Does the Sophos XG lack PVID-assignment functionality !?

Question

After having messed around with the webgui of Sophos XG (Home) on the HP T620 Plus & Intel I340-T4 NIC for a while, I have came to the conclusion that Sophos XG's VLAN feature set lacks the ability to assign PVID on the ports of the I340-T4. Having looked through some network maps of the troubleshooting posts here on the Sophos XG Forum, I found that most if not all of the working layouts consist of at least 1 802.1Q-compatible managed switch being connected to a VLAN interface of the XG via an RJ45 port. Only then that endpoint devices can be recognised and connected to the XG's network. Some example layouts can look like this :

Hence the conclusion. If this is true, then I believe that this is an Achilles Heel of the XG when compared to other router solutions, e.g. Ubiquiti's EdgeOS, which allows assigning PVID on every one of the router's LAN port :

I don't believe that adding the PVID functionality into the Sophos XG will cannibalise the sale of Sophos' managed switches, as Ubiquiti sell both their routers & managed switches very well. 
 Article on PVID: docs.oracle.com/.../index.html 
 Does Sophos plan to add this PVID functionality to its XG line of product later on or can I raise a feature request ?

LuCar Toni · Answer

After rethinking this scenario, i still cannot come up with a scenario, where you want to do this. 
 So: In case you have multiple devices in one location and you want to do VLAN, you actually do not need VLAN. You can plug in all devices into the firewall and do a Layer 2 bridge, as all devices are in the same network, i does not matter, if VLAN or not. They are connected. 
 If you have a VLAN for certain devices managed by a Switch and one device directly connected to the Firewall, why not connect this device to the switch as well? 
 The point is: VLAN is to segment a network. You do not have to segment a network, which only exists in your head. If you have for example 3 devices directly connected, a Layer 2 Bridge will do the same job. The devices do not care if there is a VLAN or not. In the end you have a own subnet. That is the result of a Layer 2 bridge as well. 
 PVID can only assign one VLAN to a certain Port. This means it will tag only one VLAN to it. If you want to tag untagged to Tag for some reason, that is some other scenario.

Farshid · Answer

Hi J 
 I don't know if I completely understood your requirement, But I think this would be a workaround for your problem: 
 - Create a bridge interface with that specific interface ( You will need to add another interface to bridge even if you don't need it. You should have spare interface ) 
 - Make sure " Enable routing on this bridge pair" is activated on bridge interface configuration so you could use bridge interface as routed interface. 
 - On CLI, select 4.device console and use "system vlan-tag set interface" command to set a vlan tag for bridge interface.

LuCar Toni · Answer

Assigning a VLAN to a Port is likely a Switch Job. This would be likely interesting for smaller deployments, if they want to mix VLAN with LAN (bridging). But even smaller deployments which starts VLAN get a Switch in such terms. To do PVID on a firewall, this is actually something rarely requested.

Farshid · Answer

Actually what Locar is saying make sense. Create VLAN 11 on Netgear switch and connect wireless mesh network to same switch. Then you can create a LAG interface on FW (Port3 + Port4) and config required settings on switch for LACP. This way you will have 2Gbps bandwidth between switch and FW to handle all networks and devices traffic. Under LAG interface on FW, you will need to create 3 vlan interface 9,11,17. Unless there is physical limitation on connecting wireless mesh network to switch, this is your best bet. 
 In case you cannot connect wireless network to switch, you can connect port 3 to wireless as you described and set native vlan on wireless networks to vlan id 19. 
 Also, I am assuming you have already tried creating vlan 19 sub interface under port3 and connecting it to wireless network and it didn't work so you are looking for PVID. 
 My original suggestion will tag traffic generated by bridge interface and probably will not work for your scenario.

Does the Sophos XG lack PVID-assignment functionality !?

Top Replies