
How do I have one SSID bridged to AP LAN and one SSID bridged to VLAN?

Hello

I'm trying to get the following working:

I want one SSID for access of the internal network (without vlan tagging, 192.168.43.xx) -> Bridge to AP LAN

And one SSID for our guest network (with vlan tag 40, 172.16.29.xxx) -> Bridge to VLAN

Now I want to enable this on our UTM 9.4 but it's refusing this config.

Error

The VLAN settings of the access point 'xxx' conflicts with the client traffic option: 'Bridge to VLAN' of the SSID 'guestnet'.

Enabling VLAN tagging on the AP:

The VLAN settings of the access point 'xxx' conflicts with the client traffic option: 'Bridge to AP LAN' of the SSID 'internalnet'.

In the manual on page 435 I found the following:

<quote>

• Bridge to AP LAN: You can bridge a wireless network into the network of an access point, that means that wireless clients share the same IP address range.

Note – If VLAN is enabled, the wireless clients will be bridged into the VLAN network of the access point.

</quote>

but this isn't working?

Can anybody help me?

Thanks

Tobi



  • Hello All:

     

    I'm not sure if people still need an answer to this or not, but I have figured it out on my own. Yes, I did search around a little on the internet for a "quick" response, but after finding several posts with people having the same issues but no answer, I figured I would post "the answer", or the "answer" that I did here and that worked.

     

    First, I have Sophos 9.414.2 running at home on a physical small form factor machine. I have 2 switches (Cisco SG300 28P) and one of the two is set up as a Layer 3. In order to get WWW access (for a few that I saw wondering how to do it): I set an IP on the LAN Interface (10.143.9.1/32) and created a "Static Route" on the Sophos for my Internal LAN (10.143.8.0/24) as the "Network", with the Gateway being the "IP Default Gateway" of my VLAN 9 (10.143.9.254). On my Layer 3 Switch, you create a VLAN (ex: VLAN 9) and assign it a static IP of 10.143.9.254 (for my example). Then I created a route that says "ip default gateway 10.143.9.1". As long as you created the Static Route correctly, this will allow you to reach the Sophos box from VLAN8. You will need to do this for each and every VLAN you create.

    Please note, this is only needed if you are not using the Sophos box as a Layer 3 (your router). I do not for internal bandwidth. If I use the Sophos box as my L3, I am limited to the 10/100/1000 port (depending on the nic) vs using the internal switch bandwidth. I believe the SG300 is something around 56Gbps, FYI. 

     

    Anyways, back to the WAP topic. I am using the Sophos 55C.

     

    First, I do NOT like how you cannot SSH, access a web interface OR set a DNS (A Record) like how you can with Ruckus when being on a L3 Network. With Ruckus, you can enter in a "zone record" for "zonediretor.example.local" on a L3 network and it will find the Zone Director. I could not find any information on doing this with Sophos WAP (55-C). So in order to get the WAP to get connected to the Sophos box I did the following. 

     

    I first plugged the WAP into a port (Port 18) on my NON-L3 switch (P.S. both of my switches are PoE). Then I logged in to the non-L3 switch and created a VLAN that the Sophos box is on (VLAN9). I then tagged the traffic on the Uplink LACP Trunk that goes over to the L3 switch. I set the L3 switch LACP Trunk to accept the tagged traffic. I logged in to the Sophos box and created a DHCP for the "Internal-LAN" (10.143.9.0) and waited. Finally, after about 3 minutes or so, the WAP showed up on the Sophos under "IP4 Address Table".

    I then went down to "Wireless Protection" -> "Access Points" and then adopted (sounds like Ubiquiti Networks) the AP and let it get communicated. 

    Now I ran into a problem where I was creating a SSID / Network and attempted to "Bridge to VLAN" and was receiving an error. I know "Bob" says not to do this, but at this time I could not see any way around it OTHER than putting ANOTHER NIC in the box, creating an Interface in Sophos and tagging the traffic on the L3 (or L2) switch in a way so that the APs can communicate with the Sophos FW. So what I DID is I clicked on "Wireless Protection" -> "Access Points" -> "Edit" -> "Advanced" then tagged the AP traffic on VLAN1. When you do this, it will reboot the AP but it will come back online in a few minutes. No need to do anything else on a switch or otherwise for the AP to show back online.

    After that is/was done, I was able to create a "Wireless Network" and assign it to the WAP. Where I ran into a problem was with DHCP: my iPhone (or MacBook Pro) was able to get a DHCP IP. So I sat here and "thought" about it. I was thinking to myself, well, the Sophos box is on VLAN9, and I am trying to create a "Guest" network but use my existing "Guest Network" and not let Sophos manage it because A.) my L3 was my router and B.) I have extended ACLs to block traffic between my "Home" VLAN (VLAN8) and every other VLAN I have. Basically I do NOT want my Guest talking to anything other than the Internet. Again, this doesn't apply to you IF you are using the Sophos as your L3 box. Anyways, let's continue. So I created an "Interface" on the Sophos (Ethernet-VLAN), ticked the box for "Dynamic" (to test if it was receiving an IP + I could care less about setting it static) and entered the VLAN ID # of the Guest Network (VLAN7). I then logged in to my L3 switch and tagged VLAN7 on the port that the Sophos box is plugged into (Port 24). I went back over to Sophos -> Interfaces -> Renew the IP to see if the Sophos sub-interface received an IP - IT DID!! Once I did that, I had to go back to "Wireless Protection" -> "Create SSID/Network" -> Named my Network -> Advanced -> "Bridged to VLAN" and entered 7 (for VLAN7). Then I had to go back to "Wireless Protection" -> "Global Settings" -> clicked on the folder in the upper right hand corner and added the new sub-interface (VLAN7 - Guest Network, or whatever you named it) to grant the Wireless access to this particular network. I went back to my iPhone, renewed the IP and bam - it worked.

    Please note, on the L2 switch the VLAN must be created in advance and the traffic HAS to be tagged on the port that the AP is plugged into. I am just going to assume you know how to do VLANs, DHCP, Routes, etc. BEFORE performing / creating SSIDs with VLANs, etc.

     

    But I assure you it works, at least on this software / ISO. There are no issues, just a little thinking outside of the box. I hope this helps someone. I know it's a lot of information but I assure you that it works!
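The post above walks through two things that each have to be right before a "Bridge to VLAN" SSID comes up: the UTM's own refusal (an AP with VLAN tagging off cannot carry a "Bridge to VLAN" SSID, and an AP with VLAN tagging on cannot carry a "Bridge to AP LAN" SSID, which is exactly the pair of errors quoted at the top of the thread), and the layer-2 path (the VLAN created on every switch and tagged on the AP port, both ends of the trunk, and the UTM port, plus an Ethernet-VLAN interface on the UTM). As an added example, not code from this thread or from Sophos, here is a small pre-flight checker that encodes both rules against a plan of switches, ports, APs and SSIDs, so the mismatch is found before the AP reboots. The data model, the switch/port names and the sample topology (an L2 switch with the AP on gi18 and its uplink on gi28, an L3 switch with the uplink on gi27 and the UTM on gi24, VLAN 9 internal, VLAN 7 guest) are constructed for illustration; the UTM rule is inferred only from the two error messages in the thread.

```python
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, field


@dataclass
class Ssid:
    name: str
    mode: str                # "ap_lan" (Bridge to AP LAN) or "vlan" (Bridge to VLAN)
    vlan: int | None = None  # VLAN ID, only meaningful for mode "vlan"


@dataclass
class AccessPoint:
    name: str
    vlan_tagging: bool       # the "VLAN tagging" setting under Access Points -> Edit -> Advanced
    switch: str              # switch and port the AP is plugged into
    port: str


@dataclass
class Port:
    tagged: set[int] = field(default_factory=set)
    untagged: int | None = None


@dataclass
class Switch:
    vlans: set[int]          # VLANs created on the switch
    ports: dict[str, Port]


@dataclass
class Plan:
    switches: dict[str, Switch]
    links: list[tuple[str, str, str, str]]  # trunks as (switch_a, port_a, switch_b, port_b)
    utm_switch: str                         # where the UTM's LAN port is plugged in
    utm_port: str
    utm_vlan_ifaces: set[int]               # Ethernet-VLAN interfaces defined on the UTM
    aps: dict[str, AccessPoint]
    ssids: dict[str, Ssid]
    assignments: dict[str, list[str]]       # AP name -> SSIDs enabled on that AP


def ssid_ap_conflicts(plan: Plan) -> list[str]:
    """Reproduce the UTM refusal: one AP carries either 'Bridge to AP LAN' SSIDs
    (VLAN tagging off) or 'Bridge to VLAN' SSIDs (VLAN tagging on), never both."""
    errors = []
    for ap_name, ssid_names in plan.assignments.items():
        ap = plan.aps[ap_name]
        for s in (plan.ssids[n] for n in ssid_names):
            if s.mode == "vlan" and not ap.vlan_tagging:
                errors.append(f"AP '{ap.name}': 'Bridge to VLAN' SSID '{s.name}' "
                              "needs VLAN tagging enabled on the AP")
            elif s.mode == "ap_lan" and ap.vlan_tagging:
                errors.append(f"AP '{ap.name}': 'Bridge to AP LAN' SSID '{s.name}' "
                              "conflicts with VLAN tagging on the AP")
    return errors


def _path(plan: Plan, start: str, goal: str) -> list[tuple[str, str, str, str]] | None:
    """Breadth-first search over trunks; returns the links from start to goal, or None."""
    prev: dict[str, tuple[str, str, str, str] | None] = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == goal:
            break
        for a, pa, b, pb in plan.links:
            for here, there, link in ((a, b, (a, pa, b, pb)), (b, a, (b, pb, a, pa))):
                if here == cur and there not in prev:
                    prev[there] = link
                    queue.append(there)
    if goal not in prev:
        return None
    path, node = [], goal
    while prev[node] is not None:
        link = prev[node]
        path.append(link)
        node = link[0]
    return list(reversed(path))


def vlan_path_problems(plan: Plan, ap: AccessPoint, vlan: int) -> list[str]:
    """The VLAN must exist on every switch on the way and be tagged on the AP port,
    both ends of every trunk and the UTM port; the UTM needs a VLAN interface for it."""
    path = _path(plan, ap.switch, plan.utm_switch)
    if path is None:
        return [f"no trunk path from {ap.switch} to {plan.utm_switch}"]
    checks = [(ap.switch, ap.port)]
    for a, pa, b, pb in path:
        checks += [(a, pa), (b, pb)]
    checks.append((plan.utm_switch, plan.utm_port))
    problems = set()
    for sw_name, port in checks:
        sw = plan.switches[sw_name]
        if vlan not in sw.vlans:
            problems.add(f"VLAN {vlan} not created on switch {sw_name}")
        elif vlan not in sw.ports[port].tagged:
            problems.add(f"VLAN {vlan} not tagged on {sw_name}/{port}")
    if vlan not in plan.utm_vlan_ifaces:
        problems.add(f"no Ethernet-VLAN interface for VLAN {vlan} on the UTM")
    return sorted(problems)


def check_plan(plan: Plan) -> list[str]:
    """All UTM-side conflicts, then the layer-2 path for each bridged-to-VLAN SSID."""
    problems = ssid_ap_conflicts(plan)
    for ap_name, ssid_names in plan.assignments.items():
        ap = plan.aps[ap_name]
        for s in (plan.ssids[n] for n in ssid_names):
            if s.mode == "vlan" and ap.vlan_tagging and s.vlan is not None:
                problems += vlan_path_problems(plan, ap, s.vlan)
    return problems


def example_plan(tag_guest_on_ap_port: bool = True) -> Plan:
    """Constructed sample (hypothetical names): both SSIDs from the thread on one AP."""
    l2 = Switch(vlans={1, 7, 9}, ports={
        "gi18": Port(tagged={7} if tag_guest_on_ap_port else set(), untagged=9),
        "gi28": Port(tagged={7, 9}, untagged=1)})
    l3 = Switch(vlans={1, 7, 8, 9}, ports={
        "gi27": Port(tagged={7, 9}, untagged=1),
        "gi24": Port(tagged={7}, untagged=9)})
    return Plan(
        switches={"L2": l2, "L3": l3},
        links=[("L2", "gi28", "L3", "gi27")],
        utm_switch="L3", utm_port="gi24", utm_vlan_ifaces={7},
        aps={"ap55c": AccessPoint("ap55c", vlan_tagging=True, switch="L2", port="gi18")},
        ssids={"guestnet": Ssid("guestnet", "vlan", 7),
               "internalnet": Ssid("internalnet", "ap_lan")},
        assignments={"ap55c": ["guestnet", "internalnet"]},
    )


if __name__ == "__main__":
    for line in check_plan(example_plan()) or ["plan is consistent"]:
        print(line)
```

Run as-is it reports the single conflict this thread is about (the untagged "internalnet" SSID on an AP that has VLAN tagging on); drop "internalnet" from the AP's assignment and the plan passes, while un-tagging VLAN 7 on the AP port reproduces the "VLAN must be tagged on the AP port" caveat from the post.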

  • Hi,

    I am still trying to get this done. We have a Sophos SG550 HA Cluster at work with about 30 RED15w connected.

    At our main office, we have APs from Alcatel-Lucent, connected to an Alcatel-Lucent Appliance. There we have a Wireless Network, let's say, "1859". All traffic coming from this SSID lies on VLAN 1859. With ip-helper, wireless clients' DHCP requests from this VLAN go to the SG550, where we also have VLAN 1859 tagged. The SG550 forwards the DHCP requests to our Windows DHCP Servers. Works great.

    On our SG550 I have also created the Wireless Network called "1859" with the exact same settings as above.

    At our branch offices, we are using RED15w and I can activate this SSID "1859", bridged to VLAN 1859, without activating "VLAN tagging" under "Advanced". Clients can connect to this SSID and they get an IP address.

    At some branch offices, we also have AP55 and AP15 connected to the RED. As soon as I try to enable SSID "1859", the error of this thread comes up.

    Now I am playing around with "VLAN tagging" in the Access Point configuration. Still not working.