Description:

This article describes how to set up a bridge in conjunction with VLAN on a LANCOM R&S®Unified Firewall.

VLANs cannot be stored directly in the bridge. The VLANs must instead be assigned to the Ethernet interfaces. The resulting VLAN interfaces can then be combined into a bridge.

If several VLANs are operated, the configuration quickly becomes very complicated because each VLAN must be assigned to all of the Ethernet interfaces in the bridge (e.g. two VLANs and two Ethernet interfaces will produce four VLAN interfaces). Furthermore, each VLAN requires the creation of a separate bridge group. This is necessary so that each VLAN can be assigned its own network.


Requirements:

  • LCOS FX as of version 10.12
  • Web browser for configuring the Unified Firewall

    The following browsers are supported:
    • Google Chrome
    • Chromium
    • Mozilla Firefox

Scenario:

  • The Ethernet interfaces eth1 and eth2 should be combined into a bridge.
  • The VLANs 100 and 200 should be used in the bridge.
  • A separate network should be created for each VLAN.
    • VLAN 100 has the IP address range 192.168.100.0/24.
    • VLAN 200 has the IP address range 192.168.200.0/24.

Procedure:

1) Configuring the VLAN interfaces and the bridge:

1.1) Using the web interface, navigate to the menu Network → Interfaces → VLAN Interfaces and click on the “+” icon to create a new VLAN interface.

1.2) Create the VLAN interfaces for VLAN 100 on the Ethernet interfaces eth1 and eth2.

  • For the first VLAN interface, enter the following parameters and click Create:
    • Master Interface : Select the first Ethernet interface (in this case eth1).
    • VLAN Tag : Enter the VLAN-ID 100.

  • For the second VLAN interface, enter the following parameters and click Create:
    • Master Interface : Select the second Ethernet interface (in this case eth2).
    • VLAN Tag : Enter the VLAN-ID 100.

1.3) Create the VLAN interfaces for VLAN 200 on the Ethernet interfaces eth1 and eth2.

  • For the third VLAN interface, enter the following parameters and click Create:
    • Master Interface : Select the first Ethernet interface (in this case eth1).
    • VLAN Tag : Enter the VLAN-ID 200.

  • For the fourth VLAN interface, enter the following parameters and click Create:
    • Master Interface : Select the second Ethernet interface (in this case eth2).
    • VLAN Tag : Enter the VLAN-ID 200.

1.4) Navigate to the menu Network → Interfaces → Bridge Interfaces and click on the “+” icon to create a new bridge.

1.5) Create a bridge for VLAN 100 and, under Ports, select the VLAN interfaces created in step 1.2 (in this example vl100eth1 and vl100eth2).

Then click Create.

1.6) Create a bridge for VLAN 200 and, under Ports, select the VLAN interfaces created in step 1.3 (in this example vl200eth1 and vl200eth2).

Then click Create.


2) Creating the networks:

2.1) Change to the menu Network → Connections → Network Connections and click on the “+” icon to create a new connection.

2.2) Create a new network connection for VLAN 100 and modify the following parameters. Then click Create.

  • Name : Enter a descriptive name for the network connection (in this example Bridge-VLAN-100).
  • Interface : From the drop-down menu, select the bridge created in step 1.5 (in this case br0).
  • IP Addresses : Enter the required IP address for this connection in CIDR notation, in this example 192.168.100.254/24.

2.3) Create a new network connection for VLAN 200 and modify the following parameters. Then click Create.

  • Name : Enter a descriptive name for the network connection (in this example Bridge-VLAN-200).
  • Interface : From the drop-down menu, select the bridge created in step 1.6 (in this case br1).
  • IP Addresses : Enter the required IP address for this connection in CIDR notation, in this example 192.168.200.254/24.

2.4) Click the "Create a network" button to create desktop objects for the networks.

2.5) Create a desktop object for the network with VLAN 100 and modify the following parameters. Then click Create.

  • Name : Enter a descriptive name for the network (in this example Bridge-Network-VLAN-100).
  • Interface : From the drop-down menu, select the bridge created in step 1.5 (in this case br0).
  • Network IP : Enter the network address of the network connection created in step 2.2 in CIDR notation (in this example 192.168.100.0/24).

2.6) Create a desktop object for the network with VLAN 200 and modify the following parameters. Then click Create.

  • Name : Enter a descriptive name for the network (in this example Bridge-Network-VLAN-200).
  • Interface : From the drop-down menu, select the bridge created in step 1.6 (in this case br1).
  • Network IP : Enter the network address of the network connection created in step 2.3 in CIDR notation (in this example 192.168.200.0/24).

2.7) Finally, implement the changes by clicking Activate.
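
Before working through the procedure for more VLANs or ports than in this scenario, the objects it will create can be planned and checked offline. The following Python sketch is an added example, not part of the original article and not a LANCOM tool; it generalizes steps 1 and 2 to any number of VLANs and Ethernet interfaces. The function names and the assumption that bridges are numbered br0, br1, ... in creation order are illustrative.

```python
import ipaddress

def build_plan(eth_ports, vlans):
    """vlans maps VLAN ID -> firewall address in CIDR notation, e.g. {100: "192.168.100.254/24"}."""
    plan = {"vlan_interfaces": [], "bridges": [], "connections": []}
    seen = []
    for idx, (vid, cidr) in enumerate(sorted(vlans.items())):
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN ID {vid} is outside 1-4094")
        addr = ipaddress.ip_interface(cidr)
        net = addr.network
        if addr.ip in (net.network_address, net.broadcast_address):
            raise ValueError(f"{cidr} is not a usable host address")
        if any(net.overlaps(other) for other in seen):
            raise ValueError(f"{net} overlaps the network of another VLAN")
        seen.append(net)
        bridge = f"br{idx}"  # assumption: bridges are numbered in creation order
        ports = []
        for eth in eth_ports:  # one VLAN interface per (VLAN, Ethernet port) pair
            name = f"vl{vid}{eth}"  # naming as shown in steps 1.5 and 1.6
            plan["vlan_interfaces"].append({"name": name, "master": eth, "tag": vid})
            ports.append(name)
        plan["bridges"].append({"name": bridge, "ports": ports})
        plan["connections"].append({"name": f"Bridge-VLAN-{vid}", "interface": bridge,
                                    "ip": str(addr), "network": str(net)})
    return plan

def mixed_tag_bridges(plan):
    """Names of bridges whose ports carry different VLAN tags (this would join two VLANs at layer 2)."""
    tag = {v["name"]: v["tag"] for v in plan["vlan_interfaces"]}
    return [b["name"] for b in plan["bridges"]
            if len({tag[p] for p in b["ports"]}) > 1]

if __name__ == "__main__":
    # Values taken from the scenario in this article
    plan = build_plan(["eth1", "eth2"],
                      {100: "192.168.100.254/24", 200: "192.168.200.254/24"})
    for kind, items in plan.items():
        print(kind)
        for item in items:
            print("  ", item)
    print("bridges mixing VLAN tags:", mixed_tag_bridges(plan))
```
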


Further steps:

Below you will find suitable articles for further configuration: