCP and "Preference IP" plus VLAN ID.
This won't work as we only have static IP details from the ISP (no PPPoE login).
Hello Mark Stoker,
Assume you have configured port2 as follows.
Port2 as LAN Zone with IP 192.168.10.1/24
Port2 with VLAN 20 as LAN Zone with IP 192.168.20.1/24
Port2 with VLAN 30 as WAN Zone with IP as 10.10.10.10/24 and Gateway as 10.10.10.1
Scenario 1.
Allow traffic between 192.168.10.X to 192.168.20.x
Src Zone: LAN / Src Net: 192.168.10.x/24
Dst Zone: LAN / Dst Net: 192.168.20.x/24
Service: Any
Scenario 2.
Allow traffic from LAN 192.168.10.x and 192.168.20.x to WAN.
Src Zone: LAN / Src Net: Any
Dst Zone: WAN / Dst Net: Any
Service: Any
Rewrite Source Address: Enable
Primary Gateway: WAN-Link Load Balance
Similarly, you can also create a business rule to forward WAN-to-LAN traffic.
Regards, Ronak.
Doesn't really answer my question!
Hi Mark,
I didn't understand all of your questions, but I hope the below can help a little bit with your case.
(1) Configure the VLAN interface on top of the WAN physical interface.
The config result is like below.
What Sophos suggested is:
create a dummy zone (named "WAN_Physical", type "DMZ", with no firewall rules associated with this interface),
assign this zone to the physical WAN interface and set a private static IP for the physical interface,
add the VLAN interface as the KB mentions (portC.10 in my case; the detailed KB is https://community.sophos.com/kb/en-us/123127), and put the VLAN interface in the WAN zone.
(2) Create firewall rules to allow/deny traffic as you want.
Only the default LAN-to-WAN rule is applied in my sample.
(3) Traffic initiated by LAN users will go through this default rule.
If you want to set up some WAN-to-LAN traffic, for example, to allow Internet users to access an FTP server in your LAN, you have to create another separate rule to achieve this. I used a DNAT rule example here. The KB URL is https://community.sophos.com/kb/en-us/122976.
Hoping this can answer your questions :)
Hi Peng
I have already solved this but thanks for the input anyway.
For 1.) I just assigned the physical WAN interface as DHCP, then added the VLAN as you suggested. Did not need any dummy zone, just a normal LAN -> WAN firewall rule and VPN rules.
All I needed to do then was to bind my VPNs to the VLAN port (not the physical port) and everything worked.
Thanks
Mark