Sophos XG & Bridge & VLAN

Hi everyone…

I need help configuring the Sophos XG Firewall and understanding how bridges and VLANs work on XG (if they work), and how to TAG/UNTAG VLANs…

There is a requirement for 3 separate zones, each with its own VLAN, its own DHCP server and its own FW/AV/IPS/threat rules…

On one port a switch with VLAN support is connected, and it needs TAGGED VLANs from XG. If I create VLANs on ETH1 and set the DHCP server to use those VLANs, DHCP on the switch ports works normally (depending on which VLAN is configured on the port).

Some computers/devices are also connected directly to the XG, because the XG has enough ETH ports and the switch is at another location, so they can't be connected to the switch…

How can I add ETH7 to the same PRIVATE zone (DHCP, rules)? The port's VLAN tag must be removed, because the connected device does not support VLAN tagging.

I tried to create a BRIDGE with all ETH ports and create VLANs on that BRIDGE; the switch works ok, but the direct ports didn't work…

Zones:

The LAN zone is a »blackhole« zone without a DHCP server and without access to anything.

BRIDGE with VLAN's:

That configuration works ok with the switch, which supports VLAN tagging, but not with a PC/device connected directly to XG ports (4, 5, 6, 7)… Devices do not receive anything from the DHCP server…

What am I doing wrong, or how can I get what I want?

Maybe this diagram will make clearer what I need:

Thanks for any help and hints.
  • So actually VLAN ID 1 or "Untagged" in such a matter is the physical port. You can bridge all ports to one bridge interface. You can place VLAN(s) on top of this physical interface or on top of the bridge.

    You cannot bridge a particular VLAN to another VLAN or to another physical interface. You cannot place a VLAN on a single member interface of a bridge; it will always be on the entire bridge.

    Your setup is not possible (likely an odd setup anyway? Why are systems directly attached and then there is a VLAN switch? Shouldn't the clients be connected to the switch?)

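To make the behaviour described in the reply concrete, here is an added Python model (not code from Sophos or from anyone in this thread) of how 802.1Q frames in the original poster's topology land on a bridge with VLANs on top: a tagged frame from the trunk reaches the VLAN sub-interface that owns the DHCP scope, while an untagged frame from a directly attached PC lands on the bare bridge, which the poster left in the DHCP-less LAN zone. The interface names br0 and br0.<vid> and the port set are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Frame:
    """An Ethernet frame as the firewall sees it on ingress."""
    ingress_port: str          # physical port, e.g. "eth1" or "eth7"
    vlan_id: Optional[int]     # 802.1Q VID, or None if the frame is untagged


@dataclass
class BridgeWithVlans:
    """Bridge of physical ports with VLAN sub-interfaces on top of the whole bridge.

    Assumed names (illustration only): the bridge is "br0" and VLAN sub-interfaces
    are "br0.<vid>". A VLAN sub-interface cannot be bound to a single member port.
    """
    members: Set[str]                  # physical ports bridged into br0
    vlan_ifaces: Dict[int, str]        # VID -> sub-interface, e.g. 10 -> "br0.10"
    dhcp_ifaces: Set[str]              # interfaces that have a DHCP server bound

    def landing_interface(self, frame: Frame) -> Optional[str]:
        """Return the interface that receives the frame, or None if it is dropped."""
        if frame.ingress_port not in self.members:
            return None                             # port is not part of the bridge
        if frame.vlan_id is None:
            return "br0"                            # untagged = the bridge itself
        return self.vlan_ifaces.get(frame.vlan_id)  # unknown VID -> dropped

    def gets_dhcp_offer(self, frame: Frame) -> bool:
        """True only if the frame reaches an interface that runs a DHCP server."""
        iface = self.landing_interface(frame)
        return iface is not None and iface in self.dhcp_ifaces


# Constructed scenario mirroring the thread: all ports bridged, three VLANs with
# DHCP scopes on the bridge, and the bare bridge left in a zone without DHCP.
XG = BridgeWithVlans(
    members={"eth1", "eth4", "eth5", "eth6", "eth7"},
    vlan_ifaces={10: "br0.10", 20: "br0.20", 30: "br0.30"},
    dhcp_ifaces={"br0.10", "br0.20", "br0.30"},
)


def dhcp_results() -> Dict[str, bool]:
    """DHCP outcome for a tagged trunk port versus an untagged direct port."""
    return {
        "switch on eth1, tag 10": XG.gets_dhcp_offer(Frame("eth1", 10)),
        "pc on eth7, untagged": XG.gets_dhcp_offer(Frame("eth7", None)),
    }
```

The untagged PC's frames reach "br0", so the only way to give it a lease from a bridge-wide VLAN scope would be for the device itself to tag, which is exactly what the poster says it cannot do.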
  • Thanks for the reply.

    The customer already has a setup like this, but using another vendor's router, and it works without issues; but they want to upgrade to a next-gen firewall and I'm trying to push Sophos to them... But if this is not possible they will probably look for another product... If this is not possible I'm not sure why XG has so many eth ports if you are limited in combining them... Is it maybe possible to do this via the advanced shell?

    The switch with the VLAN trunk is at another location far away. If I try to offer them another switch near the XG they will probably refuse the offer and look for another firewall which is not limited...

  • As mentioned earlier: this is a very bad design. XG is not a switch in the first place (to add tags).