
Noobish Network Guy Looking for Help with Guest wifi on Separate VLAN

This is likely a very simple problem but, being a beginner networking \ firewall guy, I'm having some trouble.

 

Background:

 

Two Sophos UTM 135 Firewalls configured in HA active \ Passive Mode.

 

VLANs involved:

 

Default VLAN which is VLAN 1 for us. - Network involved 192.168.0.0/24

Guest Wifi VLAN which is VLAN 20 - Network involved 10.0.20.0/24

 

I have a few VLANs set up, but the one in question I'm working with is VLAN 20, which is a guest wifi VLAN. All of my networking and VLAN config on the switches appears to be working correctly.

In fact I can get everything to work if I create an outbound rule allowing Guest Wifi (Network) ---> Service "ANY" --> "Any"

The fact that this is a guest Wifi network makes me prefer to only allow traffic out the external interface. Or is there advice on the best way to go about this?

The Rule I have in place currently is the following: Guest Wifi (Network) --->  Service "ANY" -->  "External (WAN) (Network)"

As soon as I change "Any" to "External (WAN) (Network)" for the destination of that rule, all traffic starts getting blocked from wifi devices on the Guest Wifi network.

 

Other items to note:

The UTM is running DHCP for this VLAN and that is working correctly. 

I have created a masquerading NAT rule with the following details: Guest Wifi (Network) --> Uplink Interfaces.

I have gone into the DNS tab under "Network Services" and allowed the Guest Wifi (Network)

 

Really what I want to do is provide a barrier between the guest wifi VLAN 20 and my internal LAN on VLAN 1.

Thoughts on where I am going wrong?

 

Thanks Guys,

Dan

  • Hi,

    two items:

    1/. VLAN 1 is the default management VLAN on most devices, so you should maybe use VLAN 2.

    2/. The reason traffic stops when you change to WAN is because none of your traffic is going to that IP address.

     

    To block access to your local network, create a rule at the top that blocks traffic between the two networks - source vlan 20 -> any -> vlan 2 -> drop.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks Ian!  That worked perfectly.  Appreciate the help!

     

    I'm stuck with VLAN 1 for a bit but I agree it seems to be the consensus it shouldn't be used.  

     

    Dan

  • Hi Dan and welcome to the UTM Community!

    VLAN 1 is reserved in the UTM for Wireless Protection, so you will want to do as Ian suggests.

    You might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests."  If you would like me to send you this document, PM me your email address.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Yes please Balfson, greatly appreciated!  I'll send over a PM shortly.
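The behaviour Ian describes can be checked with a small first-match rule evaluator. This is an added example, not code from the thread or from Sophos; it uses the two networks Dan posted (VLAN 20 = 10.0.20.0/24, VLAN 1 = 192.168.0.0/24), a constructed placeholder WAN subnet and constructed sample hosts, and assumes the UTM's default of dropping traffic that matches no rule.

```python
import ipaddress

# Networks from the thread plus constructed placeholders (TEST-NET ranges)
GUEST_WIFI = ipaddress.ip_network("10.0.20.0/24")    # VLAN 20
INTERNAL = ipaddress.ip_network("192.168.0.0/24")    # VLAN 1 (internal LAN)
WAN_NET = ipaddress.ip_network("203.0.113.0/29")     # constructed "External (WAN) (Network)"
ANY = ipaddress.ip_network("0.0.0.0/0")

GUEST_CLIENT = "10.0.20.50"      # constructed guest wifi device
INTERNET_HOST = "198.51.100.10"  # constructed public web server
INTERNAL_HOST = "192.168.0.10"   # constructed internal LAN host


def evaluate(rules, src, dst):
    """First-match evaluation, service ANY as in the thread (ports ignored).

    Returns (action, rule name); unmatched traffic falls to the implicit drop.
    The firewall sees the original destination IP: masquerading is applied
    afterwards, so NAT does not change which rule matches.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, s_net, d_net, action in rules:
        if src in s_net and dst in d_net:
            return action, name
    return "drop", "implicit default"


# Dan's second rule: destination is the WAN *subnet*. A guest browsing to an
# internet host never sends packets to that subnet, so nothing matches.
RULES_WAN_DEST = [("guest->WAN network", GUEST_WIFI, WAN_NET, "allow")]

# Ian's fix: explicit drop to the internal LAN at the top, then allow to Any.
RULES_ISOLATED = [
    ("guest->internal drop", GUEST_WIFI, INTERNAL, "drop"),
    ("guest->any allow", GUEST_WIFI, ANY, "allow"),
]

# Same two rules in the wrong order: allow-to-Any matches first and the
# drop rule is never reached, so the guest VLAN can still reach the LAN.
RULES_WRONG_ORDER = list(reversed(RULES_ISOLATED))

if __name__ == "__main__":
    for label, rules in [("WAN-network destination", RULES_WAN_DEST),
                         ("drop rule on top", RULES_ISOLATED),
                         ("allow rule on top", RULES_WRONG_ORDER)]:
        for dst in (INTERNET_HOST, INTERNAL_HOST):
            action, name = evaluate(rules, GUEST_CLIENT, dst)
            print(f"{label:24} {GUEST_CLIENT} -> {dst:15} {action:5} ({name})")
```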
