
One VLAN on two physical interfaces

Hi,

So I have two physical interfaces and want to have the native VLAN and VLAN 10 on both of them. The first interface is connected to a wireless AP and the second is connected to a switch. The goal here is that wireless devices on VLAN 10 should be able to talk to wired devices connected to the switch on VLAN 10. VLAN 10 is for IoT devices.

To achieve this I created a bridge with the two physical interfaces as members. I then added VLAN 10 to that bridge. I also set up two DHCP-servers, one for each VLAN. 

Devices connected to either the VLAN 10 SSID or a VLAN 10 port in the switch are assigned the correct IP addresses. I've set up a firewall rule that allows any host in the IOT zone to access the WAN zone.

The problem is that devices on VLAN 10 can't access the internet. Looking in the log, some packets are going through but some are labelled "Could not associate packet to any connection." and are denied. Different packets with the same source and destination IP are sometimes allowed and sometimes denied. The ones that are allowed have "in interface: bridge.10". The ones that are denied have "in interface: port2".

Devices not on VLAN 10 work just fine. 

I'm on version SFVH (SFOS 18.0.5 MR-5-Build586).

Big thanks for any advice. 



  • FormerMember

    Hi Delanius55, Thanks for reaching out to Sophos Community

    This is a bit tricky but I'll try to explain it as simply as I can.

    Referring to the packet capture you've attached, the packets which are showing denied (in red) are actually IN packets to the interface Port2, which are just showing because the firewall is receiving the packet on that physical interface.

    An actual packet that is going to the WAN is showing IN from port 'Bridge.10', which is the packet tagged by the downstream device with VLAN 10, and it's the actual packet that is going out to the WAN from that virtual bridged VLAN interface.

    -> It shows invalid because, for network 192.168.1.0/24, the firewall is expecting packets tagged with ID 10. The ones which are showing as "Invalid" in Log Viewer are the IN packet entries for the physical interface Port2 and not the virtual bridged VLAN 10 interface. Hence "Couldn't associate packet to any connection".

    Nothing to get confused about; this is just the way the firewall logs these packets.

    For example here, I have a bridge of Port2,3,4 (Name: Port2_3_4) and a VLAN 10 on that Bridge.



    Now I ping from IP 10.10.10.10 to 1.1.1.1 and here's the packet capture on CLI



    -> Coming back to your issue, it seems that the packet that goes out to the WAN shows a NAT rule match with ID 2 but is not NATed with your WAN port's IP address.

    Can you just check the NAT rule and see if the SNAT is selected as MASQ or just kept original. If it's selected as Original, Change it to MASQ.


    If this doesn't work then we can try something else depending upon your configuration

    Hope this helps :)

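As an added example (not from the thread, the poster, or Sophos), a small triage script that applies the explanation above to exported log lines: for each flow it counts allows seen on the bridge VLAN sub-interface against "Could not associate" denies seen on the bridge's physical member ports, so the expected member-port noise can be separated from denies that are worth investigating. The key="value" field names, the member port names and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the key="value" style of SFOS log exports; the field
# names (status, in_interface, message, ...) are assumptions, not taken from the thread.
SAMPLE_LOG = """\
log_component="Firewall Rule" status="Allow" in_interface="bridge.10" out_interface="Port1" src_ip="192.168.1.50" dst_ip="1.1.1.1" dst_port="443" fw_rule_id="2"
log_component="Invalid Traffic" status="Deny" in_interface="Port2" out_interface="" src_ip="192.168.1.50" dst_ip="1.1.1.1" dst_port="443" message="Could not associate packet to any connection."
log_component="Firewall Rule" status="Allow" in_interface="bridge.10" out_interface="Port1" src_ip="192.168.1.50" dst_ip="1.1.1.1" dst_port="443" fw_rule_id="2"
log_component="Invalid Traffic" status="Deny" in_interface="Port3" out_interface="" src_ip="192.168.1.50" dst_ip="1.1.1.1" dst_port="443" message="Could not associate packet to any connection."
log_component="Invalid Traffic" status="Deny" in_interface="Port2" out_interface="" src_ip="192.168.1.77" dst_ip="8.8.8.8" dst_port="53" message="Could not associate packet to any connection."
"""

BRIDGE_VLAN = "bridge.10"            # VLAN sub-interface on the bridge, as in the thread
BRIDGE_MEMBERS = {"Port2", "Port3"}  # physical member ports of that bridge (assumed names)
NOISE_MSG = "Could not associate packet to any connection."
KV = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """One key="value" log line -> dict (empty for blank or unparseable lines)."""
    return dict(KV.findall(line))


def triage(log_text):
    """Per (src, dst, dport) flow, decide whether its denies are the expected
    member-port view of a packet really handled on BRIDGE_VLAN, or something
    to investigate (e.g. a flow that never gets an allow on the VLAN at all)."""
    flows = defaultdict(lambda: {"vlan_allows": 0, "member_noise": 0, "other": 0})
    for line in log_text.splitlines():
        e = parse_line(line)
        if not e:
            continue
        f = flows[(e["src_ip"], e["dst_ip"], e.get("dst_port", ""))]
        if e["status"] == "Allow" and e["in_interface"] == BRIDGE_VLAN:
            f["vlan_allows"] += 1
        elif (e["status"] == "Deny" and e["in_interface"] in BRIDGE_MEMBERS
              and e.get("message") == NOISE_MSG):
            f["member_noise"] += 1
        else:
            f["other"] += 1
    verdicts = {}
    for key, f in flows.items():
        if f["member_noise"] and f["vlan_allows"] and not f["other"]:
            verdicts[key] = "expected: member-port entries for a flow carried on " + BRIDGE_VLAN
        elif f["member_noise"] and not f["vlan_allows"]:
            verdicts[key] = "investigate: member-port denies but no allow on " + BRIDGE_VLAN
        else:
            verdicts[key] = "investigate: unexpected log pattern"
    return verdicts
```

A flow that only ever shows member-port denies and never an allow on bridge.10 is the case to look at, since the VLAN-side packet that should have reached the WAN is missing there.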