

Does the Sophos XG lack PVID-assignment functionality?

After having messed around with the web GUI of Sophos XG (Home) on the HP T620 Plus & Intel I340-T4 NIC for a while, I have come to the conclusion that Sophos XG's VLAN feature set lacks the ability to assign a PVID on the ports of the I340-T4. Having looked through some network maps of the troubleshooting posts here on the Sophos XG Forum, I found that most if not all of the working layouts consist of at least one 802.1Q-compatible managed switch being connected to a VLAN interface of the XG via an RJ45 port. Only then can endpoint devices be recognised and connected to the XG's network. Some example layouts can look like this:

Hence the conclusion. If this is true, then I believe that this is an Achilles heel of the XG when compared to other router solutions, e.g. Ubiquiti's EdgeOS, which allows assigning a PVID on every one of the router's LAN ports:

I don't believe that adding the PVID functionality to the Sophos XG will cannibalise the sales of Sophos' managed switches, as Ubiquiti sells both its routers & managed switches very well.

Article on PVID: docs.oracle.com/.../index.html

Does Sophos plan to add this PVID functionality to its XG line of products later on, or can I raise a feature request?



  • Assigning a VLAN to a port is likely a switch job. This would likely be interesting for smaller deployments, if they want to mix VLAN with LAN (bridging). But even smaller deployments which start with VLANs get a switch in such terms. Doing PVID on a firewall is actually something rarely requested. 


  • Hi J

    I don't know if I completely understood your requirement, but I think this would be a workaround for your problem:

    - Create a bridge interface with that specific interface (you will need to add another interface to the bridge even if you don't need it; you should have a spare interface).

    - Make sure "Enable routing on this bridge pair" is activated in the bridge interface configuration so you can use the bridge interface as a routed interface.

    - On the CLI, select 4. Device console and use the "system vlan-tag set interface" command to set a VLAN tag for the bridge interface.

  • Hello buddy,

    thanks for your suggestion. My plan is that I am going to bind Ports #3 & #4 of my I340-T4 NIC into a bridge named ‘switch0’.

    Then I am going to create 2 VLANs bound to the physical ports and 2 more VLANs bound to the switch0 interface itself.

    Each VLAN is going to have its own subnet & DHCP range.

    Does your workaround work out for my plan?

    Thank you in advance. 

    HP T620 Plus @ Sophos XG v19.5.3 MR3 - Build 652.

  • In a homelab environment, not everyone can afford to buy a managed switch. Cheap stuff or knockoffs just do not meet expectations.

    It will be much appreciated if high-end switching capability can be added to Sophos XG. It will be almost perfect.

    The Ubiquiti EdgeRouter X SFP I am using has both routing and switching abilities as well as a basic firewall built in. I am considering moving to Sophos XG because of its hardened security features.

    It will be a steal for me if XG can have the PVID functionality added later on, with v19.5 for example. Much looking forward to that. 

    HP T620 Plus @ Sophos XG v19.5.3 MR3 - Build 652.

  • If you plan to create 2 VLAN interfaces under the bridge interface, each VLAN interface will tag packets according to its VLAN ID and you wouldn't need to tag the main bridge interface.

    My suggestion is for a scenario where you want to tag the traffic passing through the bridge interface. 

  • Ok, so your workaround does not help me out in this case, does it?

    HP T620 Plus @ Sophos XG v19.5.3 MR3 - Build 652.

  • I believe that once PVID functionality has been added to the XG software, this will make the XG OS much more appealing to professional IT and homelab users alike, because then the XG can work with both 802.1Q & non-802.1Q devices. 

    HP T620 Plus @ Sophos XG v19.5.3 MR3 - Build 652.

  • After rethinking this scenario, I still cannot come up with a scenario where you would want to do this. 

    So: in case you have multiple devices in one location and you want to do VLAN, you actually do not need VLAN. You can plug all devices into the firewall and do a Layer 2 bridge; as all devices are in the same network, it does not matter whether VLAN or not. They are connected.

    If you have a VLAN for certain devices managed by a switch and one device directly connected to the firewall, why not connect this device to the switch as well? 

    The point is: VLAN is there to segment a network. You do not have to segment a network which only exists in your head. If you have for example 3 devices directly connected, a Layer 2 bridge will do the same job. The devices do not care if there is a VLAN or not. In the end you have your own subnet. That is the result of a Layer 2 bridge as well. 

    PVID can only assign one VLAN to a certain port. This means it will tag only one VLAN on it. If you want to tag untagged traffic for some reason, that is some other scenario. 


  • Here is my intended network map. At the moment, this very same layout is being deployed on the Ubiquiti EdgeRouter X SFP. Its built-in PVID functionality has made this layout possible:

    Due to the I340-T4 NIC on the HP T620 Plus having so few LAN ports, I plan to use this layout when moving from the Ubiquiti one to Sophos XG. But then my Linksys Velop on VLAN 11 will not work, because the Sophos XG does not have PVID functionality built into it.

    Just looking forward to you and the devs implementing PVID functionality in v19.5. This is all I can do for now. Please consider my suggestion. Thank you very much in advance. 

    HP T620 Plus @ Sophos XG v19.5.3 MR3 - Build 652.

  • Actually, what Locar is saying makes sense. Create VLAN 11 on the Netgear switch and connect the wireless mesh network to the same switch. Then you can create a LAG interface on the FW (Port3 + Port4) and configure the required settings on the switch for LACP. This way you will have 2 Gbps of bandwidth between the switch and the FW to handle all networks' and devices' traffic. Under the LAG interface on the FW, you will need to create 3 VLAN interfaces: 9, 11 and 17. Unless there is a physical limitation on connecting the wireless mesh network to the switch, this is your best bet.

    In case you cannot connect the wireless network to the switch, you can connect Port3 to the wireless network as you described and set the native VLAN on the wireless network to VLAN ID 19.

    Also, I am assuming you have already tried creating a VLAN 19 sub-interface under Port3 and connecting it to the wireless network, and it didn't work, so you are looking for PVID.

    My original suggestion will tag traffic generated by the bridge interface and probably will not work for your scenario.
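To make concrete the difference the thread turns on (a PVID/native VLAN on an access port versus a tagged VLAN sub-interface, as discussed in the post on what PVID does and in the native-VLAN-19 suggestion above), here is a small added Python model of 802.1Q frame handling; it is an illustration written for this thread, not Sophos or Ubiquiti code. The MAC addresses and frames are constructed, and the VLAN IDs are the ones named in the thread.

```python
"""Model of 802.1Q tagging at a port with and without a PVID.

Added illustration for this thread, not Sophos or Ubiquiti code. The frames
below are constructed sample bytes; VLAN IDs 9, 11, 17 and 19 are the ones
the thread mentions, and the MAC addresses are made up.
"""
import struct

TPID_8021Q = 0x8100
MAC_VELOP = bytes.fromhex("02aa000000b1")  # constructed: non-802.1Q mesh AP
MAC_FW = bytes.fromhex("02aa000000f0")     # constructed: firewall port MAC


def build_frame(dst, src, vid=None, ethertype=0x0800, payload=b"\x00" * 4):
    """Ethernet II frame; vid=None builds an untagged frame (what the Velop sends)."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP/DEI left at 0
    return hdr + struct.pack("!H", ethertype) + payload


def vlan_id(frame):
    """Return the VID of a tagged frame, or None if the frame is untagged."""
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        return None
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF


def ingress_vlan_subinterface(frame, vid):
    """VLAN sub-interface (e.g. 'VLAN 19 under Port3'): only frames that
    already carry tag `vid` belong to it; untagged frames never match."""
    return vlan_id(frame) == vid


def ingress_pvid_port(frame, pvid):
    """Access port with a PVID: an untagged frame is tagged with the PVID on
    ingress, so a device that never speaks 802.1Q still lands in that VLAN.
    Already-tagged frames are left alone."""
    if vlan_id(frame) is None:
        return frame[:12] + struct.pack("!HH", TPID_8021Q, pvid) + frame[12:]
    return frame


def egress_pvid_port(frame, pvid):
    """On egress from the access port, strip the tag for the native VLAN so the
    non-802.1Q device receives a plain frame; other VLANs stay tagged."""
    if vlan_id(frame) == pvid:
        return frame[:12] + frame[16:]
    return frame
```

Run against an untagged frame, `ingress_vlan_subinterface(frame, 11)` is False while `ingress_pvid_port(frame, 11)` yields a frame that the VLAN 11 interface accepts, which is exactly the gap the thread describes.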