
Can't assign VLAN on a bridge interface

Hi everyone,
I have a new XG 330 situated in a main rack and then 4 switches in 4 different small racks; there are also some VLANs on the network.
I bridged 4 interfaces on the firewall for the LAN, but then I can't set up any VLAN interface on the created bridge.

If I don't bridge the interfaces, I can set up all my VLANs on one interface, but then how do I connect the 3 other switches to the firewall?
I also want to avoid having to chain every switch to another one that then connects to the firewall, as that creates a single point of failure.

Can someone point me to how I can achieve this simple setup on the XG?

  • Hi  

    I would recommend referring to the article - https://community.sophos.com/kb/en-us/123508

    Regards,

    Keyur
    Community Support Engineer | Sophos Support

  • Hi  

    Thanks for your reply, I added the VLAN to the bridge interface but I still don't get an IP in the corresponding VLAN.

    Instead, I receive an address from the DHCP of the Bridge interface.

    Just for info, I bridged interfaces 1 to 4 together, and the VLANs are defined on interface 5 (but there is nothing physically connected to it). I am not sure if that's the right way to do it.

    Can you tell me what I should do to have the DHCP offer addresses on my different VLANs, or is something missing in my configuration?

    If I connect the firewall with a link between interface 5 and a switch, the DHCP is giving out addresses, so everything is OK on the switch side.

  • First of all - Why do you want to bridge interfaces? 

    I am not quite a fan of any kind of bridge at all.
    XG can actually see all VLAN traffic on a bridge, but you cannot "route" traffic between different VLANs on a Bridge Interface.

    For this, you will need to tag the interfaces on XG (hence you need to create a VLAN on a bridge to have a gateway on the bridge).
    So actually you can see / inspect traffic of VLAN X and VLAN Y going through the XG.

    https://community.sophos.com/kb/en-us/123098

    The Sophos Firewall, as a Layer 2 Bridge, allows features like deep-packet inspection, the Intrusion Prevention System, Malware Scanning, and Email Content Scanning without changing any configuration or IP schema of the network. When you want to add security without changing any configurations, Sophos Firewall can be deployed in Bridge Mode.
    But it cannot act as an inter-VLAN router.

    This feature will be included in a future major Release (would expect V18). 
    The KBA https://community.sophos.com/kb/en-us/123508 is only for the XG GUI (Webadmin) on a bridge, i.e. if you want to access the XG "itself" from a certain VLAN. But you can only tag one interface with this command.
    To get back to the initial question:

    Why do you need a Bridge? A Layer 2 Bridge? 
  • So I removed the bridge, as it will not work with my configuration of VLANs.

    But now all my VLAN interfaces are defined on eth1, which is connected to switch 1, and the other switches connect to switch 1 in a chain like this:

    But the problem that I have is: if switch 1 goes down, then the whole network is down. That's why I attempted to bridge the 4 interfaces, to avoid that scenario, as each switch would then be directly connected to the Sophos (only 25% of the network would be down).

    Is there a way to avoid a single point of failure on the switch side? (I don't need to have all switches directly connected to the Sophos; 2 of them would be enough, as that would allow one switch to go down without impacting the rest of the network.)
  • What exactly does a switch do in your scenario?

    For such designs, you should take a look at your switch vendor.

    There are a couple of technologies to actually cover such scenarios.

    Cisco: https://community.cisco.com/t5/switching/best-practice-for-high-availability-design-hsrp/td-p/1820778
  • Hello,

    We finally decided to go with only one interface instead of 4. (Switches are Unifi US-48)

    We are going to wait for the release of V18 to add the redundancy.

    Thanks for your help.

  • Just to be sure: I would say your bridge design is a bad design.

    This should not be used in any scenario. 

    You should not start building HA by enabling a bridge on the router side.
  • I think you are missing the point of what the OP is trying to do.
    There is nothing wrong with a bridge interface having different VLANs on it. SG has done it for years. XG can't because, well, XG can't do a lot of things. To say it shouldn't be used is absolutely incorrect. There are plenty of use cases for it.

    Other firewall vendors allow you to group ports into a virtual switch. Sophos doesn't. A bridge is the only option we have, and having multiple VLANs on an interface is very logical. Maybe in 2020 when V18 comes out we will finally have features that a $100 UBNT router has.

  • Just leave the VLAN aspect for a bit.

    If you have, let's say, 3 switches.

    Are you going to bridge 3 ports on your SG/XG and plug in all three switches to have one setup?

    I would say - no, you won't do that. You would start to build high availability in the switch landscape (make sure that if one switch fails, other switches will take over).

    Currently, if one switch fails in such a scenario, the whole subnet behind this switch is dead. No matter what you are doing on the XG/SG.
    I am still not sure what use case there would be for actually using a bridge with VLANs.

    Maybe RED50 and bridging the Remote location to the main location and splitting VLAN, but even in such setups, why would you do that? 
    Most customers use LACP and connect the switch "world" to the XG and use VLAN on this LAG. 

    But to actually "simply" bridge those switches together sounds odd. 
  • You are incorrect. I have an XG at home with all 4 LAN ports in a bridge because I needed them to act like a switch. I have 4 devices plugged into them. If one device fails, the entire subnet DOES NOT go down. I don't know where you are getting that from.

    Since the XG can't group its interfaces into a switch port, a bridge is the only option.

    If the OP's switches are not in a virtual chassis, he can't use LACP for redundancy now, can he? Not every switch in the world supports LACP either. If he daisy-chained them and the first switch fails, everything goes down. How do you suppose he gets around that?

    I have plenty of setups using SonicWall's PortShield and connecting a switch to each port for smaller sites. Works like a charm.

    Just because Sophos can't do something, don't act like it is a bad design. 

  • Oh sorry.
    I talked about a "bigger picture".

    Because if we actually talk about multiple switches and VLAN, you are most likely talking about a bigger network. 

    And therefore, as the OP should do, there are other approaches to such a setup.
    You are right about the Bridge in smaller setups, if you are not using a switch in between your network. 