VLAN trunks and external interfaces - why untagged not accepted

I know the documentation (and certification exam!) mentions specifically that you can't assign a VLAN interface of type external as the untagged/native VLAN on a VLAN trunk port (instead you convert that port to a regular external interface), but more curious as to whether this is a technical or historic reason for doing so?

Reason is that I am creating some configuration templates for some Fireboxes to be deployed at multiple sites, but in some of the sites the MPLS WAN interface requires a VLAN tag and some do not, and we don't have the choice of which one to use due to differing physical setups (i.e. the provider chooses based on numerous factors on their side).

Since our setup treats these as "external" (primarily to use with Multi-WAN which requires interfaces to be defined as external), it means having to keep two sets of templates - one where the VLAN tag is required, and one where it is native.
(The other external interface in my configuration is a straight Internet link, which a BOVPN tunnel will run over as a backup).

This might be more in the realm of a feature request (i.e. to allow this setup), but not having worked with WatchGuard devices for that long, relatively speaking, I'm just wondering why this is the case.


  • james.carson Moderator, WatchGuard Representative

    My assumption is that it's simply a choice that was made at some point while VLAN support was being integrated into the firewalls. The ability to have a tagged VLAN as external is also somewhat recent.

    There is an existing feature request (FBX-6538) to support this type of configuration. If you'd like to track that item, please create a support case and mention that feature request number (FBX-6538) and the technician can set the case up to do that for you.

    -James Carson
    WatchGuard Customer Support