Two VLANs sharing uplink cable

Hi, I have tested a setup that I need to deploy into a data centre which works fine apart from the VLANs route to each other if sharing an uplink cable….this involves a layer 3 HP procurve (no routing setup) with 3 vlans, then cable uplinks to a spare WG XTM510 optional for two vlans and one to trusted for the third management vlan1. In production this will be a M200.

so switch has;
switch VLAN1 default management > cable to trusted > devices use GW Trusted DHCP on

switch VLAN20 servers > switch uplink cable tagged both vlans (both vlan20/30 use) to VLAN port on WG optional eth6 – devices use GW optional eth6 VLAN20 with DHCP. Trusted security zone.

switch VLAN30 servers > switch uplink cable tagged both vlans (both vlan20/30) to VLAN port on WG optional eth6 – devices GW optional eth6 VLAN30 with DHCP. Trusted security zone.

This all works fine, no vlan IPs or routing on the switch needed as the WG is doing that, but by default VLANs 20 & 30 can connect to each other as they share a cable and zone. I don’t want this to happen, so how can I separate the VLANs 20 and 30 “if sharing the same cable uplink to the WG”, or do I need an uplink per vlan? Or is it the security zones need changing on the optional port? Three outgoing rules on the WG, one per VLAN to external.

Everything, incoming sNATs etc and outgoing all works fine, I just need to stop the vlans 20 and 30 talking to each other. Hopefully I have explained this well enough.


  • Make sure that you do not have any policy From: Any-trusted To: Any-trusted
    That would allow VLAN20 & 30 to connect to each other.

  • Hi Bruce, no policies like that are in place.
    I thought maybe it was the security zones as they can be configured per VLAN on the WG. there must be a way of separating VLANs that are tagged on one uplink.


  • Consider opening a support incident.

    XTM should keep these VLANs isolated unless you have policies allowing that access.
    I have multiple VLANs from a WG AP over a single cable to my firewall, and those VLANs are isolated from one another.

    The other possibility is your switch is allowing this access somehow.

  • ok Bruce, makes sense, I will double check policies and switch config

    Although in my test setup, I have 2 x 3500yl 48G switches (both with vlan20 and vlan30 on them) and if I remove the Watchguard uplink they can not talk between VLANs, but vlan 20 can talk to vlan 20 on switch two and the same with vlan 30.


  • edited October 2019

    @Bruce_Briggs said:
    Make sure that you do not have any policy From: Any-trusted To: Any-trusted
    That would allow VLAN20 & 30 to connect to each other.

    in one of my multiple test configs I had ping any to any, that's it! as I was using PING to test connection from each vlan. No other type of connection works

    cheers Bruce

  • TomTom
    edited October 2019

    Your problem is because both VLANs are configured as a Trusted security zone. If you don't want to reconfigure these to optional or even better, custom, the quick and dirty way to stop these from communicating between each other would be to create an 'Any' Packet Filter policy which denies traffic between the two VLANs. The best way of checking how traffic is being allowed is to use Policy Checker. :#

  • hi Tom, once the ping (any to any) was removed there is now no traffic, I cant find much more info on security zones as thats the first place I looked, when you specify custom it did not seem to make much difference, I will look at those "zones" more now though when I get time.


Sign In to comment.