Allow interface port to be configured with just vlans
As it is right now, you must assign an IP address to an interface and then add VLANs. It doesn't allow you to just assign VLANs.

This functionality will be available in version 18 of SFOS.
To get early access to v18 right now, click here: https://events.sophos.com/v18eap
25 comments
-
Jindrich commented
I can confirm that this works perfectly in XG18!
-
GAVIN commented
Hi. This appears to have been addressed in V18. I am running V18EAP2 presently, and have my Port2 set as unconfigured, and have a Vlan2 on that hardware port set with the PPPoE details of my ISP details.
-
PigletJuggler commented
I tried working with this product back in April and couldn't believe this was a requirement. I got handed some line about XG using L3 instead of L2 for VLANs... no. You're just being stupid. Do it right. VLANs are L2. L3, where the IP information goes, sits on top of that. The physical interface is just that, a physical interface. If I want an IP on a physical interface, I'll assign it an UNTAGGED VLAN. That's how it needs to work with any self-respecting network device.
-
Johan commented
It seems the focus is elsewhere. Sigh, no Sophos for me until this is fixed.
-
Joshua commented
17.5 is released and it's now 2019, still incapable of this. What is going on, Sophos?
Without features and consideration of such things I'll be moving back to pfSense in the next month. It's only a few forum posts away to see what other corners you cut right off.
-
Diego Baroni commented
+1 - SG allows it, why not XG?
-
Leandro Gregorio commented
I'm very disappointed with my transition from pfSense to Sophos XG Firewall layer 8. Starting with a simple firewall rule creation needing to show me a country list.
My environment has a lot of VLANs (Servers, Cable network, Corporate Wifi (RADIUS), Guest Wifi, Telephony, CCTV). Without this feature I think that a lot of users are going to be configuring VLANs and DHCP Relay at the switch port.
Sophos, feedback to your users is important.
-
Jaco commented
+1 This "dummy" IP address also gets added as first remote host entry in ovpn config file when trying to vpn to the underlying VLAN adapter, as it's tagged in the same zone.
-
Computer Concepts commented
+1. I made the switch to Sophos from Cisco ASAs over the past couple of years. VLAN tagging has been available on that platform for years. This is extremely disappointing, especially when I see that other users have been making a feature request for over 2 years now.
-
cyberzeus commented
+1 - IP and L2 services should be orthogonal and not be tied to one another. Furthermore, one can - and often does - use L2 and not need L3 services and vice-versa...never a good idea to tie these together as it limits the possible configs AND provides no benefit...
-
Daniel Heinze commented
Why is that still not working after 2 years?
Is it possible to add this "feature"?
-
Chris commented
+1
-
Ian Rogers commented
As an extension/byproduct of this, allow VLANs on an interface to be configured with IPv4 / IPv6 addresses regardless of whether the main interface has them assigned.
Currently, to assign an IPv6 address to a VLAN, the interface must also have an IPv6 address.
-
James Gillies commented
Totally agree with this request. I have been able to do this for years in UTM, create an Ethernet VLAN sub-interface on my (Internal) trunked Interface and away you go - no need to create a dummy IP on the interface itself just to appease the UI logic.
-
Rob Grafton commented
This is certainly needed. It is present on the Cyberoam OS, Drayteks, SonicWalls and pretty much everything else. It just seems backwards that we need to create a physical port (that does not work) then another WAN port on top of that.
-
Bill Roland commented
I was baffled to see VLAN tagging is missing, but even Meraki in their woefully simple firewalls allows it.
-
Anonymous commented
Just as this works with UTM 9...
-
Anonymous commented
Sh17... so there are others having trouble with LAG IPs.......
-
lferrara commented
Even VLAN Tagging is missing as wanhafizi wrote. Needed VLAN layer 2 and VLAN TAG per interface.