I have the following problem. Our ISP gives us VLAN 333. The WAN port is Port10. I found on the web that people first enable the port using DHCP, then add a VLAN interface on that port, so I did that. The web UI showed something like
Port10.333: 18.104.22.168 gw 22.214.171.124
But it bothered me knowing that there are probably DHCP requests sent out by Port10. So I changed Port10 to a fake IP, 126.96.36.199 with gw 188.8.131.52:
Port10: 184.108.40.206 gw 220.127.116.11
Now I see about ten unanswered ARP requests every 15 seconds or so: 18.104.22.168 who-has 22.214.171.124. This is also not ideal. I'd like Port10 to be up without an IP, to have VLAN 333 on it, with our touch down IP that we got from the ISP, 126.96.36.199.
I tried to fix this by setting Port10 to None instead of WAN, and guess what, after
ip addr flush dev Port10
I indeed got what I wanted:
XG450_WP02_SFOS 17.0.6 MR-6# ip addr | grep Port10
6: Port10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq group 0x02 nfmark 0x8001 nfmark6 0 nettype 0x02 np 0x04 np6 0 state UP group default qlen 1000
22: Port10.333@Port10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue group 0x02 nfmark 0 nfmark6 0 nettype 0x02 np 0 np6 0 state UP group default
inet 188.8.131.52/30 brd 184.108.40.206 scope global Port10.333
The fly in the soup is, the web UI still shows an IP assigned to Port10. And if the device reboots, Port10 comes up with the static IP that I set previously.
Question: what to do to have Port10 with no IP and a VLAN id interface on it, with the IP from the ISP?
I could live with a way to perhaps "ip addr del IP dev Port10" but I don't know where to stick this in the startup files of the XG. I can't recognize the underlying system in /etc.
Any help would be appreciated,
You can put a static IP address on port 10.
The requirement for the physical port to be active is a function of the way the XG handles VLANs. On a UTM VLANs are done at L2 while on an XG they are done at L3.
The config result is like below,
What Sophos suggested is:
create a dummy zone (named "WAN_Physical", type "DMZ", with no firewall rules associated with this interface),
assign this zone to the physical WAN interface and set a private static IP for the physical interface,
add the VLAN interface as the KB mentions (portC.10 in my case; the detailed KB is https://community.sophos.com/kb/en-us/123127), and put the VLAN interface in the WAN zone.
You can probably try it this way and see how it goes.
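
Added example, not part of the thread: a shell check that reads `ip addr` text in the layout quoted in the question and reports which IPv4 addresses sit on the parent port and which on its VLAN sub-interfaces, so the state can be confirmed after a reboot. The function names and the sample text (documentation-range addresses, shortened flags) are constructed for illustration.

```shell
#!/bin/sh
# Constructed samples in the layout of the `ip addr` output quoted in the question.
# SAMPLE_CLEAN: parent port carries no IPv4 address, only the VLAN sub-interface does.
SAMPLE_CLEAN='6: Port10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
22: Port10.333@Port10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    inet 198.51.100.2/30 brd 198.51.100.3 scope global Port10.333'

# SAMPLE_REBOOTED: a static address is back on the parent port.
SAMPLE_REBOOTED='6: Port10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    inet 192.0.2.10/24 brd 192.0.2.255 scope global Port10
22: Port10.333@Port10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    inet 198.51.100.2/30 brd 198.51.100.3 scope global Port10.333'

# list_ipv4: read `ip addr` text on stdin, print "<ifname> <cidr>" per IPv4 address.
# The "@parent" suffix and trailing colon are stripped from the interface name.
list_ipv4() {
    awk '
        /^[0-9]+: /               { cur = $2; sub(/[@:].*/, "", cur); next }
        $1 == "inet" && cur != "" { print cur, $2 }
    '
}

# parent_ipv4 PARENT: print the IPv4 addresses bound to the parent port itself.
parent_ipv4() {
    list_ipv4 | awk -v p="$1" '$1 == p { print $2 }'
}

# vlan_ipv4 PARENT: print "<vlan-if> <cidr>" for sub-interfaces named PARENT.<id>.
vlan_ipv4() {
    list_ipv4 | awk -v p="$1" 'index($1, p ".") == 1 { print $1, $2 }'
}

# parent_is_bare PARENT: exit 0 only when the parent has no IPv4 address
# and at least one of its VLAN sub-interfaces has one.
parent_is_bare() {
    text=$(cat)
    [ -z "$(printf '%s\n' "$text" | parent_ipv4 "$1")" ] &&
    [ -n "$(printf '%s\n' "$text" | vlan_ipv4 "$1")" ]
}

# Demonstration on the constructed samples.
for name in SAMPLE_CLEAN SAMPLE_REBOOTED; do
    eval "text=\$$name"
    if printf '%s\n' "$text" | parent_is_bare Port10; then
        echo "$name: Port10 has no IPv4 address, VLAN sub-interface is addressed"
    else
        echo "$name: Port10 carries $(printf '%s\n' "$text" | parent_ipv4 Port10)"
    fi
done
```

On a live system the same functions can be fed from `ip addr | parent_is_bare Port10`; with the dummy-zone setup described in the last reply, the parent is expected to show its private static address instead.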