
RED device requirements and traffic behavior

Learn about the RED device requirements and traffic behavior.

Requirements

The following ports must be allowed by your ISP:

  • TCP 3400
  • UDP 3410
  • NTP 123

VLAN behavior in SD-RED 60

The following shows, for each LAN switch port mode, how VLAN and non-VLAN traffic is handled.

Untagged hybrid port (only one VLAN configuration is allowed)

  • VLAN traffic: Forwarded. Any VLAN traffic is forwarded without change.
  • Non-VLAN traffic: Forwarded. Non-VLAN traffic is tagged using the specified VLAN.

Untagged, drop-tagged access port (only one VLAN configuration is allowed)

  • VLAN traffic: Dropped. All VLAN traffic is dropped.
  • Non-VLAN traffic: Forwarded. Non-VLAN traffic is tagged using the specified VLAN.

Tagged trunk port (multiple VLAN ID configuration allowed)

  • VLAN traffic: Forwarded. Traffic matching configured VLANs is forwarded, and traffic that doesn't match is dropped.
  • Non-VLAN traffic: Dropped. Non-VLAN traffic is dropped.

Disabled

  • VLAN traffic: Dropped.
  • Non-VLAN traffic: Dropped.

Warning

You can only tag VLAN traffic in SD-RED 60 in standard/unified mode.

When you set the LAN switch port mode to VLAN, SD-RED 60 encapsulates tagged and untagged traffic over the RED tunnel. This means that you can configure your remote switch port to replicate head office VLAN separation.

Tip

If you need the VLAN guest network behind the RED device to use the local gateway, you can route this traffic through an XGS series desktop model.

RED with Wi-Fi module

The traffic is handled according to the operation mode and wireless traffic type. Before you set up a RED with a Wi-Fi expansion module, you must meet the requirements for the mode.

If you configure REDs with the Wi-Fi expansion module as wireless access points, they use DHCP option 234 to communicate with Sophos Firewall.

Requirements

The following requirements must be met for wireless traffic:

  • A RED interface must be available and must have an IP address.
  • DNS must be resolvable on the RED interface.
  • For standard/unified and standard/split modes, a DHCP server must be running on the RED interface.
  • For transparent/split mode, the remote DHCP server must provide DHCP option 234, which contains the IP address of the RED interface on the firewall site. (Otherwise, 1.2.3.4 is used.)
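To check what a remote DHCP server actually hands out before relying on transparent/split mode, the following added example (not Sophos code) parses a DHCP options area and returns the RED interface address from option 234, falling back to 1.2.3.4 when the option is absent or malformed. It assumes option 234 carries a single raw 4-byte IPv4 address; the sample option bytes are constructed, not captured.

```python
import ipaddress

# Assumption (not from the Sophos page): option 234 carries one raw IPv4
# address (4 bytes), encoded like the standard server-identifier option.
RED_INTERFACE_OPTION = 234
DEFAULT_RED_INTERFACE_IP = "1.2.3.4"  # fallback the page names
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def parse_dhcp_options(options: bytes) -> dict[int, bytes]:
    """Parse the DHCP options area (TLV list) into {code: value}.

    Skips the magic cookie if present, handles the single-byte pad (0) and
    end (255) options, and stops on a truncated TLV instead of over-reading.
    """
    if options.startswith(MAGIC_COOKIE):
        options = options[len(MAGIC_COOKIE):]
    parsed: dict[int, bytes] = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == 0:  # pad: single byte, no length
            i += 1
            continue
        if code == 255 or i + 1 >= len(options):  # end, or no length byte
            break
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:  # value cut short: truncated option
            break
        parsed[code] = value
        i += 2 + length
    return parsed


def red_interface_ip(options: bytes) -> str:
    """RED interface IP from option 234, or 1.2.3.4 if absent or malformed."""
    value = parse_dhcp_options(options).get(RED_INTERFACE_OPTION)
    if value is None or len(value) != 4:
        return DEFAULT_RED_INTERFACE_IP
    return str(ipaddress.IPv4Address(value))


# Constructed sample options areas (not captured traffic).
SAMPLE_WITH_234 = (MAGIC_COOKIE + b"\x35\x01\x02"      # 53: DHCPOFFER
                   + b"\x03\x04\xc0\xa8\x01\x01"       # 3: router 192.168.1.1
                   + b"\x00"                           # pad
                   + b"\xea\x04\x0a\x00\x00\x01\xff")  # 234: 10.0.0.1, then end
SAMPLE_WITHOUT_234 = MAGIC_COOKIE + b"\x35\x01\x02\x03\x04\xc0\xa8\x01\x01\xff"
```

Feed it the options bytes of an OFFER captured on the remote LAN; a 1.2.3.4 result means the remote DHCP server is not supplying option 234 and the RED will use the fallback.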

RED operation modes

Based on the RED operation modes, traffic is forwarded as follows:

  • Standard/unified mode: All traffic from the RED is sent to the firewall.
  • Standard/split mode: All traffic from the split networks is sent to the firewall. All other traffic is sent to the default gateway specified by the remote DHCP server. This is usually the router to which the RED is connected at the remote site.
  • Transparent/split mode: Only split networks are reachable through the firewall. All other networks are routed through the router at the remote site. The remote network also provides DHCP and DNS. In this case, the RED interface must obtain an IP address through the remote DHCP server.

Wireless traffic type

The workflow for each wireless traffic type is as follows:

  • Separate zone: All traffic from a separate zone network is sent to Sophos Firewall using Virtual Extensible LAN (VXLAN) protocol. The packets are encrypted while crossing the RED tunnel. The separate zone networks are connected to each other in Sophos Firewall. You must configure Sophos Firewall to allow separate zone traffic for the RED interface.
  • Bridge to AP LAN: The RED will bridge the SSID in the LAN network behind the RED. This includes LAN ports 1–4. Clients connected to this SSID are able to reach the RED tunnel endpoint interface on the firewall site if the firewall allows traffic from the RED network to the RED interface.
  • Bridge to VLAN:

    • Standard/unified: The RED will tag all traffic from clients connected to this SSID using the configured VLAN tag. Clients can reach all network devices with the same VLAN tag connected to LAN ports 1–4 and a VLAN-tagged interface on top of the tunnel endpoint interface on the firewall site.
    • Standard/split: The clients can reach all hosts behind the RED that own the same VLAN tag. Also, the tunnel endpoint is reachable if a VLAN interface is configured on top of the RED interface on the firewall site. The split networks can't be reached, as these are routed for untagged packets only.
    • Transparent/split: The clients can reach all hosts behind the RED that own the same VLAN tag on LAN ports 1–4 and on the WAN port. The split networks can't be reached, as these are routed for untagged packets only.