Bridge interfaces

You can set up a bridge interface over physical and virtual interfaces.

Bridges enable you to configure transparent subnet gateways. You can create bridge interfaces with or without an IP address assigned to them.

Sophos Firewall drops traffic related to bridge interfaces without an IP address if the traffic matches a firewall rule with web proxy filtering or if it matches a NAT rule. These dropped packets aren't logged. To prevent packets from being dropped because of NAT rules, you must specify the override source translation setting.

To turn on routing on a bridge interface, you must assign an IP address to it. You can't turn on VLAN filtering on routed traffic.

To allow traffic between bridged interfaces, you must create a firewall rule allowing traffic between the zones assigned to the interfaces. For example, for bridged interfaces configured with LAN zones, create a firewall rule to allow traffic from LAN to LAN.

You can create bridge interfaces in the following setups:

  • Bridge over physical interfaces, such as ports and RED devices.
  • Bridge over virtual interfaces, such as VLANs and LAGs. The VLAN can be on a physical or virtual interface. It can also be on physical interfaces that are bridge members.

You can turn on STP (Spanning Tree Protocol) to prevent bridge loops, which occur due to redundant paths. You can filter VLAN traffic passing through a bridge interface based on the VLAN IDs. Additionally, you can filter Ethernet frames based on the EtherTypes.
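A way to check a planned bridge configuration against the drop and routing conditions described above, as an added example: this is a constructed policy model in Python, not Sophos Firewall code or its API; the Bridge, FirewallRule and NatRule types and matching rules by source and destination zone are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Bridge:
    name: str
    members: Dict[str, str]          # member interface -> zone, e.g. {"Port1": "LAN"}
    ip: Optional[str] = None         # None models a bridge without an IP address
    vlan_filtering: bool = False     # filtering by VLAN ID on the bridge

@dataclass
class FirewallRule:
    src_zone: str
    dst_zone: str
    web_proxy: bool = False          # rule applies web proxy filtering

@dataclass
class NatRule:
    src_zone: str
    dst_zone: str
    override_source_translation: bool = False

def audit_bridge(bridge: Bridge, fw_rules: List[FirewallRule],
                 nat_rules: List[NatRule]) -> List[str]:
    """Return findings for bridged traffic that would be blocked or silently dropped."""
    findings = []
    zones = sorted(set(bridge.members.values()))
    for src in zones:
        for dst in zones:
            fw = [r for r in fw_rules if (r.src_zone, r.dst_zone) == (src, dst)]
            if not fw:  # no rule between the member zones: traffic isn't allowed
                findings.append(f"{bridge.name}: no firewall rule {src}->{dst}, bridged traffic is blocked")
                continue
            if bridge.ip is not None:
                continue  # routed bridge: the unlogged-drop conditions don't apply
            if any(r.web_proxy for r in fw):
                findings.append(f"{bridge.name}: {src}->{dst} hits a web proxy rule, dropped without logging")
            for n in nat_rules:
                if (n.src_zone, n.dst_zone) == (src, dst) and not n.override_source_translation:
                    findings.append(f"{bridge.name}: {src}->{dst} NAT rule lacks override source translation, dropped without logging")
    if bridge.ip is not None and bridge.vlan_filtering:
        findings.append(f"{bridge.name}: VLAN filtering can't be applied to routed traffic")
    return findings

# Constructed sample: LAN-to-LAN bridge without an IP, a web proxy rule and a NAT rule without override.
SAMPLE_BRIDGE = Bridge("br0", {"Port1": "LAN", "Port2": "LAN"})
SAMPLE_FINDINGS = audit_bridge(SAMPLE_BRIDGE, [FirewallRule("LAN", "LAN", web_proxy=True)], [NatRule("LAN", "LAN")])
FIXED_FINDINGS = audit_bridge(SAMPLE_BRIDGE, [FirewallRule("LAN", "LAN")],
                              [NatRule("LAN", "LAN", override_source_translation=True)])
if __name__ == "__main__":
    print("\n".join(SAMPLE_FINDINGS or ["no findings"]))
```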