Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Does the Sophos XG lack PVID-assignment functionality !?

After having messed around with the webgui of Sophos XG (Home) on the HP T620 Plus & Intel I340-T4 NIC for a while, I have came to the conclusion that Sophos XG's VLAN feature set lacks the ability to assign PVID on the ports of the I340-T4. Having looked through some network maps of the troubleshooting posts here on the Sophos XG Forum, I found that most if not all of the working layouts consist of at least 1 802.1Q-compatible managed switch being connected to a VLAN interface of the XG via an RJ45 port. Only then that endpoint devices can be recognised and connected to the XG's network. Some example layouts can look like this :

Hence the conclusion. If this is true, then I believe that this is an Achilles Heel of the XG when compared to other router solutions, e.g. Ubiquiti's EdgeOS, which allows assigning PVID on every one of the router's LAN port:

I don't believe that adding the PVID functionality into the Sophos XG will cannibalise the sale of Sophos' managed switches, as Ubiquiti sell both their routers & managed switches very well.

Article on PVID: docs.oracle.com/.../index.html

Does Sophos plan to add this PVID functionality to its XG line of product later on or can I raise a feature request ?



This thread was automatically locked due to age.
Parents
  • Hi J

    I don't know if I completely understood your requirement, But I think this would be a workaround for your problem:

    - Create a bridge interface with that specific interface ( You will need to add another interface to bridge even if you don't need it. You should have spare interface )

    - Make sure "Enable routing on this bridge pair" is activated on bridge interface configuration so you could use bridge interface as routed interface.

    - On CLI, select 4.device console and use "system vlan-tag set interface" command to set a vlan tag for bridge interface.

  • Hello buddy,

    thanks for your suggestion. My plan is that I am going to bind Ports #3 & #4 of my I340-T4 NIC into a bridge named ‘switch0’.

    Then I am going to create 2 VLANs bound to the physical ports and 2 more VLANs bound to the switch0 interface itself.

    Each VLAN is going to have its own subnet & DHCP range.

    Does your workaround work out for my plan ?

    Thank you in advance. 

    HP T620 Plus @ Sophos XG v19.5.3 MR3 - Build 652.

  • If you plan to create 2 interface vlans under bridge interface, each vlan interface will tag packets according vlan id and you wouldn't need to tag the main bridge interface.

    My suggestion is for a scenario that you want to tag the traffic passed from bridge interface. 

  • Ok so your workaround does not help me out in this case, does it ?

    HP T620 Plus @ Sophos XG v19.5.3 MR3 - Build 652.

  • Actually what Locar is saying make sense. Create VLAN 11 on Netgear switch and connect wireless mesh network to same switch. Then you can create a LAG interface on FW (Port3 + Port4) and config required settings on switch for LACP. This way you will have 2Gbps bandwidth between switch and FW to handle all networks and devices traffic. Under LAG interface on FW, you will need to create 3 vlan interface 9,11,17. Unless there is physical limitation on connecting wireless mesh network to switch, this is your best bet.

    In case you cannot connect wireless network to switch, you can connect port 3 to wireless as you described and set native vlan on wireless networks to vlan id 19.

    Also, I am assuming you have already tried creating vlan 19 sub interface under port3 and connecting it to wireless network and it didn't work so you are looking for PVID.

    My original suggestion will tag traffic generated by bridge interface and probably will not work for your scenario.

Reply
  • Actually what Locar is saying make sense. Create VLAN 11 on Netgear switch and connect wireless mesh network to same switch. Then you can create a LAG interface on FW (Port3 + Port4) and config required settings on switch for LACP. This way you will have 2Gbps bandwidth between switch and FW to handle all networks and devices traffic. Under LAG interface on FW, you will need to create 3 vlan interface 9,11,17. Unless there is physical limitation on connecting wireless mesh network to switch, this is your best bet.

    In case you cannot connect wireless network to switch, you can connect port 3 to wireless as you described and set native vlan on wireless networks to vlan id 19.

    Also, I am assuming you have already tried creating vlan 19 sub interface under port3 and connecting it to wireless network and it didn't work so you are looking for PVID.

    My original suggestion will tag traffic generated by bridge interface and probably will not work for your scenario.

Children