
No WiFi-connectivity with 3rd party AP, only in router mode

I tried to expand my network. At the moment it is all wired. I have an ASUS RT-AC87U consumer grade router. It's possible to set it into access point mode. I did so. Furthermore, I gave it a static IP in the range I wanted to use for the WLAN-VLAN. My configuration is as follows:

ASUS RT-AC87U in AP mode, IP static x.x.6.100

The AP is plugged into a VLAN capable switch, into a port which is mapped to VLAN 6.

The UTM has a WLAN_VLAN interface with the same VLAN ID (6). A DHCP server (in UTM) is running for this interface with an IP range x.x.6.0 - x.x.6.99. The AP itself has two static entries: x.x.6.100 for the 2.4GHz band and x.x.6.101 for the 5GHz band (it has two distinct MAC addresses).

With this configuration clients won't be able to access the Internet and very often not even the WiFi. They also do not show up in the IPv4 lease table in UTM. The AP's management interface isn't reachable under its IP. UTM says "no route to host". To access the GUI I have to set a static IP on my computer in the x.x.6.x range.

The same is true for the situation when the ASUS RT-AC87U is in router mode (same configuration as above). But now the router handles DHCP itself, all the clients get connected and have internet connectivity - when I disable SSL scanning. But with this configuration I am not able to let the devices communicate with each other if they are in different VLANs. (Say a hardwired printer in the printer VLAN and a laptop connected to the WiFi.)

Any idea what went wrong? I basically followed this FAQ: How-To use a wireless router with the UTM.



  • Do you use 802.1q VLAN protocol? Because that's what Sophos is using.

    Did you configure the default gateway on the x.x.6.100 and x.x.6.101 to point to the UTM on the (also statically configured) x.x.6.y interface?

    And did you also configure masquerading rule for this subnet?


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Indeed, I am using the 802.1q VLAN protocol and NAT rules are set (e.g. VLAN_WLAN -> Internal, or VLAN_WLAN -> external).

    Could you go into more detail about the gateway? I cannot configure every client, e.g. some devices like a Google Chromecast have no management interface to do so, they just rely on getting an IP from the DHCP server. They were connected to the WiFi beforehand and WiFi credentials haven't changed (same SSID and same WPA2 key).

  • The 2 interfaces of the access point (2.4 and 5 GHz) have their own IP addresses set. I suppose they are set as static addresses. In that case you should also configure the default gateway (which should be the UTM on this VLAN interface). Also the UTM should have a statically configured IP address in the x.x.6.x range (but if you have a DHCP server configured on the UTM, that should be okay).

    Can you show a picture of how the VLAN interface on the UTM is configured and also a picture of the DHCP server for this interface?

    When using DHCP there's no need to manually configure each wireless client (so should be no problem for chromecast and other devices).


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • The two WiFi Bands have their own static IP set in UTM:

    Concerning the default gateway: Isn't the UTM always the x.x.x.0 of each interface I create? My UTM's IP is 10.2.3.4, but the VLAN_WLAN interface is set to 10.2.6.60:

    Then the DHCP server is using that interface and has a certain range of IPs (note that the static IPs are out of the range!). The default gateway is set to the interface's IP address, as well as the DNS server 1.

    I'm happy to improve all those settings if anything isn't properly configured!

    Thank you in advance!

  • In a /24 network the address x.x.x.0 is always the network address (this address cannot be associated with any client) and x.x.x.255 is always the broadcast address, which also cannot be assigned to any client. But in your DHCP settings everything seems fine related to the gateway (10.2.6.60, which is also the VLAN interface address of the UTM).

    I do see one thing though... Your UTM interface has 10.2.6.60 and 10.2.6.60 is also your first address in the DHCP scope. This could theoretically lead to 10.2.6.60 being handed out to another client, so it's better to change the start address to 10.2.6.61. Other than that, everything looks fine, so maybe it is time to further dig into your switch and to what kind of ports all your equipment is connected.

    Can you check if any device connecting to WiFi gets an IP address in the 10.2.6.x range? If none get an address, then I suspect something on your switch is not configured as it should be.

    The switch connected to your UTM eth0 should use a tagged VLAN6 port to connect to the UTM, since UTM also uses tagged packets. Then most likely the access points need to be connected to an untagged port which is also in VLAN6 on the switch. (I say most likely since by default access points are not configured as tagged (VLAN) devices. If in your case they are, then the switch ports where the access point is connected should also be a tagged VLAN6).

    Does this give you enough information to further check what might be wrong?


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
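An added example, not code from this thread or from Sophos UTM, that encodes the scope checks made in the reply above: the gateway must not sit inside the DHCP pool, the network and broadcast addresses of a /24 can never be handed out, and static addresses must be in the subnet but outside the pool. The addresses are taken from the values posted in the thread (10.2.6.60/24, pool .60-.99, statics .100 and .101).

```python
"""Sanity-check a DHCP scope against its VLAN interface and static assignments.
Added example (not from the thread or Sophos UTM); input values are constructed
from the addresses discussed above."""
import ipaddress


def check_scope(interface, pool_start, pool_end, statics):
    """Return a list of problems found; an empty list means the layout is consistent."""
    iface = ipaddress.ip_interface(interface)      # e.g. "10.2.6.60/24" (UTM VLAN interface)
    net = iface.network
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    problems = []

    if start > end:
        problems.append("pool start is after pool end")
    for label, addr in (("pool start", start), ("pool end", end)):
        if addr not in net:
            problems.append(f"{label} {addr} is outside {net}")

    # x.x.x.0 and x.x.x.255 of a /24 can never be assigned to a client
    for label, addr in (("network address", net.network_address),
                        ("broadcast address", net.broadcast_address)):
        if start <= addr <= end:
            problems.append(f"pool includes the {label} {addr}")

    # the gateway (the interface IP) inside the pool may be leased to a client
    if start <= iface.ip <= end:
        problems.append(f"interface/gateway {iface.ip} lies inside the pool; start at {iface.ip + 1}")

    # static addresses (the AP's two radios) must be in the subnet but outside the pool
    for s in statics:
        a = ipaddress.ip_address(s)
        if a not in net:
            problems.append(f"static {a} is not in {net}")
        elif start <= a <= end:
            problems.append(f"static {a} collides with the pool")
    return problems


if __name__ == "__main__":
    # constructed input mirroring the thread: pool starts on the interface IP
    for p in check_scope("10.2.6.60/24", "10.2.6.60", "10.2.6.99",
                         ["10.2.6.100", "10.2.6.101"]):
        print(p)
```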