
Guest WLAN Options with non Sophos AP

Hello,

I have on my UTM 4 ports in use: LAN, WAN, DMZ1, and DMZ2. I have an Access Point (non Sophos) in the LAN network. As I understand, I can't use the Sophos Access Point Management for my AP. I would like to set up a Guest Network to separate this network from the LAN segment, and set up different firewall rules.

As all the ports are used on my Sophos, what would be the option to set up the Guest Network?

Thx

Sally



  • VLANs would be your best option.  I use 2 rt-ac68u equivalents (one real, the other a Netgear R7000 flashed with Merlin's firmware fork) in opposite corners of the house.  Both have a guest wifi with limited web use configured.  This guest wifi is bound to a VLAN separate from the main wifi binding.  By default, I believe guest wifi only uses a different SSID, but the network IP assignments are in the same subnet as non-guest wifi (which defeats the purpose of having guest wifi in the first place!).

    Anyway, the setup was convoluted.  I had to define separate VLANs on the RT, along with ebtables commands to isolate the guest wifi from any guests on the same wired VLAN.

    Read more here - https://www.snbforums.com/threads/guest-network-in-access-point-mode.7021/#post-360410 , posts by gpz1100

  • Hi Jay Jay,

    thanks for the information. I was wondering if I can set up the VLAN on the DD-WRT router, and control the access on the Sophos UTM with the firewall. All the ports on the Sophos UTM are connected, and the AP has an internal LAN address. Can I change the internal LAN Ethernet interface on the Sophos to an Ethernet VLAN interface?

    When changing to Ethernet VLAN (LAN network), do I also need a managed switch for this, to set internal traffic as untagged and traffic from the DD-WRT guest WLAN as tagged?

    Thx

    Sally

  • I'm unfamiliar with how to set up VLANs using DD-WRT. You'll need to do further research.  On this end, UTM does handle everything else (DHCP, DNS, etc.) for the VLAN.  On UTM, define a VLAN interface as a sub-interface of the LAN interface. You'll need to treat it as an independent interface, establishing masquerading, and add it to web filtering and other functions (DNS, DHCP, etc.).

    You'll also need to pass it through the network somehow.  I have all VLANs tagged off the main internal interface.  There are several switches (rt-ac68u's and R7000) in the home network.  Each has vlan0 as untagged and everything else tagged.  You'll have to bridge the guest wifi with the tagged VLAN in DD-WRT.  I don't recall being successful with DD-WRT, which is why I ultimately reverted to Merlin's firmware.

  • Thanks Jay Jay for the information. I have no physical port free anymore on my UTM. When I change the Ethernet LAN interface to VLAN and set a VLAN tag, does the interface still allow untagged traffic from the LAN as well, or just tagged traffic?

    Thx

    Sally

  • Hi Sally,

    When you add a VLAN tag to an interface it will only transport tagged traffic. You can define multiple VLAN interfaces on one physical interface. You can use a managed switch: connect the UTM interface holding the VLAN interfaces to a trunk port of your switch and forward packets of a certain VLAN untagged to all or some defined ports of the switch.

    Cheers

    Philipp

  • I think Philipp's answer above addresses your question well.

    Here's an example of vlan config on a basic netgear r7000 (in AP mode) with fork of merlin's firmware.

    -----------------

    admin@R7000:/tmp/home/root# robocfg show
    Switch: enabled
       1: vlan1: 0 1 3 4 5t
       3: vlan3: 0t 1t 2 3t 4t 5t
       4: vlan4: 0t 1t 2t 3t 4t 5t

    ---------------------------

    I have a single cable coming out of the utm for the local lan and its vlans.  This is connected to physical port 1 on the switch (vlan trunk).

    The numbers after the vlan name map to physical ports as follows:

    0 = physical port 1
    1 = physical port 2
    2 = physical port 3
    3 = physical port 4
    4 = physical port 5
    5 = switch internal port (required).
    t = tagged

    You can only have one untagged vlan (vlan1 in the example above) per physical port.

    Note vlan3, it's tagged on all physical ports but port 3.  The device connected to this port has no vlan capability.  But because it's trunked on a different port, communication still happens on vlan3 only.

    Google vlan and vlan trunks.  This might be a good starting point - https://en.wikipedia.org/wiki/Virtual_LAN .
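    As an added example (not the poster's own tool or firmware output), here is a small Python parser for the robocfg listing above that checks the one-untagged-VLAN-per-port rule and lists which physical ports deliver a given VLAN untagged, so you can confirm the guest VLAN only reaches the port it should. The switch-port-to-physical-port mapping is the one given in the post; the sample text is copied from it.

```python
import re
from collections import defaultdict

# Sample `robocfg show` output, copied from the post above (constructed input
# for this example). Switch ports 0-4 are physical ports 1-5; 5 is the
# internal (CPU-facing) port, as the post explains.
ROBOCFG_SHOW = """\
Switch: enabled
   1: vlan1: 0 1 3 4 5t
   3: vlan3: 0t 1t 2 3t 4t 5t
   4: vlan4: 0t 1t 2t 3t 4t 5t
"""

PORT_NAMES = {0: "port1", 1: "port2", 2: "port3", 3: "port4", 4: "port5", 5: "internal"}
VLAN_LINE = re.compile(r"^\s*\d+:\s*vlan(\d+):\s*(.*)$")


def parse_robocfg(text):
    """Return {vlan_id: {port_name: 'tagged' | 'untagged'}} from robocfg output."""
    vlans = {}
    for line in text.splitlines():
        m = VLAN_LINE.match(line)
        if not m:
            continue  # skip 'Switch: enabled' and anything that is not a vlan row
        vid = int(m.group(1))
        members = {}
        for tok in m.group(2).split():
            tagged = tok.endswith("t")        # trailing 't' means 802.1Q tagged
            port = int(tok.rstrip("t"))
            members[PORT_NAMES.get(port, f"port{port}")] = "tagged" if tagged else "untagged"
        vlans[vid] = members
    return vlans


def untagged_conflicts(vlans):
    """Physical ports carrying more than one VLAN untagged (an invalid config)."""
    by_port = defaultdict(list)
    for vid, members in vlans.items():
        for port, mode in members.items():
            if mode == "untagged":
                by_port[port].append(vid)
    return {p: sorted(v) for p, v in by_port.items() if len(v) > 1}


def access_ports(vlans, vid):
    """Ports where VLAN `vid` arrives untagged, i.e. where a non-VLAN-aware device sees it."""
    return sorted(p for p, mode in vlans.get(vid, {}).items() if mode == "untagged")
```

    Running `access_ports(parse_robocfg(ROBOCFG_SHOW), 3)` confirms that vlan3 is delivered untagged on port3 only, matching the description of the non-VLAN-capable device on that port.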

  • Thx, now it's clear on the router side for me, but how do I do this then on the UTM side?

    Sally

  • You need to define the interface, dhcp service, add vlan network to dns service allowed networks, web filtering, etc.  Basically any services you want utm to handle for the vlan.  It's like defining a separate network and services/rules for it.