Sophos XG Bridge Mode in Multi Vlan Enviroment

Hi,

you need to configure the VLANs in the XG interfaces. You will need firewall rules between VLANs.

Ian

VLAN on the bridge port should it be or on a physical port? 

Hi,

I have never tried creating VLANs in a bridge and I suspect you can't, you would need to create the VLANs against each physical interface.

Ian

Interestingly i'm just embarking on a very similar scenario.
What i'm not clear on for your case, is the XG also the router or just the firewall?

Hello Samir,

Could you share the documentation that you referred to on configuring your setup? If you may also share your network setup/diagram that would be much appreciated.

Further, could you try this community RR if it would be able to help you on your scenario:  Sophos Firewall: How to Configure Inter-VLAN Routing on Sophos Firewall 

I was able to configure multiple VLANs on 2 physical interfaces that I bridged on SFv20: 

Could you share with us the results after you followed the RR above if still does not work, could you also share the results of Log Viewer when you are initiating a traffic? 

Thanks for your time and patience and thank you for choosing Sophos.

Regards,

Hi GregBuff ,

Thanks for reaching out to Sophos Community.

Could you also try the below steps I have provided and share with us your results.

Thank you

Regards,

Hi Raphael Alganes

Thanks for the link to that article. Incidentally I've ended up doing a fairly similar config to that which is partially working - I'm just trying to troubleshoot if the issues are related to the endpoints that are not fully reachable or due to zones and/or firewall rules.

Can you confirm what the difference is between assigning a vlan to a bridge directly vs assigning to a port within a bridge group?
Such as if vlan100 is assigned to Port5 inside VLAB_BR1.

I believe the question is not about VLAN interfaces on the firewall, since the original poster refers to the router handling the inter-vlan traffic and not the firewall but rather if you have two bridged interfaces on the XG can you pass a vlan through that bridge and onto something else (in this case the router).

I believe this is the case, though I've not tried it myself (there is a "filter VLAN" option in the bridged interface settings which suggests that's possible).

Hello GregBuff ,

Thanks for the response and taking the time to update. 

You need to take note of the following warning before adding another interface to the existing bridge group

Then after saving, the interface would be added to the existing Bridge group in this example. I added Port4

If you would assign say a vlan60 to this existing bridge, it will be added to the Hardware with VLAB_BR1.60 , VLANID: 60

Hi Raphael Alganesa 

Apologies I mislead you.

I understand the process to add ports to an existing bridge. While having noted the warning it is a bit arbitrary.... Perhaps more useful if it said specifically what associated settings maybe lost/changed.

My query is centred on the difference between assignment of the vlan to a particular port that is already associated with a bridge group. Bit of a nested configuration....

Br0>port4>vlan3

Versus 

Br0>vlan7

If port itself is tagged inside the bridge group does it tag traffic egressing the that port? Does it strip the tag as it goes from port to bridge?

What happens to the tags when the bridge itself is tagged? Are all ports inherently tagged ports?

Can you make an untagged port that is associated with a specific vlan?

Thanks for your guidance