
RED tunnel - software v.s. hardware

Hi,

I tested Sophos XG Home and also the XG trial (client and server both software VMs), but with both the RED tunnel doesn't work. No L2, no VLANs, only L3.

I also have a hardware XG86. When I use the XG86 as server and XG Home (software) as client, everything works - L2 and VLANs.

So it seems that for RED I can't use the software version, only hardware. Is this officially declared by Sophos? I don't see any information about it. I tested this for many days to find out.

But what about when I use UTM as the RED server? And XG Home as the client? Can a UTM software server work with an XG software client?

I can't use UTM as the client.



[edited by: emmosophos at 10:40 PM (GMT -7) on 3 Jun 2022]
[locked by: FloSupport at 10:56 PM (GMT -7) on 6 Jun 2022]
  • Using a RED Site to Site Tunnel will cause problems if you use a static route with gateway routes. 

    Did you generate any kind of routes or is your entire routing based on the VLANs, which are extended by the bridge? 

    In general, the RED protocol works the same on hardware and software. But you created a bridge, correct? 

    __________________________________________________________________________________________________________________

  • Please learn what layer 2 is. RED is a pure L2 tunnel. No routing and no IP is needed. You only need to bridge the RED interface to a physical interface and allow the traffic in the firewall. The result is just like you had put a very long RJ45 Cat cable between the devices. It can be managed at switch level, without any IP or routing. You can use VLANs. VLANs also go through the tunnel; you only need to make a VLAN interface on both the tunnel and the physical NIC side and then bridge them, as without this the Sophos device accepts only untagged traffic.

  • I perfectly understand what you mean and it is working. I tested it recently with this setup. 

    But I am once again not able to understand what you mean by hardware/software RED. 

    RED is a protocol. It is based on SSL VPN, but in the end it is a TLS-based tunnel, like SSL VPN. 

    And you can do this perfectly fine. The only issue could be generated by the MAC usage of the bridge. Because generally speaking, the MAC of the logical bridge can be the same on both appliances. You can check the MAC address of br0 on one SFOS appliance, then check the same br0 interface on the other appliance and verify that they differ. If not, this will likely cause your problem, as duplicated MACs in an extended network will cause problems. 

    __________________________________________________________________________________________________________________

  • You don't need MAC addresses in an L2 bridge. You can use a bridge without an IP. By software I mean the Sophos installers for VMware, Hyper-V or a physical computer. By hardware I mean a physical firewall box. And the L2 RED tunnel works only between a hardware server box and a hardware/software client. Between a software server and a software client I can't get L2 RED working. Have you tested this?

  • Yes. And it works fine. 

    But a bridge has a MAC address. It needs to have one. 

    SFV6C8_AZ01_SFOS 19.0.0 GA-Build317# ifconfig Test
    Test Link encap:Ethernet HWaddr 00:0D:3A:22:81:B5
    inet6 addr: fe80::20d:3aff:fe22:81b5/64 Scope:Link

    Otherwise there should not be any difference between those setups. Maybe your hypervisor causes some issues? 

    I tested this scenario a couple of times in the past, and now people are running this in public cloud setups. 

    Do you have any tcpdumps and conntracks of those connections? 

    __________________________________________________________________________________________________________________
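The check suggested in the post above (compare the bridge MAC on both SFOS appliances and make sure they differ) can be scripted. The following is an added example, not code from the thread or from Sophos: it parses ifconfig-style output in the format quoted above and reports any MAC address that appears on more than one appliance. The two captures, the interface names and the MAC values are constructed for the example; a bridge sharing the MAC of one of its member ports on the same appliance is normal Linux bridge behaviour and is deliberately not reported.

```python
import re
from collections import defaultdict

# Constructed sample ifconfig output for two hypothetical software appliances.
# Only the line format follows the output quoted in the thread; names and MACs are invented.
SITE_A = """\
br0       Link encap:Ethernet  HWaddr 00:0C:29:AA:BB:01
          inet6 addr: fe80::20c:29ff:feaa:bb01/64 Scope:Link
PortA     Link encap:Ethernet  HWaddr 00:0C:29:AA:BB:01
reds1     Link encap:Ethernet  HWaddr 02:00:00:00:00:01
"""

SITE_B = """\
br0       Link encap:Ethernet  HWaddr 00:0C:29:AA:BB:01
          inet6 addr: fe80::20c:29ff:feaa:bb01/64 Scope:Link
PortA     Link encap:Ethernet  HWaddr 00:0C:29:AA:BB:01
redc1     Link encap:Ethernet  HWaddr 02:00:00:00:00:02
"""

# Matches the "<iface>  Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx" header line of each interface.
HWADDR_RE = re.compile(
    r"^(\S+)\s+Link encap:Ethernet\s+HWaddr\s+([0-9A-Fa-f:]{17})", re.MULTILINE
)


def parse_ifconfig(text):
    """Return {interface_name: mac} from ifconfig-style output, MACs normalised to lowercase."""
    return {name: mac.lower() for name, mac in HWADDR_RE.findall(text)}


def find_cross_appliance_duplicates(appliances):
    """appliances: {site_name: ifconfig_text}.

    Returns {mac: [(site, iface), ...]} for every MAC seen on more than one
    appliance. A MAC reused by several interfaces of the *same* appliance
    (typically a bridge and its first member port) is not a finding.
    """
    owners = defaultdict(list)
    for site, text in appliances.items():
        for iface, mac in parse_ifconfig(text).items():
            owners[mac].append((site, iface))
    return {
        mac: holders
        for mac, holders in owners.items()
        if len({site for site, _ in holders}) > 1
    }


def report(appliances):
    """Human-readable summary; returns the number of duplicate MACs found."""
    dups = find_cross_appliance_duplicates(appliances)
    for mac, holders in sorted(dups.items()):
        where = ", ".join(f"{site}:{iface}" for site, iface in holders)
        print(f"duplicate MAC {mac} on {where}")
    if not dups:
        print("no MAC address is shared between appliances")
    return len(dups)


if __name__ == "__main__":
    report({"site-a": SITE_A, "site-b": SITE_B})
```

Run it against real captures by replacing the two constructed strings with the output of ifconfig from each appliance; any MAC listed by the report is one to change on one side before bridging the two networks together over the tunnel.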

  • You are wrong - you don't need a MAC address in a bridge. How can you say there is no difference if you haven't even tested L2 RED? I ask once more - have you tested L2 RED? And there are no MAC addresses. Do you know at all what layer 2 is, what the OSI model is, what remote Ethernet is? I see you have no idea about those things, because you continually talk about MAC addresses. MAC addresses are in my devices, not in the bridge, behind RED, on both sides in my networks. My devices make ARP requests and get the MAC address of the IP they are interested in. The RED devices are transparent. They only pass through ARP requests. Have you tested VLANs? VLANs are the most important part.

  • I cannot help you any further if you do not provide the proof of tcpdumps and conntracks (maybe drop packet captures). Otherwise we cannot comment on this situation anymore. 

    __________________________________________________________________________________________________________________

  • I ask once more - have you tested it? Do VLANs work?

  • Hello Ivar,

    this is a voluntary community help forum. That said, I ask why you are so rude to LuCar Toni?

    He is just asking for some info to help you out. But you try to teach him things he really knows already. (Have a look at his forum points, 53413; this should tell you something...)

    Maybe you are open to discuss your problem:

    Ethernet Bridging - VLANs

    Ethernet bridges enable hosts to communicate through layer 2 by connecting all of the physical and logical interfaces in the system into a single layer 2 domain. The bridge is a logical interface with a MAC address and an MTU (maximum transmission unit). The bridge MTU is the minimum MTU among all its members. By default, the bridge’s MAC address is the MAC address of the first port in the bridge-ports list.

    This is how a Linux kernel does bridging.

    Example:

    https://tldp.org/HOWTO/Ethernet-Bridge-netfilter-HOWTO-4.html#ss4.4

    Of course a MAC address is assigned to your bridge; this is normally the same address as your first port.

    If using the SW type of firewall installer, this could by chance be the SAME MAC for both ends of the RED tunnel.

    This could cause problems and that's what Lucar Toni wanted to verify with your help.

    HTH.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • The MAC address is off topic. This does not interest me. The fact is - software RED doesn't work and hardware RED works. Have you tested this? Have you got VLANs working in software RED? I am not interested in Sophos internal programming - I am interested in what works and what doesn't. I don't have time for philosophy. And I am interested in how to put things to work, if at all possible. I am interested in whether you have tested it. I am interested in what Sophos's official answer for this feature is.

  • I won't work on this if you insist on your rude manner, sorry.

    You had been given a chance to get this going.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Because the hardware network license costs 50 EUR/year. But software XG Home is totally free. Also the software Hyper-V virtual version is much faster than the hardware box. I must make a decision - buy the license or not. Why must I experiment at all, test and search in forums? A normal company says clearly - this function works and this function is not allowed, and I have no more questions. Why must I predict how Sophos works? And "there are maybe some problems" is not an answer. Things in enterprise-class firewalls work or they don't work. Cheap Chinese stuff maybe works or maybe not. Sophos is not cheap.

  • Why do you then waste my time if you don't use Sophos RED products?

  • I waste your time?!?

    Don't be impertinent!

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Yes, you just waste my time, nothing more.

  • But yes, the Sophos XG bridge is not a "pure bridge", it does ARP relay. You can't see MAC addresses from the other side of the bridge, you only see the bridge MAC. But this doesn't make sense from the RED point of view. RED is still pure L2 and passes through VLANs. RED is also some kind of bridge. It can only work or not work; there is no half-working state. But there also exist lots of bridges without MAC addresses and without ARP relays. Examples: Sophos UTM, Mikrotik, pfSense, Check Point, Palo Alto etc. They just transfer all packets to the other side, without MAC interaction with ARP relay. But the Sophos XG bridge can also do more than, for example, Palo Alto. It can route L2 packets to an L3 interface (when the source has no knowledge about the L3 interface at all). It's like "by force" packet translation. The Mikrotik bridge is also very powerful - it can do NAT for MAC addresses. Every product's bridge is unique and different from other products'. Bridges can be implemented in very different ways. But this has nothing to do with RED.

  • I will agree with the others that you are being a bit rude for a community forum, but I will try to give you an answer. I don't completely understand your issue, but I will try to help.

    RED is a proprietary layer 2 protocol to mimic a point-to-point layer 2 connection. It is not identical to plugging a cable in between devices, but it's damn good at what it does for traversing layer 3 devices. It does require MAC addresses though, using ARP proxy or broadcast.

    RED can pass MACs over the tunnel. I have plenty of tunnels set up that do. Small sites have a VLAN that is a bridge of another VLAN on the main Sophos device. They operate as if they are on the same network. This is all based on using RED devices, like the RED 50.

    RED S2S is a little different. It doesn't matter if you are using a software appliance or hardware. SFOS does not like bridging networks that exist on 2 different SFOS appliances, in my experience. I always just create a /30 for the P2P interface and route the traffic between firewalls. It's cleaner in the end. You are not sending broadcast and multicast traffic over the tunnel, using up your bandwidth. This works with hardware appliances or software.

    Sophos has sales engineers that will help you evaluate this setup. They can get high level engineers involved if needed. If your plan is to try to run XG home in production, I would advise against it. It's against the license terms and isn't supported. You can run the trial version of XG for fully supported configs.

    Mike

  • It's not against the license terms. I got a license from Sophos for XG Home. But have you tested the RED tunnel? Between a software server (running on VMware, Hyper-V or a plain PC) and a software client? Do VLANs work?