Interface to carry VLAN and VLAN 1 Untagged

On my test network I have the default VLAN 1, then I have 2 VLANs (20,30)
On the firewall, I made interface 5 type VLAN, and I can add VLANs 20,30 as Tagged, but how can I add VLAN 1 also to interface 5?

So that way, it carries VLAN 1, 20,30

Comments

  • edited June 2022

    Because on my existing live network, I only have VLAN 1. I need to create a new network, using VLANs. My plan is to have an uplink from the firewall (carrying VLAN 1 as untagged and 5 as tagged) to the managed switch (carrying VLAN 1 as untagged and 5 as tagged). This way I don't need to run any new cables.

    Then I can split the switch to carry existing VLAN 1 traffic, and the other ports on the switch to carry VLAN 5 traffic.

  • I'm used to working on Meraki, so I'm new to WatchGuard. On the Meraki, I could make the port a trunk port, and allow all traffic. I don't see an option to do that on the WatchGuard.

  • What would happen if I change the trusted interface to VLAN?

  • You can have the same VLAN on 2 firewall interfaces.

    Configure One VLAN Bridged Across Two Interfaces
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/networksetup/vlan_example_1vlan_2switches_c.html

    You can have VLAN 1 be untagged with VLAN 5 being tagged on the same firewall interface.
    In Policy Manager, at the bottom of the Interface page for a VLAN interface, there is an option to select an untagged VLAN.
    I assume there is a similar option in the Web UI.

  • You can have the same VLAN on 2 firewall interfaces.
    Yes, that's how I have it on my test firewall now. I have interfaces 5 & 6 as VLAN type, and I'm able to set them either tagged or untagged by going to the VLAN page. Just like it is on the link above.

    I'm looking for a way to add the other non VLAN network to interface 5 also.

    So what would happen if I change the interface from Trusted to VLAN? Let's say my live network is a flat network, 10.0.0.1, and the interface type is Trusted.

    What happens if I change the interface type to VLAN? I would have to create a VLAN 1, by going to the VLAN page?

    Then the uplink to the switches, since they're untagged now, I need to make the uplink port from the WatchGuard to the switch an untagged also?

  • Q. What happens if I change the interface type to VLAN? I would have to create a VLAN 1, by going to the VLAN page?
    A. yes - only defined VLANS can be on an interface type = VLAN

    Q. Then the uplink to the switches, since they're untagged now, I need to make the uplink port from the WatchGuard to the switch an untagged also?
    A. yes - for VLAN 1
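
What the two answers above mean on the wire, as an added example that is not part of the thread and not WatchGuard code: a small Python model of an interface of type VLAN, where each member VLAN is either tagged (802.1Q header carried in the frame) or untagged (no header; the port assigns the frame to its single untagged VLAN). It builds and parses constructed Ethernet frames and classifies them against the configuration the original poster starts with (interface 5 with VLANs 20 and 30 tagged only) and the one asked for (VLAN 1 untagged plus 20 and 30 tagged). The MAC addresses, payloads, interface names and the rule that a frame tagged with an undefined VID is dropped are assumptions of this model, not behaviour confirmed by the page; how a frame tagged with the untagged VID itself is treated is platform specific and the model simply drops it.

```python
"""Constructed model of 802.1Q tagged/untagged membership on a VLAN-type interface (not WatchGuard code)."""
import struct
from dataclasses import dataclass, field
from typing import Optional

ETHERTYPE_8021Q = 0x8100      # TPID that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
DEFINED_VLANS = {1, 20, 30}   # VLANs defined on the firewall in the thread


def build_frame(dst: bytes, src: bytes, payload: bytes, vlan: Optional[int] = None,
                pcp: int = 0, ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Ethernet II frame; when vlan is given, insert a 4-byte 802.1Q tag after the MAC addresses."""
    hdr = dst + src
    if vlan is not None:
        tci = (pcp << 13) | (vlan & 0x0FFF)            # TCI = PCP(3) | DEI(1) | VID(12)
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return MACs, the tag VID (None if untagged), the inner EtherType and the payload."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETHERTYPE_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        (inner,) = struct.unpack("!H", frame[16:18])
        return {"dst": dst, "src": src, "vid": tci & 0x0FFF, "ethertype": inner, "payload": frame[18:]}
    return {"dst": dst, "src": src, "vid": None, "ethertype": ethertype, "payload": frame[14:]}


@dataclass
class VlanInterface:
    """One interface of type VLAN: a set of tagged VLANs and at most one untagged VLAN."""
    name: str
    tagged: set = field(default_factory=set)
    untagged: Optional[int] = None


def validate(iface: VlanInterface) -> None:
    """Only defined VLANs may be members; a VLAN cannot be both tagged and untagged on one port."""
    members = set(iface.tagged) | ({iface.untagged} if iface.untagged is not None else set())
    unknown = members - DEFINED_VLANS
    if unknown:
        raise ValueError(f"{iface.name}: VLAN(s) {sorted(unknown)} are not defined on the firewall")
    if iface.untagged in iface.tagged:
        raise ValueError(f"{iface.name}: VLAN {iface.untagged} cannot be both tagged and untagged")


def ingress_vlan(iface: VlanInterface, frame: bytes) -> Optional[int]:
    """VLAN a received frame is placed in, or None if the interface has nowhere to put it."""
    vid = parse_frame(frame)["vid"]
    if vid is None:                 # untagged frame -> the port's untagged VLAN, if one is set
        return iface.untagged
    if vid in iface.tagged:         # tagged frame for a VLAN this port carries tagged
        return vid
    return None                     # undefined VID, or the untagged VID sent tagged (assumed dropped)


def egress_frame(iface: VlanInterface, vlan: int, frame: bytes) -> Optional[bytes]:
    """Frame as sent out of iface for traffic in `vlan`: tag stripped, tag added, or not forwarded."""
    p = parse_frame(frame)
    if vlan == iface.untagged:
        return build_frame(p["dst"], p["src"], p["payload"], ethertype=p["ethertype"])
    if vlan in iface.tagged:
        return build_frame(p["dst"], p["src"], p["payload"], vlan=vlan, ethertype=p["ethertype"])
    return None


# Interface 5 as first described: VLANs 20 and 30 tagged, no untagged VLAN.
BEFORE_IF5 = VlanInterface("eth5", tagged={20, 30})
# Interface 5 as asked for: VLAN 1 untagged, 20 and 30 tagged.
AFTER_IF5 = VlanInterface("eth5", tagged={20, 30}, untagged=1)
# Interface 1 converted from Trusted to VLAN: the flat network as VLAN 1 untagged only.
AFTER_IF1 = VlanInterface("eth1", untagged=1)

DST = bytes.fromhex("001122334455")   # constructed MAC addresses
SRC = bytes.fromhex("66778899aabb")


def demo() -> dict:
    """Classify constructed frames against the before/after interface configurations."""
    for iface in (BEFORE_IF5, AFTER_IF5, AFTER_IF1):
        validate(iface)
    flat = build_frame(DST, SRC, b"flat-network")          # what an untagged switch port sends
    admin = build_frame(DST, SRC, b"admin", vlan=20)
    stray = build_frame(DST, SRC, b"stray", vlan=40)       # VLAN 40 is not defined
    return {
        "before_untagged": ingress_vlan(BEFORE_IF5, flat),        # None: no untagged VLAN on the port
        "after_untagged": ingress_vlan(AFTER_IF5, flat),          # 1
        "after_tagged_20": ingress_vlan(AFTER_IF5, admin),        # 20
        "after_tagged_40": ingress_vlan(AFTER_IF5, stray),        # None
        "egress_vlan1": parse_frame(egress_frame(AFTER_IF5, 1, flat))["vid"],     # None: sent untagged
        "egress_vlan30": parse_frame(egress_frame(AFTER_IF5, 30, flat))["vid"],   # 30: sent tagged
        "egress_vlan20_on_if1": egress_frame(AFTER_IF1, 20, admin),               # None: not a member
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `before_untagged` result is the original problem: with only tagged members, an interface of type VLAN has no VLAN to assign untagged frames to, so the flat network cannot ride that link until VLAN 1 is defined and set as the interface's untagged VLAN, with the switch's uplink port configured the same way.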

  • But if I change the interface from Trusted to VLAN, wouldn't I lose connection to the WatchGuard? Or just for a few seconds while the changes are made?

    And what about any Firewall policies? If I change the interface from trusted to VLAN? Would they automatically update the new change?

    Because if this is possible, this is good because then I don't need to run a new cable. Because I can make the Trusted to VLAN, make it a member of VLAN 1 and 20,30, so that one interface carries all 3 VLANs.

  • Consider using WSM Policy Manager to make changes such as this.
    With Policy Manager, no changes are made to the firewall until you upload a changed config to the firewall. You can make many changes using Policy Manager with no immediate effect on your firewall.
    With Policy Manager, configs are saved to disk on the WSM PC, so you can have easy backups.
    In Policy Manager -> File -> Save - select "Always create a backup" to get a time & date stamped config for every uploaded config change.

    With the Web UI, each individual change is made to the running config.
    There is no automatic way to have config changes saved with the Web UI, making it harder to recover from bad changes.

  • edited June 2022

    Thank you, I was able to make the change from the Web GUI.
    So these were my prior settings:

    VLAN 20 Admin, 10.0.20.1 /24
    VLAN 30 CMM, 10.0.30.1 /24
    Interface 1, Trusted 10.0.100.1 /24
    Interface 5 VLAN (VLANs 20,30 both Tagged)
    Interface 6 VLAN (VLANs 20,30 both Tagged)
    Netgear switch 10.0.100.100 (Switch port 1 Untagged) connected to interface 1

    These are the changes I made
    I created a temporary network on Interface 2, 10.0.50.1 /24
    Then logged out of the WebGui (10.0.100.1), and logged in via 10.0.50.1
    Then:
    Interface 1, Trusted to Disabled, lost connection to Netgear switch
    Created a VLAN 1 with original Interface 1 subnet settings, 10.0.100.1 /24
    I named VLAN 1 IT, 10.0.100.1 /24
    So Interfaces 1, 5, 6 are type VLAN
    For VLAN 1, Interface 1U, 5T, 6T
    For VLAN 20, interface 5T, 6T
    For VLAN 30, interface 5T, 6T
    Connected to Netgear switch on Interface 1, got connection back
    Logged out WebGui, 10.0.50.1
    Logged back in via 10.0.100.1
    Interface 2, Disabled

    I'm sure there might be an easier way, and I guess that's where the WSM Policy Manager comes in. Where can I download the WSM Policy Manager from? When I Google it, it's returning this, https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/installation/install_wsm_wsm.html

  • From the software downloads site
    https://watchguardsupport.secure.force.com/software/

    You can find it from the support site Support -> Technical Resources

  • Thank you

  • Correct me if I'm wrong, but I guess the WSM Policy Manager is now WatchGuard Systems Manager?

    Because I'm not able to find WSM Policy Manager.

    Is there a direct link?

  • WSM = WatchGuard System Manager
    Policy Manager is a part of WSM.
    WSM contains a number of components.

  • Ok thanks again for your help
