XG, and VLANs on Bridges - feedback needed

The request keeps coming up, that we need to support adding VLAN tagged interfaces on top of bridge and lag interfaces. This is on the backlog, but I want to make sure that it's understood what XG can already do, and what gaps still exist, so that it can be properly prioritized.

A common UTM9 example of bridges and VLANs would be to put a bridged firewall inline between a core switch and the perimeter router, where the traffic passing over that link is all or mostly VLAN tagged. In UTM9, you must create a VLAN interface on top of the bridge for every VLAN you want to control. So if you have five VLANs, you need five VLAN interfaces on the bridge. Then, when you intercept and proxy web traffic, the firewall makes its outgoing request over one of its gateway interfaces, not necessarily the gateway that the filtered client was expecting it to use.

Now in XG, create a bridge, and deploy it in the same way as the above example - but don't create VLAN tagged interfaces per VLAN. XG will still intercept and proxy all VLAN tagged traffic, just as you'd expect in the UTM case, but without needing to create a tagged VLAN interface. In addition, it will re-tag the traffic leaving the proxy, send it out the same gateway that the client expected to use, and it will appear to come from the originating client. It's like the full-transparent mode on UTM9, but better, as it honors the original routing expected by the client. This means that it's also safer to deploy in multi-tenant environments, as it won't allow one tenant to make requests into another tenant's network. While you can block that behavior on UTM9, it takes extra effort and consideration.

With all of that said, I'd like to know what scenarios still critically require VLAN interfaces on a bridge. I can't think of any, other than if you are not entirely using it as a bridge, but as the network gateway for clients behind it. I understand the need for adding a tagged VLAN with an ID of 1, and that is also on the backlog, but not part of this topic; that one I understand clearly, what is needed and why. What I want to be clear on is whether I'm missing a common use case regarding VLANs and bridges, or whether the current capabilities just aren't well advertised enough. What do you think?
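
To make concrete what "read the tag, proxy the traffic untagged, then re-tag it as the client's frame" means at the frame level, here is an added example that is not Sophos code and does not describe XG's implementation. It parses 802.1Q and QinQ tag stacks, strips them for a proxy that has no VLAN interfaces, re-applies the client's exact tag stack (TPID, VID and priority bits) to a proxy-originated frame, and gives a tenant-isolation check that refuses to forward between VLANs. The MAC addresses and payloads are constructed test data.

```python
"""802.1Q tag parsing, stripping and re-tagging for a bridged transparent proxy.

Added example, not Sophos code. All frames below are constructed test data.
"""
import struct

ETH_P_8021Q = 0x8100   # C-TAG TPID (customer VLAN tag)
ETH_P_8021AD = 0x88A8  # S-TAG TPID (QinQ outer tag)
ETH_P_IP = 0x0800
TAG_TPIDS = (ETH_P_8021Q, ETH_P_8021AD)


def parse_frame(frame: bytes):
    """Split an Ethernet frame into (dst, src, tags, ethertype, payload).

    tags is a list of (tpid, tci) tuples from outermost to innermost, so a
    single-tagged frame yields one entry and a QinQ frame yields two.
    Raises ValueError on truncated headers instead of reading past the end.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    off = 12
    tags = []
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated EtherType/TPID field")
        (ethertype,) = struct.unpack_from("!H", frame, off)
        off += 2
        if ethertype not in TAG_TPIDS:
            return dst, src, tags, ethertype, frame[off:]
        if len(frame) < off + 2:
            raise ValueError("truncated 802.1Q TCI field")
        (tci,) = struct.unpack_from("!H", frame, off)
        off += 2
        tags.append((ethertype, tci))


def vlan_ids(frame: bytes):
    """VLAN IDs outer-to-inner ([] for untagged). The VID is the low 12 bits of the TCI."""
    return [tci & 0x0FFF for _, tci in parse_frame(frame)[2]]


def build_frame(dst: bytes, src: bytes, tags, ethertype: int, payload: bytes) -> bytes:
    """Assemble a frame; tags are (tpid, tci) pairs applied outermost first."""
    hdr = dst + src
    for tpid, tci in tags:
        hdr += struct.pack("!HH", tpid, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def strip_tags(frame: bytes) -> bytes:
    """What the proxy sees: the client's frame with every VLAN tag removed."""
    dst, src, _, ethertype, payload = parse_frame(frame)
    return build_frame(dst, src, [], ethertype, payload)


def retag_like(reference_frame: bytes, outgoing_frame: bytes) -> bytes:
    """Give outgoing_frame the exact VLAN stack (TPIDs, VIDs, PCP/DEI bits) of reference_frame.

    A proxy with no VLAN interfaces emits untagged frames; replaying the tags of
    the client frame it is acting for puts the request back on the client's own
    VLAN toward the client's own gateway. Any tags already on outgoing_frame are dropped.
    """
    _, _, ref_tags, _, _ = parse_frame(reference_frame)
    dst, src, _, ethertype, payload = parse_frame(outgoing_frame)
    return build_frame(dst, src, ref_tags, ethertype, payload)


def same_vlan(frame_a: bytes, frame_b: bytes) -> bool:
    """Tenant-isolation check: only frames with identical VID stacks may be forwarded to each other."""
    return vlan_ids(frame_a) == vlan_ids(frame_b)


if __name__ == "__main__":
    # Constructed locally administered MACs; VLAN 10 with priority 5 (TCI 0xA00A).
    client, gateway = bytes.fromhex("02000000000a"), bytes.fromhex("020000000001")
    request = build_frame(gateway, client, [(ETH_P_8021Q, (5 << 13) | 10)], ETH_P_IP, b"GET /")
    print("client VLANs:", vlan_ids(request))               # [10]
    untagged = strip_tags(request)                           # what the proxy handles
    proxied = build_frame(gateway, client, [], ETH_P_IP, b"GET / (scanned)")
    print("re-tagged VLANs:", vlan_ids(retag_like(request, proxied)))  # [10]
    other_tenant = build_frame(gateway, client, [(ETH_P_8021Q, 20)], ETH_P_IP, b"GET /")
    print("forward between tenants:", same_vlan(request, other_tenant))  # False
```

The tag stack is replayed verbatim rather than rebuilt from the VID alone so that priority bits and an outer S-TAG survive the round trip; a bridge that regenerated tags from the VID only would silently flatten QinQ links and drop QoS marking.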

  • Alan,

    Thank you very much for sharing your doubts with us. To be honest, I have not tried the XG in bridge mode yet, but I think I have to.

    Can you (at Sophos) create a KB article and a use case for VLANs when XG is deployed in bridge mode? Maybe this will help us to understand the limitations and problems. If XG is able to read the tag inside the traffic, make decisions and re-tag the traffic, it is better than UTM. If we need to deny a particular VLAN's traffic, we need to create a network and add it as the target. Are we able to create a proper zone and add the tagged VLAN to that zone, in order to use a proper zone and not ANY?

    The other point (which is not related here, but I would like to mention) is the Bridge Limitation https://community.sophos.com/kb/en-US/123276 and maybe some of us are not implementing XG in bridge mode because of those limitations.

    I really appreciate your thread asking us something before deploying or making other changes. Thumbs up!

    Thank you again!

  • Hi Alan,

    One scenario where I have run into the need for a VLAN interface on a bridge is when you need more than one physical interface at the Sophos to connect to more than one network closet. For instance, if you have closets A, B & C, with A containing the ISP demarc and the Sophos only, which has two data drops spanning to two other closets, B & C, where there are switches that need to connect back to the Sophos, which is handling the routing for the VLANs. Understandably this is not an ideal scenario; however, it is not always our position to be able to alter a customer's network to a best-practice scenario where we would not need multiple physical ports on the firewall that are acting basically as "trunk" ports.

    Thank you,

  • I also feel that if Sophos can eventually achieve the ability to configure VLAN interfaces on a bridge, then it could hopefully get us another step closer to the ability where the Sophos wireless access points can have each SSID bridged to a specific VLAN, along with an SSID that bridges to the AP LAN. This is a common obstacle I run into when removing APs such as Ubiquiti's or Aruba's to install Sophos APs, and I have to create "Separate Zone" networks, compared to the previous APs that were just able to bridge their SSIDs to existing VLANs.

    Thanks again,

  • Hi Alan,

    some of our customers use the small SGs as a sort of pimped RED device for small offices when they need more features than RED can provide. This can be a special routing configuration or support for VLANs for hardware VoIP phones. Especially the XG85 has a very competitive price for this scenario.

    For this we configure a bridge containing several ports as the LAN interface (similar to a normal DSL router for private use). But we would need VLANs on this bridge interface to support a LAN network and a VoIP network on all ports.

  • Thanks all - to be clear, I think we should add the capability, but I wanted to make sure there were no really common use cases where this was needed. It's on the feature backlog, and your responses will help me prioritize it correctly.

  • In reply to AlanT:

    Hi Alan,

    Just wondering how this feature request is progressing?

    I have just received a new 450 and would like to assign multiple VLANs to a bridge for a similar scenario to what Simon has pointed out. We can complete this task quite effortlessly on MikroTik OS. Is it possible to do on the CLI?


    For this we configure a bridge containing several ports as the LAN Interface (similar to a normal DSL router for private use). But we would need VLANs on this bridge interface to support LAN network and VoIP network on all ports.

  • In reply to AlanT:

    Sorry to jump in this late, but I have a use case for bridging VLANs.

    We have several customers with an office in our facility. We provide them Internet access. They all have a VLAN each.

    So their drops are on a switch, with the port in access mode with the customer's VLAN. After that, everything is a trunk, and when their traffic arrives at the Internet gateway, it's tagged with the customer's VLAN.

    I would like to put an XG firewall in bridge mode between my Internet gateway and my network, but I can't, as I need to bridge a trunk and multiple VLANs on that trunk.

    In other words, I should be able to create a VLAN interface on any physical interface I have, and be able to create a bridge interface between two VLAN interfaces.

  • In reply to Michel Py:

    I looked at getting this feature into v17, but it didn't make the cut. I'm planning to add this in the next feature release after that.

  • In reply to AlanT:

    V17 is already released. But it is still impossible to create VLANs on a bridge interface.

  • In reply to kams976:

    Correct. as noted above, it was NOT included in the v17 plan, and is currently targeted for v18. 

  • I have a scenario that I'm pretty sure warrants the use of a VLAN on a bridged interface.

    I have an XG105 so 4 ports. 2 ports are WAN in load balance and 2 ports are LAN bridged together.

    The 2 LAN ports go to two 24-port Netgear switches. These switches contain a mixture of phones, PCs, CCTV cameras and 3 Unifi APs. Currently we use no VLANs; everything is just mixed together.

    The issue arises with the Unifi access points. We are unable to offer guest wifi because if we allow guests to join our "normal" wifi they can't browse anything, because we have HTTPS decryption and scanning turned on and obviously guest devices don't have the certificate installed, let alone access to all our devices. The Unifi APs have the ability to have multiple SSIDs, each sitting on a separate VLAN.

    My thought was that if I created a guest SSID and gave it a VLAN of, say, 10, set up a different DHCP lease pool and then added that address range to the Exceptions tab under source IP, this would allow guest devices to connect to the Unifi AP, get an IP and browse the internet.

    The issue is that because I have two LAN ports in bridge mode, the XG doesn't allow me to add a VLAN interface. Because I have only 2 LAN ports, it's not possible for me to use another port only for VLAN traffic.

    All I want is for any traffic, say with the VLAN ID of 10 / IP XXXX, to simply be granted full, unfiltered access, but this does not seem to be possible.

    I would have thought this would be a really common scenario for anyone not using Sophos APs. At this point I'm getting hammered for not being able to offer guest wifi, so it would seem my only choice is to ditch the Unifi APs, which have incredible performance, and swap them for Sophos APs, which annoys me because there is an ongoing subscription just to offer wifi.

    Perhaps there is another way to achieve what I'm trying to do, but everything I've read seems to suggest I need to add a VLAN interface to "read and route" VLAN traffic, but I'm hamstrung in doing so.

  • In reply to Shane Cook:

    We will add VLAN support on a bridge in v18, but that won't be till next year. In the meantime (and possibly long term) there may be better options in your particular scenario.

    Your two switches are both plugged directly into a bridge on the firewall, which is OK for redundancy, but not ideal. So long as your switches have STP enabled to prevent packet switching loops, then it will work, but for a properly redundant solution, you would generally use a LAG pair across your switches, which is meant to manage redundancy, and XG supports adding VLANs on top of LAG groups already, today.

    Alternately, if you only connected a single port to a single switch, and your switches are cabled together directly, then you could support guest VLANs today. In the event of a switch failure, it would require a manual failover, to allow devices connected to the remaining switch to continue working.

  • In reply to AlanT:

    > We will add VLAN support on a bridge in v18, but that won't be till next year.

    Alan, seriously? v18 is expected next year? Make sure you include all the main features XG is missing at the moment, and improve live connections, because at the moment XG is missing this feature. Do not tell me the Live Connection tab: it's just useless!


  • In reply to AlanT:

    Hi Alan,

    Thanks for your feedback. I am pleased to hear bridge VLAN support is coming, although a little disappointed to hear it will be so far away. Nonetheless, I appreciate your suggestions re LAG; it's important for anyone visiting this thread in a similar scenario to me to see there are a couple of options.

    I checked with Netgear and apparently my switches support 802.3ad, but "The JGS516PE does have LAG support but only the static one. It does not support LACP as of the moment", whatever that means. I have no experience in this area.

    Secondly, in regards to connecting one switch to the XG and the other switch to the first switch: this makes me nervous, as we have quite a lot of heavy file transfers, about 15 IP phones and 15 CCTV cameras connected, and I'd be worried about traffic flow and routing through one single cable.

    Would it be possible to remove the bridge but still allow both LAN ports to see/talk/flow to each other in some other way? I can potentially free up a port, because I have an old TP-Link load-balance router I could use to convert the 2 current WAN ports into a single WAN into the XG, but having a spare port still gets me nowhere.

    Again, really appreciate your feedback. Cruising the community, it would appear there are quite a few people in very similar or even identical situations to me, trying to figure out just how to configure a guest wifi network on Unifi APs when our only real path is VLAN, but we just hit this roadblock.