
Does the Sophos XG lack PVID-assignment functionality!?

After having messed around with the web GUI of Sophos XG (Home) on the HP T620 Plus & Intel I340-T4 NIC for a while, I have come to the conclusion that Sophos XG's VLAN feature set lacks the ability to assign a PVID on the ports of the I340-T4. Having looked through some network maps of the troubleshooting posts here on the Sophos XG Forum, I found that most if not all of the working layouts consist of at least 1 802.1Q-compatible managed switch being connected to a VLAN interface of the XG via an RJ45 port. Only then can endpoint devices be recognised and connected to the XG's network. Some example layouts can look like this:

Hence the conclusion. If this is true, then I believe that this is an Achilles' heel of the XG when compared to other router solutions, e.g. Ubiquiti's EdgeOS, which allows assigning a PVID on every one of the router's LAN ports:

I don't believe that adding the PVID functionality into the Sophos XG will cannibalise the sale of Sophos' managed switches, as Ubiquiti sell both their routers & managed switches very well.

Article on PVID: docs.oracle.com/.../index.html

Does Sophos plan to add this PVID functionality to its XG line of products later on, or can I raise a feature request?



  • Assigning a VLAN to a Port is likely a Switch Job. This would be likely interesting for smaller deployments, if they want to mix VLAN with LAN (bridging). But even smaller deployments which start VLAN get a Switch in such terms. To do PVID on a firewall, this is actually something rarely requested. 


  • I believe that once PVID functionality has been added to the XG software, this will make the XG OS much more appealing to professional IT and homelab users alike, because then the XG can work with both 802.1Q & non-802.1Q devices. 

    HP T620 Plus @ Sophos XG v19.5.3 MR3 - Build 652.

  • After rethinking this scenario, I still cannot come up with a scenario where you want to do this. 

    So: In case you have multiple devices in one location and you want to do VLAN, you actually do not need VLAN. You can plug all devices into the firewall and do a Layer 2 bridge; as all devices are in the same network, it does not matter if VLAN or not. They are connected.

    If you have a VLAN for certain devices managed by a Switch and one device directly connected to the Firewall, why not connect this device to the switch as well? 

    The point is: VLAN is to segment a network. You do not have to segment a network which only exists in your head. If you have for example 3 devices directly connected, a Layer 2 Bridge will do the same job. The devices do not care if there is a VLAN or not. In the end you have your own subnet. That is the result of a Layer 2 bridge as well. 

    PVID can only assign one VLAN to a certain Port. This means it will tag only one VLAN to it. If you want to tag untagged to Tag for some reason, that is some other scenario. 

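The PVID behaviour the reply above describes, modelled in Python as an added example (not code from the thread or from Sophos): an access port tags untagged or priority-only-tagged ingress frames with its PVID and strips the tag again on egress, which is exactly what a non-802.1Q access point would need from a firewall port. The sample MACs, frames and the policy for already-tagged ingress are constructed assumptions, since vendors differ on that last point.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def parse_frame(frame: bytes):
    """Split a frame into (dst, src, vid, ethertype, payload).

    vid is None for an untagged frame and 0 for a priority-tagged frame
    (802.1Q tag present but the VLAN ID field is zero).
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != TPID_8021Q:
        return dst, src, None, etype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, inner, frame[18:]


def build_frame(dst, src, ethertype, payload, vid=None):
    """Assemble a frame; insert an 802.1Q tag (PCP 0) only when vid is given."""
    header = dst + src
    if vid is not None:
        header += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


class AccessPort:
    """A port whose untagged traffic belongs to VLAN `pvid` (assumed policy:
    untagged/priority-tagged -> tag with PVID; tagged with PVID -> pass;
    tagged for any other VLAN -> drop)."""

    def __init__(self, pvid: int):
        self.pvid = pvid

    def ingress(self, frame: bytes):
        dst, src, vid, etype, payload = parse_frame(frame)
        if vid in (None, 0):
            return build_frame(dst, src, etype, payload, vid=self.pvid)
        return frame if vid == self.pvid else None

    def egress(self, frame: bytes):
        dst, src, vid, etype, payload = parse_frame(frame)
        if vid != self.pvid:
            return None  # not this port's VLAN: the device must never see it
        return build_frame(dst, src, etype, payload)  # strip the tag


# Constructed sample: an untagged ARP frame as a non-802.1Q AP would send it.
AP_MAC = bytes.fromhex("02aabbccdd01")
BCAST = b"\xff" * 6
UNTAGGED_ARP = build_frame(BCAST, AP_MAC, 0x0806, b"\x00" * 28)
```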

  • Here is my intended network map. At the moment, this very same layout is being deployed on the Ubiquiti EdgeRouter X SFP. Its built-in PVID functionality has made this layout possible:

    Due to the I340-T4 NIC on the HP T620 Plus having so few LAN ports, I plan to use this layout when moving from the Ubiquiti one to Sophos XG. But then, my Linksys Velop on VLAN11 will not work because the Sophos XG does not have PVID functionality built into it.

    I just look forward to you and the devs implementing PVID functionality in v19.5. This is all I can do for now. Please consider my suggestion. Thank you very much in advance. 

    HP T620 Plus @ Sophos XG v19.5.3 MR3 - Build 652.

  • V19.5 is something which is already in the works. And this request is rarely asked. So I am not sure if this will "ever" come into the product. The best solution could be to simply "not use VLAN11". Because why should you use VLAN11? Is VLAN11 used anywhere else? Because you could connect the network of eth3 without VLAN and a Bridge. Look at this as its own Network with its own Zone. Because in the end, if VLAN11 exists, it is its own network. 


  • He would be better off spending a little money and buying an 8-port version of the switch he is using. Then his network would not need to be so complex.

    ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • A good (no knockoffs, no TP-Link, Huawei, etc.) 8-port managed switch is not cheap. Implementing PVID functionality into the XG will ensure that every wireless AP can work with it, regardless of its 802.1Q compatibility.

    HP T620 Plus @ Sophos XG v19.5.3 MR3 - Build 652.