XG, and VLANs on Bridges - feedback needed

The request keeps coming up, that we need to support adding VLAN tagged interfaces on top of bridge and lag interfaces. This is on the backlog, but I want to make sure that it's understood what XG can already do, and what gaps still exist, so that it can be properly prioritized.

A common UTM9 example of bridges and VLANs would be to put a bridged firewall inline between a core switch and the perimeter router, where the traffic passing over that link is all or mostly VLAN tagged. In UTM9, you must create a VLAN interface on top of the bridge for every VLAN you want to control. So if you have five VLANs, you need five VLAN interfaces on the bridge. Then, when you intercept and proxy web traffic, the firewall makes its outgoing request over one of its gateway interfaces, not necessarily the gateway that the filtered client was expecting it to use.

Now in XG, create a bridge, and deploy it in the same way as the above example - but don't create VLAN tagged interfaces per VLAN. XG will still intercept and proxy all VLAN tagged traffic, just as you'd expect in the UTM case, but without needing to create a tagged VLAN interface. In addition, it will re-tag the traffic leaving the proxy, send it out the same gateway that the client expected to use, and it will appear to come from the originating client. It's like the full-transparent mode on UTM9, but better, as it honors the original routing expected by the client. This means that it's also safer to deploy in multi-tenant environments, as it won't allow one tenant to make requests into another tenant's network. While you can block that behavior on UTM9, it takes extra effort and consideration.

With all of that said, I'd like to know what scenarios still critically require VLAN interfaces on a bridge. I can't think of any, other than if you are not entirely using it as a bridge, but as the network gateway for clients behind it. I understand the need for adding a tagged VLAN with an ID of 1, and that is also on the backlog, but not part of this topic. That one I understand clearly: what is needed and why. What I want to be clear on is whether I'm missing a common use case regarding VLANs and bridges, or whether the current capabilities just aren't well advertised enough. What do you think?

  • Alan,

    thank you very much for sharing your doubts with us. To be honest I did not try the XG in bridge mode yet, but I think I have to.

    Can you (in Sophos) create a KB and a use case for VLANs when XG is deployed in bridge mode? Maybe this will help us to understand the limitations and problems. If XG is able to read the tag inside the traffic, make decisions and re-tag the traffic, it is better than UTM. If we need to deny a particular VLAN's traffic, we need to create a network and add it as target. Are we able to create a proper zone and add the tagged VLAN to that zone in order to use a proper zone and not ANY?

    The other point (which is not related here, but I would like to mention) is the Bridge Limitation https://community.sophos.com/kb/en-US/123276 and maybe some of us are not implementing XG in bridge mode because of those limitations.

    I really appreciated your thread to ask something to us before deploying or making other change. Thumbs up!

    Thank you again!

  • Hi Alan,

    One scenario where I have run into the need for a VLAN interface on a bridge is when you need more than one physical interface at the Sophos to connect to more than one network closet. For instance, if you have closets A, B, & C - A containing the ISP demarc and the Sophos only, which has two data drops spanning to two other closets B & C, where there are switches that need to connect back to the Sophos, which is handling the routing for the VLANs. Understandably this is not an ideal scenario; however, it is not always our position to be able to alter a customer's network for a best-practice scenario where we would not need multiple physical ports on the firewall that are acting basically as "trunk" ports.

    Thank you,

    I also feel that if Sophos can eventually achieve the ability to configure VLAN interfaces on a bridge, then it could hopefully get us another step closer to the ability where the Sophos wireless access points can have each SSID bridged to a specific VLAN, along with an SSID that bridges to the AP LAN. This is a common obstacle I run into when removing APs such as Ubiquiti's or Aruba's to install Sophos APs, and I have to create "Separate Zone" networks, as compared to the previous APs that were just able to bridge their SSIDs to existing VLANs.

    Thanks again,

  • Hi Alan,

    some of our customers use the small SGs as a sort of pimped RED device for small offices when they need more features than RED can provide. This can be a special routing configuration or support for VLANs for hardware VoIP phones. Especially the XG85 has a very competitive price for this scenario.

    For this we configure a bridge containing several ports as the LAN Interface (similar to a normal DSL router for private use). But we would need VLANs on this bridge interface to support LAN network and VoIP network on all ports.

  • Thanks all - to be clear, I think we should add the capability, but I wanted to make sure there were no really common use cases where this was needed. It's on the feature backlog, and your responses will help me prioritize it correctly.

  • In reply to AlanT:

    Hi Alan,

    Just wondering how this feature request is progressing?

    I have just received a new 450 and would like to assign multiple VLANs to a bridge for a similar scenario to what Simon has pointed out. We can complete this task quite effortlessly on MikroTik OS. Is it possible to do on the CLI?


  • In reply to AlanT:

    Sorry to jump in this late, but I have a use case to bridge VLANs.

    We have several customers with an office in our facility. We provide them Internet access. They all have a VLAN each.

    So their drops are on a switch with the port being in access mode with the customer's VLAN. After that, everything is a trunk and when their traffic arrives at the Internet gateway, it's tagged with the customer's VLAN.

    I would like to put an XG firewall in bridge mode between my Internet gateway and my network, but I can't, as I need to bridge a trunk and multiple VLANs on that trunk.

    In other words, I should be able to create a VLAN interface on any physical interface I have, and be able to create a bridge interface between two VLAN interfaces.

  • In reply to Michel Py:

    I looked at getting this feature into v17, but it didn't make the cut. I'm planning to add this in the next feature release after that.

  • In reply to AlanT:

    V17 is already released, but it is still impossible to create VLANs on a bridge interface.

  • In reply to kams976:

    Correct. As noted above, it was NOT included in the v17 plan, and is currently targeted for v18.