VLAN & LAN - same interface

Alex_91

Good morning everyone, I need to exit from USG FLEX 100H firewall on some ports untagged and on others tagged (because on some ports I need to connect a device, while on others I need to connect to a switch). Is this feasible? I would like to keep the same gateway.

Zyxel_Melen

Hi @Alex_91

Do you mean some internal ports to be a VLAN member, and some ports are non VLAN member(general interface only)? Like this?

Please help to describe more if this is not what you want.

Alex_91

No, I mean exactly that an interface (for example ge3) is untagged on port 3 (IP:192.168.168.1/24) and tagged on port 4, but with VLANx (VLAN168) (Obviously Port4 VLAN 168 must have same IP of 192.168.168.1, same interface!).

Because a PC is connected to port 3, while a switch carrying other VLANs is connected to port 4.

PeterUK

Its not possible with one USG

I get your way of thinking so that the USG would know traffic is by P3 untagged to go out to the internet then the reply the USG would know the session was by P3 to send traffic to P3 not to VLAN 168 P4. Of course you then have the problem of NAT inbound to WAN to then have P3 with 192.168.168.1/24 and P4 VLAN 168 with 192.168.168.1/24 which the USG would not know unless a option say this port P3 or MAC.

Its a very advanced way of manipulating traffic…

Zyxel_Melen

Yes, the firewall does not allow to do this. You need to connect with a switch and use the switch that support VLAN to control the VLAN tag.