Apparently I don't get an IP from the DHCP listening to a VLAN interface. This might be because an IP for this machine has already been leased on a different interface. I came across this about how to set the global static option on the DHCP however the commands do not seem to apply to Sophos Firewall XG 18.0.3 anymore
Can you please advise?
Thank you for contacting the Sophos Community!
Please make sure the command is being run from the console and not the advanced shell.
The command should still work in 18.3
console> system dhcp…
console> system dhcp static-entry-scope global
console> system dhcp static-entry-scope show
global
OK I did this although unfortunately it didn't solve my problem. I still don't get an IP if the DHCP is listening on the VLAN interface. If I set the IP manually then things work fine (i.e. the VLAN configuration is not messed up). If I set the DHCP on the physical interface things also work fine. Any ideas?
Thank you for the follow-up!
Can you take a screenshot of your VLAN interface? I don't think they are attached to your external interface (WAN Zone), are they?
If you do a tcpdump on the XG for the VLAN that you are handing out the IPs on, do you see the requests coming in?
tcpdump -eni Port3.99 port 67 or 68
Let me ask this question first because to me it is not very clear (and it is not in line with Sophos UTM either). Say I have one Ethernet port, in this case Port3. When I add a VLAN with ID 2, the VLAN acts as a virtual interface. I can then go and set it up in terms of IP address etc. However, the physical port Port3 still seems to require an IP address. What should that address be? What VLAN is Port3 on? 1?
In V17.5, you have to give Port3 an IP address. In V18, you can leave Port3 as it is and place a VLAN on top of it (like UTM).
And no, it is not allowed to have the same Subnet range.
Since you have the same subnet in the VLAN and the interface, the DHCP relay will not work. You would need to change the subnet either in the Port or in the VLAN; as Luca mentioned, in v18 you could leave the port without any IP and just put the VLAN there with the IP 192.168.50.2 if you wanted to. Regards,
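As an added illustration of the point above (not code from this thread or from Sophos), a small Python check that flags a VLAN sub-interface configured in the same subnet as its parent port, the condition the reply says stops DHCP on the VLAN; interface names and addresses below are constructed sample values.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed interface table modelled on the thread: Port3 is the physical
# port, Port3.2 is the VLAN (ID 2) sub-interface on top of it. Addresses are
# hypothetical sample values, not taken from any real firewall.
INTERFACES: Dict[str, str] = {
    "Port1": "10.0.0.1/24",
    "Port3": "192.168.50.1/24",    # physical port given an IP (the v17.5 habit)
    "Port3.2": "192.168.50.2/24",  # VLAN 2 on Port3, same subnet as the parent
    "Port3.99": "192.168.99.1/24", # VLAN 99 on Port3, distinct subnet
}


def parent_of(name: str) -> Optional[str]:
    """Return the physical parent for a 'PortN.<vlan>' name, else None."""
    base, sep, vlan = name.partition(".")
    return base if sep and vlan.isdigit() else None


def overlapping_scopes(ifaces: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (iface_a, iface_b, reason) for every pair whose subnets overlap.

    A VLAN overlapping its own parent port gets a specific reason, because that
    is the misconfiguration that silently breaks DHCP on the VLAN interface.
    """
    nets = {n: ipaddress.ip_interface(a).network for n, a in ifaces.items()}
    names = sorted(nets)
    findings: List[Tuple[str, str, str]] = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if not nets[a].overlaps(nets[b]):
                continue
            if parent_of(a) == b or parent_of(b) == a:
                reason = "vlan shares subnet with its parent port"
            else:
                reason = "subnet overlap"
            findings.append((a, b, reason))
    return findings


if __name__ == "__main__":
    for a, b, reason in overlapping_scopes(INTERFACES):
        print(f"{a} <-> {b}: {reason}")
```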
Thank you everyone for your replies, much appreciated. I eventually went a different route and I abandoned VLANs from inside the firewall altogether. I virtualised the system using ESXi and I am now handling VLANs at the ESXi and switch level using trunking. All the best!