
Add multiple VLAN Subinterfaces to a bridge

Hi there,

I'm currently in the process of migrating over 100 Sonicwalls to XG Firewalls. Grueling process but I've run into a snag here.

One of our clients has multiple Unifi Access Points connected to their Sonicwall. They should be using a switch for this, but they're a small company, so this is what I have to deal with. These access points use multiple VLANs for the various SSIDs that they are serving. My question is how I can configure my XG Firewall running v18-MR1 to be similar to their Sonicwall in this regard.

The Sonicwall has one interface configured with multiple VLAN Sub-interfaces configured with IPs for routing. That single interface is then added to a switchport group with 2 other physical interfaces.

My initial step was to add the three physical interfaces on the XG Firewall to a bridge interface and configure the VLANs and IPs off of the bridge. This did not work as intended. The access points were unable to serve traffic to the Internet or even pass DHCP on to connected wireless clients. I've also been googling around and the only post I can find referencing this issue was from 3 years ago with the answer "This is coming in V18." I have been unable to find any recent documentation regarding adding multiple sub-interfaces to a bridge and having it work properly.

Has anyone here done this successfully and can help me figure this out? Thanks in advance!

Cheers.



  • As far as I can see, this should work as you configured it.

    You need to put the interfaces into a bridge. Put the VLAN on this bridge and it should work, if the switch is configured correctly.

    So the interfaces (VLANs) of the bridge are in a zone; do you have a firewall rule to allow traffic coming from this VLAN to the WAN?

  • Yeah, it's weird. I did exactly that, and I'm pretty sure I did have the rules allowing the VLANs to the WAN. Wireless clients were able to reach the Internet once I removed the bridge. My memory is not that reliable, so I can't remember if I did anything else... Unfortunately I'm unable to test the firewall I have at that customer; no one's in the office and testing in prod is frowned upon.

    I should be able to test it again in a couple of days, I'll configure our "testing" firewall and see what happens. Maybe I did forget the rule.

  • So I've finally been able to test this further and I can verify this is not working.

    I have 5 interfaces in a bridge. Each interface is configured in the bridge to be in the LAN zone. I have then added a VLAN to the bridge in the Wireless_Guest zone. I have 3 Unifi Access Points connected to these ports that serve networks over VLAN 1 (Corp Wifi) and VLAN 10 (Guest Wifi). When a client is connected to the corp wifi, traffic passes just fine. When a client is connected to the guest wifi, they are able to ping Internet hosts, but are unable to browse to any website.

    When I look at the log viewer I can see numerous "Could not associate packet to any connection." messages coming in from the numerous ports. Never br0. Corp Wifi (vlan 1) traffic also shows as coming from the separate ports, never br0. I see the odd br0.10 packet but the rest are "Could not associate" coming in from physical ports.
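The topology under discussion (several physical ports in one bridge, a tagged guest VLAN carried on all of them, and the firewall's own guest IP on a VLAN subinterface of the bridge rather than of any port) can be reproduced and checked outside the appliance. The script below is an added example written for this thread, not code from the original posts and not Sophos XG commands: it uses plain iproute2 on a generic Linux host, since XG's GUI abstracts the same bridge/VLAN objects but exposes none of this directly. The bridge name br0, the port names p1..p3, VLAN 10 as guest, 10.10.10.1/24 as the guest gateway and the network namespace name xgtest are all assumptions for illustration. It builds the command plan, checks that the plan includes the bridge device's own membership in VLAN 10 (on Linux, without that `self` entry the ports still switch tagged guest frames between themselves but br0.10 never sees them, which is a plausible generic explanation for "the odd br0.10 packet" and everything else arriving on physical ports; whether XG's bridge behaves the same way is not established by this thread), and can apply the plan in a throwaway namespace as root.

```shell
#!/bin/sh
# Added example (not from the forum thread, not Sophos XG CLI): generic Linux
# equivalent of "VLAN subinterface on a bridge" with a VLAN-filtering bridge.
# Assumed names: bridge br0, ports p1..p3, guest VLAN 10, 10.10.10.1/24, netns xgtest.
set -eu

BR=br0
GUEST_VID=10
GUEST_GW=10.10.10.1/24
NS=xgtest

# Print the iproute2 commands for a VLAN-aware bridge whose own subinterface
# ($BR.$GUEST_VID) carries the firewall's guest IP. Arg: space-separated ports.
# Untagged frames stay in the bridge's default VLAN 1 (corp); VLAN 10 is tagged.
plan_bridge_vlan() {
    ports="$1"
    echo "ip link add $BR type bridge vlan_filtering 1"
    for p in $ports; do
        echo "ip link set $p master $BR up"
        echo "bridge vlan add dev $p vid $GUEST_VID"      # tagged guest VLAN on the port
    done
    # Easily forgotten: the bridge device itself must be a member of VLAN 10
    # ('self'), otherwise $BR.$GUEST_VID never receives guest frames even
    # though the ports forward them to each other.
    echo "bridge vlan add dev $BR vid $GUEST_VID self"
    echo "ip link add link $BR name $BR.$GUEST_VID type vlan id $GUEST_VID"
    echo "ip addr add $GUEST_GW dev $BR.$GUEST_VID"
    echo "ip link set $BR up"
    echo "ip link set $BR.$GUEST_VID up"
}

# Sanity check on a plan (as produced above or pasted from elsewhere): the
# bridge must be in the guest VLAN itself, and the VLAN subinterface must
# hang off the bridge, not off a physical port. Returns 0 when both hold.
plan_is_complete() {
    plan="$1"
    printf '%s\n' "$plan" | grep -q "dev $BR vid $GUEST_VID self" || return 1
    printf '%s\n' "$plan" | grep -q "link $BR name $BR.$GUEST_VID type vlan" || return 1
    return 0
}

# Apply the plan in a fresh network namespace, with veth pairs standing in for
# the three physical ports (the ap* ends stay in the host namespace so tagged
# test traffic can be injected there). Needs root / CAP_NET_ADMIN.
apply_in_netns() {
    ip netns add "$NS"
    for i in 1 2 3; do
        ip link add "p$i" type veth peer name "ap$i"
        ip link set "p$i" netns "$NS"
        ip link set "ap$i" up
    done
    plan_bridge_vlan "p1 p2 p3" | while IFS= read -r cmd; do
        ip netns exec "$NS" sh -c "$cmd"
    done
    # Expect: p1..p3 with '1 PVID Egress Untagged' and '10'; br0 with '10' (self).
    ip netns exec "$NS" bridge vlan show
}

case "${1:-}" in
    apply) apply_in_netns ;;
    show)  plan_bridge_vlan "p1 p2 p3" ;;
esac
```

Run `sh bridge_vlan.sh show` to print the plan, or `sudo sh bridge_vlan.sh apply` to build it in the xgtest namespace and dump `bridge vlan show`; remove it afterwards with `ip netns del xgtest`. Inside the namespace, `tcpdump -i br0.10` versus `tcpdump -i p1 -e vlan 10` distinguishes "the bridge switches guest frames between ports" from "the firewall's guest interface actually receives them", which is the split the log viewer output above seems to show.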