
LAN - VLAN routing

Hi!
I have an XG125 where the network on Port 6 is 192.168.12.0/24 and the network on Port 1 is 192.168.0.0/24, both in the LAN zone.
Port 6 has a DHCP server.
I've added a VLAN on Port 1 (Port1.40) with its IP assigned by DHCP.

I've created 2 rules:
1:
Source zones: LAN
Source network: #Port1.40
Destination zones LAN
Destination networks: #Port6
Service: Any

2:

Source zones: LAN
Source network: #Port6
Destination zones LAN
Destination networks: #Port1.40
Service: Any

But the VLAN interface doesn't get any IP from the DHCP server on Port 6.

What am I doing wrong?



  • Hello Mario,

    you are mixing / confusing Layer 2 and Layer 3 here.

    While "Port 1" and "VLAN 40" sit on the same physical interface, they are completely different networks, which don't "see each other" in terms of IP addresses.

    The same goes for "Port 6": the network on Port 1 does not "see" the traffic on "Port 1" or "Port1.40" simply because they are put into the same firewall zone.

    You either have to build a bridge (connection on Layer 2), or you have to route between the IP networks on top of those interfaces (connection on Layer 3).

    As it is now, the VLAN port Port1.40 will never get a DHCP address from the server running on Port 6, nor will it get one if you run that server on Port 1.

    Please tell us what you want to achieve, so that we can help you find a solution for your use case.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • > You either have to build a bridge (connection on Layer 2), or you have to route between the IP-nets on top of those interfaces (connection on Layer 3).

    Isn't the routing what I've done with the 2 firewall rules?

  • Routing is routing.

    Firewall rules are a packet filter.

    These are two different things: you first have to have a functional network, either routed or bridged, so that packets can flow from A to B.

    Then you allow or deny certain IP connections or ports with firewall rules.

    Philipp Rusch

  • BTW: I prefer routing over bridging.

    Bridging is simple but has serious disadvantages when trying to build a clean, segmented network architecture.

    Philipp Rusch

  • Which I think indicates that the VLAN should not have the same network as the network hanging off Port 6, which would mean two different DHCP servers. I currently have three SSIDs on my AP, for example: two of them are VLANs (less trusted networks) and one of them is bridged onto the main LAN that the AP is on (more trusted network). The LAN and the two VLANs each have their own DHCP server to serve their distinct networks.

  • I'm a bit lost here!
    I can reach the network 192.168.12.0/24 on Port 6 from the network 192.168.0.0/24 on Port 1 with just a firewall rule... how is this possible?
    Isn't this the same thing?

  • Ciao Mario,

    no, let us clarify: if you have a network interface, either physical ("Port X") or virtual ("VLAN Y"), you CAN assign a static IP to it.

    You did this with "Port 1" and "Port 6". So now your firewall knows about two networks which are directly connected to it.

    The normal mode of a Linux kernel is IP routing between all directly attached interfaces.

    NOW your packet filter comes into play; this is what you configure with "firewall rules" and "zones" and so on.

    If you have a so-called "DENY all" philosophy with your firewall rules (this is the case with the XG/XGS default settings), then you have to define which traffic is allowed from one network to the other. If you put two different interfaces into the same "Zone" definition, you implicitly allow traffic between them.

    Why don't you reach your VLAN on "Port1.40"? Because it has no IP address! And hence no network it belongs to, that's all.

    Philipp Rusch
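As an added example (not from the thread), a minimal model of the "directly connected routes" Philipp describes: an interface with an address contributes a route for its network, an interface without one contributes nothing, and a DHCP DISCOVER (limited broadcast) is never forwarded between networks. The interface names are the thread's; the .1 gateway addresses are assumed.

```python
# Added example, not from the thread: model how a router such as the XG derives
# connected routes from its interface addresses. Gateway addresses are assumed.
import ipaddress

# Constructed interface table: Port1.40 exists but, as in the thread, has no IP yet.
INTERFACES = {
    "Port1": "192.168.0.1/24",
    "Port6": "192.168.12.1/24",
    "Port1.40": None,
}

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def connected_routes(interfaces):
    """Build the connected-route table: one entry per interface that has an IP."""
    routes = []
    for name, cidr in interfaces.items():
        if cidr is None:
            continue  # no address => no network => nothing the kernel can route to
        routes.append((ipaddress.ip_interface(cidr).network, name))
    return routes


def lookup(routes, dst):
    """Longest-prefix match; returns the egress interface name or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, name in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name)
    return best[1] if best else None


def can_forward(interfaces, src_if, dst):
    """True when a packet entering src_if has a route to dst on another interface.

    This is the routing decision only; the packet filter (firewall rules and
    zones) is applied afterwards and may still deny the flow.
    """
    dst_addr = ipaddress.ip_address(dst)
    # DHCP DISCOVER goes to 255.255.255.255 and link-local traffic stays on the link.
    if dst_addr == LIMITED_BROADCAST or dst_addr.is_link_local:
        return False
    egress = lookup(connected_routes(interfaces), dst)
    return egress is not None and egress != src_if
```

Run against the constructed table, a host on Port 1 has a route to 192.168.12.5 via Port 6 (so only a firewall rule is needed), while Port1.40 appears in no route at all and a DHCP broadcast from it is never forwarded.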

  • Ok, now I got it, thanks Philipp.
    I've tried to do a bridge between Port1.40 and Port 6, but the bridge doesn't support VLAN.

    What I want to achieve is this:

    Port 6 is the network of our phone exchange and phones (the softphones reach the phone exchange with a firewall rule). Now we are virtualizing it, but the host is connected only to Port 1.
    That's why I thought of creating a VLAN on Port 1.

    What should I do? I would really prefer to avoid another network.

    Thanks for the support.

  • Hello Mario,

    just put a VLAN-capable, managed switch on Port 6, build VLANs for the different networks and consolidate Port 1 and VLAN 1.40 on Port 6. Let's call it Port 6.40 and Port 6.0.

    Philipp Rusch

  • So are you saying that what I need can't be done just with the XG?

  • No, I did not say that. That's what I would recommend based on your information so far.

    Philipp Rusch

  • When it comes to VLANs:

    AFAIK, the ports of an XG system are configured like a trunk port: you have one untagged default VLAN (= VLAN ID 1), and all the other VLANs you define on this same port are tagged VLANs.

    So you could solve your "dilemma" without a switch, solely using XG ports, but you will then need to change the configuration of your virtualization host on Port 1.

    Philipp Rusch
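As an added example (not from the thread or from Sophos), this is the trunk-port behaviour described above expressed as frame classification: an untagged frame lands on the physical port (native VLAN 1), an 802.1Q frame tagged 40 lands on Port1.40, and a tag the port is not configured for is dropped. The port and VLAN names are the thread's; the frames are constructed.

```python
# Added example, not from the thread: classify Ethernet frames the way a
# trunk-style port does. Untagged frames belong to the native VLAN (1);
# 802.1Q-tagged frames belong to the VLAN ID carried in the tag.
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag
NATIVE_VLAN = 1       # untagged default VLAN, as described in the thread


def parse_vlan(frame: bytes):
    """Return (vlan_id, payload_ethertype); vlan_id is NATIVE_VLAN when untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return NATIVE_VLAN, ethertype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF  # low 12 bits are the VLAN ID; PCP/DEI sit in the top 4
    if vid == 0:        # priority-tagged frame: treated like an untagged one
        return NATIVE_VLAN, inner_type
    if vid == 0xFFF:    # reserved by 802.1Q, never a valid VLAN
        raise ValueError("reserved VLAN ID 4095")
    return vid, inner_type


def classify(port: str, frame: bytes, configured_vlans) -> str:
    """Map a frame received on a physical port to the XG interface it lands on."""
    vid, _ = parse_vlan(frame)
    if vid == NATIVE_VLAN:
        return port
    if vid not in configured_vlans:
        raise ValueError("VLAN %d not configured on %s; frame dropped" % (vid, port))
    return "%s.%d" % (port, vid)


def build_frame(dst_mac: str, src_mac: str, vid=None, ethertype=0x0800,
                payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed helper for the demo: build an optionally 802.1Q-tagged frame."""
    hdr = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    if vid is not None:
        hdr += struct.pack("!HHH", TPID_8021Q, vid & 0x0FFF, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload
```

This is why the virtualization host on Port 1 has to send its phone-network traffic tagged with VLAN 40: untagged frames from it will always be classified onto Port 1 itself.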