Same VLAN ID on two different Interfaces

We have the problem that our carrier needs packets coming from our FB external interface to be tagged with VLAN ID 7. This is no problem so far, as the Firebox supports VLANs on external interfaces. However, the problem starts as we want to connect a second external interface to another carrier which also requires the same VLAN ID tags.

If you try to create a second external VLAN with the same ID WSM gives you an error message that the VLAN ID already exists.

Any ideas how to solve this?

Cheers.

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @offbyone

    The Firebox will only allow one VLAN to be tagged that way, so if you need to tag multiple external interfaces with the same VLAN ID, there's not going to be any way around that.

    For the short term, I'd suggest the following:
    -See if they will allow the VLAN to be tagged as any other VLAN ID, or if they'll allow the traffic to arrive untagged, and mark it as 7 on their equipment.
    -If they can't or won't do this, then consider adding a small VLAN capable switch to take the untagged traffic, and tag it as VLAN7.

    If you'd like, I can make a feature request to see if anything can be done about this on the Firebox side. However, since this is requesting that the firewall essentially call and tag two networks the same thing, this might not be possible.

    Thank you.

    -James Carson
    WatchGuard Customer Support

  • > For the short term, I'd suggest the following:
    > -See if they will allow the VLAN to be tagged as any other VLAN ID, or if they'll allow the traffic to arrive untagged, and mark it as 7 on their equipment.

    No, the carrier requires ID 7 in all packets; untagged packets are not accepted.

    > If you'd like, I can make a feature request to see if anything can be done about this on the Firebox side. However, since this is requesting that the firewall essentially call and tag two networks the same thing, this might not be possible.

    As you can mark which VLANs are assigned to which physical interface, I would suspect it should be possible (at least for external interfaces). So to me it looks more like development did not have this use case in mind and added this check to prevent the user from assigning a VLAN ID twice accidentally.

  • james.carson Moderator, WatchGuard Representative

    Hi @offbyone

    I checked with our development team, and at this time, the Firebox wouldn't be able to differentiate the traffic. There is a feature request to allow this functionality, and it is FBX-8225.

    You'll have two options for the time being:

    1. Leave the traffic untagged, and use a switch to tag that traffic as VLAN7 to the second ISP device.

    2. Add the second ISP's traffic as a secondary IP address in the existing external interface, and use a switch to send each one to their respective ISP.

    If given a choice, I'd suggest #1, as #2 creates a single point of failure for both external interfaces (the switch), and each ISP may not appreciate getting ARP broadcasts, etc., sent to the other.

    Thank you,

    -James Carson
    WatchGuard Customer Support
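    The two lookup models argued over above (a single global VLAN-ID table, which is why WSM reports that ID 7 "already exists", versus a table keyed by physical interface plus VLAN ID), as an added example in Python that is not from this thread or from WatchGuard; the 802.1Q parser, the VlanTable class, and the sample frames are all constructed here for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

def parse_8021q(frame: bytes):
    """Return (dst, src, vid, pcp, ethertype, payload) for a tagged frame,
    or None when the frame carries no 802.1Q tag. QinQ (0x88A8) is ignored."""
    if len(frame) < 18:
        raise ValueError("frame too short for an 802.1Q header")
    dst, src = frame[:6], frame[6:12]
    tpid = struct.unpack("!H", frame[12:14])[0]
    if tpid != TPID_8021Q:
        return None
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, tci >> 13, ethertype, frame[18:]

def build_8021q(dst: bytes, src: bytes, vid: int, ethertype: int, payload: bytes, pcp: int = 0) -> bytes:
    """Construct a tagged frame (used only to produce sample input here)."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload

class VlanTable:
    """per_port=False models a global table keyed by VLAN ID alone (one owner per ID);
    per_port=True keys on (ingress interface, VLAN ID), so ID 7 can exist on two ports."""
    def __init__(self, per_port: bool):
        self.per_port = per_port
        self.entries = {}

    def add(self, port: str, vid: int, label: str) -> None:
        key = (port, vid) if self.per_port else vid
        if key in self.entries:
            raise ValueError(f"VLAN ID {vid} already exists")
        self.entries[key] = label

    def classify(self, port: str, frame: bytes):
        """Map an arriving frame to its network label, or None if untagged/unknown."""
        parsed = parse_8021q(frame)
        if parsed is None:
            return None
        vid = parsed[2]
        return self.entries.get((port, vid) if self.per_port else vid)

def can_assign_twice(per_port: bool) -> bool:
    """True if VLAN 7 can be bound to both eth0 (ISP-A) and eth1 (ISP-B)."""
    table = VlanTable(per_port)
    table.add("eth0", 7, "ISP-A")
    try:
        table.add("eth1", 7, "ISP-B")
    except ValueError:
        return False
    return True
```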

  • Hi James,

    Thanks for your efforts.

    Cheers.

  • james.carson Moderator, WatchGuard Representative

    Hi @offbyone

    Thanks! Sorry we couldn't be of more help right now on this.

    If you'd like to, or need to track that feature request, please open a support case. Just mention that you spoke with me and want to track feature request FBX-8225 somewhere in the ticket. Unfortunately, there's no way for the forum system to notify you when that request is ready.

    Have a great day!

    -James Carson
    WatchGuard Customer Support

  • edited April 2021

    I'm also in need of this feature, but on trusted VLAN interfaces. Azure ExpressRoute requires a primary and secondary link to both be tagged with the same VLAN ID.

    So, for example, the primary link is plugged into physical interface 3 and the secondary link into physical interface 5. I can only get connectivity to ExpressRoute over the primary link because the Firebox prevents assigning the same VLAN ID to the secondary physical interface.
