There are many use cases for running NG Firewall in Bridge mode, including placing it behind another firewall or working with ISP equipment that cannot be bridged. In a few cases you may also need to add VLAN tags to your bridged configuration. This article steps you through setting up VLAN interfaces in bridged mode and then making them the primary set of interfaces for all traffic passing through the NG Firewall.
IMPORTANT: Before proceeding with the steps outlined in this article on a device in production, make sure it is during a safe time to be taking down the network. You will need to make several changes that will prevent the normal flow of traffic until you are finished.
First, change your External interface to a currently unused IP address and subnet.
This step is required because NG Firewall does not allow two interfaces to be defined with the same IP scheme.
To illustrate what this step is intended to do, assume the current IP scheme is 10.10.1.0/24 and that traffic on that subnet must carry a VLAN tag to pass properly. Change the External interface to any currently unused subnet other than 10.10.1.0/24. The value chosen is completely arbitrary, as you will be disabling this interface at the end of this process.
Create your VLAN interfaces
The next step is to create the interfaces that will use the VLAN tags and bridge them to each other. This article outlines the process for doing this: Configure VLAN Interfaces in bridged mode
The External VLAN interface will be set up with the subnet originally on the External interface. Using the example from the previous step, that would be 10.10.1.0/24.
Disable the External and Internal Interfaces
Now that your VLANs are set up, you can disable the External and Internal interfaces, as they are no longer being used.
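As an added illustration (not part of the original article and not NG Firewall's own code), the following Python models the interface plan and re-runs the "no two interfaces with the same subnet" check after each step of the procedure above, showing why the External interface has to be moved first. The subnet values and VLAN tag are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Iface:
    name: str
    cidr: Optional[str] = None       # address/prefix; None for a bridged interface with no address
    enabled: bool = True
    vlan_id: Optional[int] = None
    bridged_to: Optional[str] = None

def conflicts(ifaces):
    """Pairs of enabled, addressed interfaces whose subnets overlap (NG Firewall rejects these)."""
    addressed = [(i.name, ipaddress.ip_interface(i.cidr).network)
                 for i in ifaces if i.enabled and i.cidr]
    return [(a, b) for n, (a, na) in enumerate(addressed)
            for b, nb in addressed[n + 1:] if na.overlaps(nb)]

def active_names(ifaces):
    return [i.name for i in ifaces if i.enabled]

def vlan_bridge_migration(original_cidr, temp_cidr, vlan_id):
    """Walk the article's steps, recording the overlap check after each one.
    Starts from a bridged pair: External holds original_cidr, Internal is bridged to it."""
    ifaces = [Iface("External", original_cidr), Iface("Internal", bridged_to="External")]
    log = []
    # What happens if step 1 is skipped: the new External VLAN collides with External.
    trial = ifaces + [Iface("External VLAN", original_cidr, vlan_id=vlan_id)]
    log.append(("skip step 1", conflicts(trial)))
    # Step 1: move External to a currently unused subnet (it must not overlap the original).
    ifaces[0].cidr = temp_cidr
    if conflicts(ifaces + [Iface("probe", original_cidr)]):
        raise ValueError("temporary subnet still overlaps the original subnet")
    # Step 2: create the VLAN pair; External VLAN takes the original subnet,
    # Internal VLAN (assumed to carry the same tag) is bridged to it.
    ifaces.append(Iface("External VLAN", original_cidr, vlan_id=vlan_id))
    ifaces.append(Iface("Internal VLAN", vlan_id=vlan_id, bridged_to="External VLAN"))
    log.append(("after steps 1-2", conflicts(ifaces)))
    # Step 3: disable the original External and Internal interfaces.
    for i in ifaces:
        if i.name in ("External", "Internal"):
            i.enabled = False
    log.append(("after step 3", conflicts(ifaces)))
    return log, ifaces

if __name__ == "__main__":
    # Constructed values: original subnet 10.10.1.0/24, temporary subnet 10.255.255.0/24, tag 100.
    log, final = vlan_bridge_migration("10.10.1.1/24", "10.255.255.1/24", 100)
    for step, found in log:
        print(f"{step}: {'conflict ' + str(found) if found else 'ok'}")
    print("active:", active_names(final))
```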
Now all that is left is to test that traffic flows as you expect. Congratulations! You've just set up VLAN-tagged interfaces as your primary bridged pair in NG Firewall!