
Firewall Rules Don't Apply to VLAN Interface

I have a guest WiFi network running on VLAN40. I'm trying to create firewall rules for this network but when I select the VLAN interface (#Port8.40) in Source networks and devices, it has no effect at all. I can define the network subnet here instead and that works but I want to apply rules to the VLAN interface regardless of IP/subnet. The rule is positioned at the top. I would expect to be able to target all traffic on VLAN interface #Port8.40 with this. What am I missing?



  • I found a possible solution. I created a new network zone just for this VLAN interface and then apply the firewall rule to the zone instead of the interface. This seems to work just fine. Is this the recommended way to achieve what I need? Any downsides I'm not thinking of?

  • I place my VLAN(s) in a Zone that should be treated alike and use Source Zone instead. I don't think #Port8.40 is correct. (At least VLANs on my firewall don't create such a thing.)

    Looks like you posted just as I did. Zones, of course, let you have multiple VLANs and other stuff in them so you can treat them as a unified thing. So you might have three guest VLANs (for some reason) that you want to treat as one source or destination for purposes of Firewall rules. (And it also makes things easier for you if you switch Port8 for Port6 for some reason. Just update the Zone membership and the Firewall rule just continues to work without modification.) I prefer Zones whenever that's an option.

    I'm also using Clientless Users for various things, but I think that's mainly because XG doesn't give you host names and so it's hard to figure out who is who in some displays, and it's easier to just look at Live Connections by (clientless) user. There may be downsides to that, and it takes more steps (rather than the fewer steps that Zones do) to make it all work. I do wish Sophos would do a naming-unification pass that lets me set one machine with a name and potentially other information (MAC, IP, clientless user, etc.).

  • Thanks for confirming. I think this is the way to go.