Sophos XG over Proxmox, VLANs?

Question

Does anyone have VLAN success with Sophos XG over Proxmox and a managed switch?

Prism · Answer

Don't create the VLAN interface at Proxmox. 
 Create the VLAN "211" at "Port1" on Sophos Firewall. 
 What's happening right now is that you created a VLAN (Sophos Firewall) inside another VLAN (Proxmox vmbr2 interface). 
 As an example: At Sophos Firewall I have two VLAN's, one for Guest and another for IoT at "vmbr0" 
 
 But on Proxmox I have them setup without any VLAN's, only as bridges for the physical interfaces. 
 
 vmbr0 = "Wired - Auth". 
 PS; Use the Interfaces at Proxmox as "Physical Interfaces"(Only create the necessary bridges to use on the VM), leave VLAN's and everything else on Sophos Firewall.

FNG_117 · Answer

Prism apijnappels Thanks both of you, The proper way is to set up VLANs in Sophos only and leave Proxmox out of it. I attempted to use VLANs in Proxmox because of all the videos on Proxmox VLANs. Unfortunately, when Proxmox creates the new interface, Sophos sees it as a physical interface. Which makes sense because Sophos is a VM, but it does not know that, so any NICs attached to the VM config will be recognized as physical. Now I'm not positive because I didn't spend a bunch of time with different configurations troubleshooting the Proxmox VLANs, but I think that what happens is Sophos strips the tag because it thinks the NIC is physical. Even setting up a VLAN on the "pysical" VLAN didn't do much. Maybe there is a way to get that to work but this setup is simplified and the way I would like it to be. Here's how it is set up... 
 
 Proxmox: 
 
 Sophos VM in Proxmox:

Sophos Ports (WAN not displayed) and VLANs:

DHCP Servers: 
 
 A communication rule:

I change 211 to WiFi so here's the corresponding rule:

Switch PVID configuration:

Now the switch config was really the most difficult to understand. I found that I must not tag a port with a PVID and VLAN Member. How I understand it is that VLAN tags are exclusive to ports that traffic is intended to pass through with multiple VLANs for a specific PVID. For example, VLAN 117 is tagged on mg4 (the port to the router, PVID 1) and untagged on xmg6 which requires the PVID of 117. For some reason, if I tag xmg6 with 117 I have local network access but lose internet access. 
 
 This has been probably one of the coolest things I've done lately thanks to you guys for helping me understand how this stuff works.

apijnappels · Answer

This looks ok at first sight, however in the switch screenshot I don't see VLAN 117 but it is in Sophos. So VLAN 117 might not work in the rest of your network. 
 PS, if you do want to work with VLAN interfaces in Proxmox like you did before, then you create alle the necessary interfaces in Proxmox and just add every interface as an additional NIC in the Firewall VM. In that case you don't have any VLANs in XG but you have every network on a separate NIC.

Sophos XG over Proxmox, VLANs?

Top Replies