Wireless Hotspot Device Exception



I have set up Sophos UTM 9.411-3. I have connected it to a TP-Link access point and have set up an Internal wireless network & Guest Hotspot network. Both work fine and the hotspot webpage works when users connect to the guest network.


However, I have some devices (games consoles, mobile phones etc.) which I want to be connected to the network all the time but not on the internal network. How would I do this?


Many Thanks

  • Hi, Philip, and welcome to the UTM Community!

    I think you haven't gotten an answer because it's not clear exactly what you're asking...

    "I have some devices (games consoles, mobile phones etc.) which I want to be connected to the network all the time but not on the internal network."

    By that do you mean that you want those devices to be able to connect via WiFi to the Internet?  Are any (like the game consoles) connected via Ethernet cable to your internal network?  Can you add another Ethernet NIC to your device running UTM?

    "Internal wireless network & Guest Hotspot network."

    By that, do you mean that the TP-Link AP has the capability of two (and only two) separate WiFi SSIDs/networks and that you have bridged your Internal network with the Internal wireless network?  How does the TP-Link separate the traffic - using VLANs?  If so, what VLAN tags are you using?

    Cheers - Bob

  • In reply to BAlfson:

    Thanks for your reply Bob,


    Yes, I would like to connect these devices wirelessly to the WAN without connecting to Internal or requiring a code because of the hotspot.


    No, the TP-Link has the capability of up to 4 SSIDs. Traffic for internal wireless & guest wireless is separated via VLANs. Internal is VLAN 43 and Guest is VLAN 44.


    Many Thanks

  • In reply to Philip Wrangles:

    Hey Philip.

    It's fairly simple, actually. Create another VLAN interface on Sophos UTM and another SSID on TP-LINK bound to the same VLAN. Then configure DHCP server, firewall rules and web protection profiles as required, much like you have for your internal network. Also, don't forget to create a masquerade NAT to the new VLAN.



  • In reply to giomoda:

    Hello Giovani,

    Thank you for the response. I too thought this would work! However, when I set up another port group on VMware ESXi with another VLAN number and added the NIC to Sophos, I lost all communication. I had to plug directly into the firewall to get into WebAdmin. It appears that an error occurs on the WAN interface. After looking in the logs I can see Sophos is complaining of a Configuration change.

    Many thanks

  • In reply to giomoda:

    I found a similar thread with the same issues regarding addition of NICs.



  • In reply to Philip Wrangles:

    It was working before, right? You already had three interfaces, one for WAN with no VLAN tags and two for LAN and Guest, with VLAN tags, right?

    Perhaps your interfaces got reordered when you added another VLAN interface on the VM. It used to be a problem with ESXi. I don't know if this still happens as I have very little contact with ESXi.

    Check this and see if it helps you.

    Regards - Giovani
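
Added example (not part of any post in this thread, and not Sophos code): one way to check the reordering hypothesis raised above is to join the MAC-to-name pins in the UTM's udev rules with the MAC address of each virtual adapter as shown in the hypervisor. The rules file name mentioned in the comment, the function names, the MAC addresses and the port-group labels are assumptions or constructed samples.

```shell
#!/bin/bash
# Added example: which ethN does each virtual adapter end up as on the UTM?
# On the UTM the rules text would come from a file under /etc/udev/rules.d
# (assumed here to be 70-persistent-net.rules, the usual udev name).

# Constructed sample in the udev persistent-net rule format; MACs are made up.
SAMPLE_RULES='# PCI device 0x15ad:0x07b0 (vmxnet3)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:aa:bb:01", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0C:29:AA:BB:02", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:aa:bb:03", ATTR{type}=="1", KERNEL=="eth*", NAME="eth2"'

# Constructed "MAC port-group" list, as read off the VM's hardware settings.
SAMPLE_VMNICS='00:0c:29:aa:bb:01 WAN
00:0c:29:aa:bb:02 Trunk-43-44
00:0c:29:aa:bb:09 NewPortGroup'

# Print "mac name" for every rule that pins a MAC address to an interface name.
parse_rules() {
  sed -n 's/.*ATTR{address}=="\([0-9A-Fa-f:]*\)".*NAME="\([^"]*\)".*/\1 \2/p' |
    awk '{ print tolower($1), $2 }'
}

# $1 = rules text, $2 = "mac label" lines. Joins the two on MAC address and prints:
#   ethN label          adapter is pinned to ethN
#   UNPINNED mac label  adapter has no rule yet (newly added NIC)
#   STALE ethN mac      rule refers to a MAC the VM no longer has
map_nics() {
  { printf '%s\n' "$1" | parse_rules | sed 's/^/R /'
    printf '%s\n' "$2" | sed 's/^/V /'; } |
  awk '
    $1 == "R" { name[$2] = $3; rules[++n] = $2 }
    $1 == "V" && NF >= 3 {
      mac = tolower($2); seen[mac] = 1
      if (mac in name) print name[mac], $3
      else print "UNPINNED", mac, $3
    }
    END {
      for (i = 1; i <= n; i++)
        if (!(rules[i] in seen)) print "STALE", name[rules[i]], rules[i]
    }'
}

map_nics "$SAMPLE_RULES" "$SAMPLE_VMNICS"
```

A STALE line next to an UNPINNED one means an interface name that WebAdmin still refers to is bound to a MAC address the VM no longer presents.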



  • In reply to giomoda:



    I have tried to look into that additional thread you shared; however, I fail at the first step.


    When SSH'ed to VMware, the command "cd /etc/udev/rules.d" fails as the udev path doesn't exist.



  • In reply to Philip Wrangles:

    No, you got it wrong. SSH into the UTM or use the VM console.

    Regards - Giovani

  • In reply to giomoda:

    Ah, thanks Giovani. However, again the folder doesn't exist on the Sophos UTM.


    Kind Regards - Philip

  • In reply to Philip Wrangles:

    Philip, I don't see how this would be possible. This is a core Linux system component. Would you care to share a screenshot of what you are doing?

    Regards - Giovani

  • In reply to Philip Wrangles:

    Maybe you need a little background on using cd on Linux.

    Repeat the first command, but this time put a space between "cd" and "/etc/udev/rules.d".

    Regards - Giovani

  • In reply to giomoda:

    Must not be my day today!


  • All of your customer connections to the wireless system will be going out through your main internet connection. You will need sufficient bandwidth, which is generally not an issue unless you are also providing telephone service to your customers. But you will need to check with your internet provider (try reading the terms and conditions) to see if they have any restrictions on how many people can be connected to your system. The cable people are the most fussy; we haven't heard of any issues with DSL lines or satellite service.



  • In reply to Philip Wrangles:

    So, I'm again confused, Philip.  If you added an additional NIC to the VM in which the UTM is installed, then you will need to reboot the UTM before it will recognize the added NIC.  If the added NIC is different (e.g., E1000 instead of VMXNET3), then you will have to re-install from ISO as the UTM is not plug-n-play.  If this is ESXi, you will want to avoid the other NIC types and use VMXNET3.

    In any case, you shouldn't have needed an additional NIC in the VM hosting the UTM, just a new Interface definition in WebAdmin.

    Cheers - Bob