VLAN setting for untagged external ports.

I am a newbie to VLAN for Watchguard FBs. I planned to migrate my two T50s to a M270 running V12.10.3 and wanted to route traffic for 2 VLANs, 10 & 20, between a trusted port that is connected to a tagged trunk port of an H3C SW and 4 untagged external ports using SD-WANs: SDW10 for EXT1 + EXT2, and SDW20 for EXT3 + EXT4.

I started by setting up 2 trusted zones, TRU10 & TRU20, and adding the trusted port to both zones. I then created 2 policies: TRU10 -> Any External with SDW10, and TRU20 -> Any External with SDW20. Is this a common setting to ensure that VLAN 10 packets received at the trusted port get routed to EXT1 & EXT2, and VLAN 20 to EXT3 & EXT4?

For incoming traffic, I have no idea how I can route untagged packets from the external ports to the trusted port by using SNAT and tagging them with VLAN 10/20 according to which external ports they come from before sending them out to the H3C SW. I have tried setting up external zones, EXT10 & EXT20, but the VLAN IDs 10 & 20 have already been used by TRU10 & TRU20.

Would it be even more complicated if I added BOVPN to the picture?

Comments

  • For incoming session traffic, the dest IP addr of the packet listed in the SNAT will cause the packet to end up with the correct VLAN tag as it leaves the VLAN port on the firewall.

    Q. Would it be even more complicated if I added BOVPN to the picture?
    A. Not if packets from the BOVPN are headed to internal VLAN IP addrs, or internal VLAN packets are headed out the BOVPN.

  • Thanks for your prompt answers.

    Does it mean that if the IP addresses of the trusted zones TRU10 & TRU20 are 192.168.10.1/24 & 192.168.20.1/24, respectively, and the SNAT is configured as EXT1 -> 192.168.10.2, the packets arriving at EXT1 and leaving the trusted port to the H3C SW for destination IP 192.168.10.2 would be tagged with VLAN 10?

  • For VLANs defined as tagged on a VLAN firewall interface, packets leaving that interface will be tagged with the VLAN tag associated with the subnet defined for that VLAN.
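The two comments above describe the forwarding rule in words; the following is an added example that models it in Python so both directions can be traced. It is not WatchGuard code or anything from the original poster: the trunk port name `eth1`, the external addresses (from the RFC 5737 documentation ranges), and the `EXT3 -> 192.168.20.2` SNAT entry are assumptions, while the VLAN subnets, the SD-WAN groups and the `EXT1 -> 192.168.10.2` SNAT entry are taken from the thread.

```python
"""Toy model of the topology in this thread (added example, not WatchGuard code):
two tagged VLANs on one trunk port, four untagged external ports grouped into two
SD-WAN actions, and SNAT for inbound sessions. Port names, public addresses and the
EXT3 SNAT target are assumptions made for the example."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

TRUNK = "eth1"  # assumed name of the trusted port carrying the tagged trunk to the H3C switch

# VLAN interfaces on the trunk; subnets follow the thread (192.168.10.1/24 and 192.168.20.1/24)
VLAN_SUBNETS: dict[int, IPv4Network] = {
    10: ip_network("192.168.10.0/24"),
    20: ip_network("192.168.20.0/24"),
}

# Untagged external ports with constructed public addresses (documentation ranges)
EXTERNAL_IPS: dict[str, IPv4Address] = {
    "EXT1": ip_address("198.51.100.1"),
    "EXT2": ip_address("198.51.100.2"),
    "EXT3": ip_address("203.0.113.1"),
    "EXT4": ip_address("203.0.113.2"),
}
SDWAN: dict[str, list[str]] = {"SDW10": ["EXT1", "EXT2"], "SDW20": ["EXT3", "EXT4"]}

# Outbound policies from the original post: TRU10 -> Any External via SDW10, TRU20 via SDW20
OUTBOUND_POLICY: dict[int, str] = {10: "SDW10", 20: "SDW20"}

# SNAT entries (external interface -> internal host). EXT1 -> 192.168.10.2 is from the
# thread; EXT3 -> 192.168.20.2 is an assumed counterpart for VLAN 20.
SNAT: dict[str, IPv4Address] = {
    "EXT1": ip_address("192.168.10.2"),
    "EXT3": ip_address("192.168.20.2"),
}


@dataclass(frozen=True)
class Frame:
    ingress: str                 # port the frame arrived on
    src: IPv4Address
    dst: IPv4Address
    vlan: Optional[int] = None   # 802.1Q tag on arrival; None = untagged


@dataclass(frozen=True)
class Forwarded:
    egress: str                  # port the frame leaves on
    dst: IPv4Address             # destination after any NAT
    vlan: Optional[int]          # 802.1Q tag on departure; None = untagged


def vlan_for(addr: IPv4Address) -> Optional[int]:
    """The egress tag comes from the subnet the destination falls in; no separate
    'external' VLAN with the same ID is needed."""
    for tag, net in VLAN_SUBNETS.items():
        if addr in net:
            return tag
    return None


def forward_inbound(frame: Frame) -> Optional[Forwarded]:
    """Untagged session arriving on an external port: SNAT rewrites the destination,
    then the lookup on the new destination selects the VLAN tag used on the trunk."""
    if frame.ingress not in EXTERNAL_IPS or frame.vlan is not None:
        return None  # only untagged external ingress is modelled here
    if frame.dst != EXTERNAL_IPS[frame.ingress]:
        return None  # the SNAT only matches sessions addressed to that interface's IP
    internal = SNAT.get(frame.ingress)
    if internal is None:
        return None  # no SNAT entry for this port: the firewall drops the session
    tag = vlan_for(internal)
    if tag is None:
        return None  # SNAT target is not on any VLAN subnet
    return Forwarded(egress=TRUNK, dst=internal, vlan=tag)


def forward_outbound(frame: Frame, link_up: dict[str, bool]) -> Optional[Forwarded]:
    """Tagged frame from the trunk: the VLAN it arrived on selects the policy, and the
    policy's SD-WAN action picks the first group member whose link is up."""
    if frame.ingress != TRUNK or frame.vlan is None:
        return None
    if frame.src not in VLAN_SUBNETS.get(frame.vlan, ()):
        return None  # source address must belong to the VLAN the frame was tagged with
    action = OUTBOUND_POLICY.get(frame.vlan)
    if action is None:
        return None  # no policy for this VLAN
    for member in SDWAN[action]:
        if link_up.get(member, False):
            return Forwarded(egress=member, dst=frame.dst, vlan=None)
    return None  # every member of the SD-WAN group is down
```

Running `forward_inbound` on a session that arrives untagged at EXT1 for 198.51.100.1 yields a frame leaving `eth1` for 192.168.10.2 with tag 10, which is the behaviour the comment describes; `forward_outbound` on a tag-20 frame with EXT3 down selects EXT4, showing the SD-WAN failover inside the group.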

  • Thanks for the clarification. Will try the settings accordingly.
