There’s a succinct overview of interfaces in the USG 50 Command Line Interface manual, named “ZyWall USG 50_4.pdf”, on their site.
To learn about tagging, read about IEEE 802.1q.
The USG-50 manual gives a few pages to vlans, and no examples, which is a shame, because good examples will help people learn. Before discussing vlans, I need to define the term interface. In this router, it’s analogous to an ethernet interface card with a single IP address, except it is largely virtualized. An interface is the IP address where the router exists within a network’s IP address space. The router has four Ethernet ports for LANs, but none of these is an interface — interfaces are associated with ethernet port roles, each of which is associated with one or more ethernet ports. The router has three port roles: LAN1, LAN2, and DMZ. It seems like these roles cannot be changed (but you can rearrange the ports to be in different roles).
You can create a virtual interface that will appear at another IP address within the lan. (In Linux these used to be called aliases, and they have names like lan1:1.)
The interface connecting a vlan to the router is the vlan interface. The vlan interface is like a virtual interface; it has an IP address, and the vlan’s nodes send traffic to the router through that IP address.
The basic rule of vlans is that one interface can have multiple vlan interfaces. So, if you have the default setup for the ethernet ports P3 – P6, the interface lan1 is on ports P3 and P4, and they are basically connected like a switch, in hardware. lan1 is the interface. You can add one or more vlan interfaces to lan1.
Suppose we had two vlans on our switches, and they uplinked via port P3. You would set up two vlan interfaces, vlan1 and vlan2. Vlan1 would have an ip address, e.g. 10.20.12.254. Vlan2 would have a different ip address, e.g. 10.20.10.254. You could set the gateways to the WAN IP address, but I think you can leave this blank and it’ll default to the wan trunk (so the router will choose).
A vlan cannot span two interfaces. That is to say, you cannot create a vlan with the same name and assign it to two interfaces, hoping that the vlan’s traffic is routed across the interface. This isn’t a failure of the router. By definition, a vlan is just like a lan; a lan has one address on the router. The router then routes traffic between lans.
(However, vlan traffic should cross between P3 and P4, because that’s a switch, and they have the same interface. I say “should” because this hasn’t been tested, and it’s not noted in the docs so far. If the switch passes traffic, it’ll solve my dilemma about dual networks, below.)
An unusual setup is to have two distinct IP lans on a single switch. In that setup, the two IP lans cannot talk to each other. At least one of the networks would have static addresses. It’s not clear how this would work with vlans and the usg-50. The vlan interface has an IP address, and all the vlan traffic can communicate only with that IP address. If you try to create two vlan interfaces with the same vlan ID, it isn’t allowed.
You shouldn’t put two IP lans on one vlan, anyway. It’s bad form. You’ll have broadcast traffic across the two lans that both lans will see, and need to process, consuming CPU. The whole point of having vlans is to mitigate the effects of broadcast traffic. So use the vlans feature to create two separate IP lans, one per vlan. Then it’ll be easy to set up the vlans to route through the router.
VLANs and uplink at the switch
Remember, at the switch, make the uplink port a tagged port (a vlan trunk in Cisco terminology), so the uplink connection to the router will pass all the vlans traffic to the router. Read this to learn a bit about the differences in terminology between Cisco and the 802.1q standard.
VLANs everywhere, or just some places? (Gripe Section)
The network I’m reconstructing has around 60 nodes, and it’s already split into two networks. I want to connect the entire thing into one giant LAN, then separate it into VLANs. The only problem is, there might not be adequate wiring to do this, as some things have changed between the planning phase and execution phase, as usual.
If, as noted above, ports P3 and P4 aren’t really on the same switch, and it doesn’t pass vlan traffic across the two segments, then I’m in trouble. (And even if it does – will passing that much traffic burn out the ports?) So now I have to contemplate using two physically separate networks. The big pain in the butt is that now, if I put a node on network 1, it cannot participate in network 2, and vice versa.