VLAN trunks and external interfaces - why untagged not accepted
I know the documentation (and certification exam!) mentions specifically that you can't assign a VLAN interface of type external as the untagged/native VLAN on a VLAN trunk port (instead you convert that port to a regular external interface), but more curious as to whether this is a technical or historic reason for doing so?
Reason is that I am creating some configuration templates for some Fireboxes to be deployed at multiple sites, but in some of the sites the MPLS WAN interface requires a VLAN tag and some do not, and we don't have the choice of which one to use due to differing physical setups (i.e. the provider chooses based on numerous factors on their side).
Since our setup treats these as "external" (primarily to use with Multi-WAN which requires interfaces to be defined as external), it means having to keep two sets of templates - one where the VLAN tag is required, and one where it is native.
(The other external interface in my configuration is a straight Internet link, which a BOVPN tunnel will run over as a backup).
This might be more in the realm of a feature request (i.e. to allow this setup), but not having worked with WatchGuard devices for that long, relatively speaking, I am just wondering why this is the case.
Comments
My assumption is that it's simply a choice that was made at some point while VLAN support was being integrated into the firewalls. The ability to have a tagged VLAN as external is also somewhat recent.
There is an existing feature request (FBX-6538) to support this type of configuration. If you'd like to track that item, please create a support case and mention that feature request number (FBX-6538) and the technician can set the case up to do that for you.
-James Carson
WatchGuard Customer Support
Have now finally deployed a Firebox with 12.8 for the scenario I was describing above, and sure enough it was lucky that 12.8 included this feature.
Turns out that even though the WAN provider specified to use a VLAN tag, when they provisioned the hand-off they set their side as "untagged", so I was thankful (after troubleshooting) that all I had to do was make the external VLAN untagged on that specific interface rather than redoing the configuration, as would have been the case with 12.7.x or earlier.
(I had written up the configuration and refined it for about 3 months before we got to deploy the Firebox).
I have another 3 remote sites to deploy on this same WAN, and 2 of these specify a VLAN tag, so I am thankful the option to switch the external VLAN interface exists.