
How-to?... configuring a Sophos AP 15 for use on a separate dedicated ethernet NIC

I purchased a Sophos AP 15 and didn't see any how-to for connecting and configuring the AP to a third unused ethernet port for use with UTM 9.5.

I have a dual port gigabit network card that I am using for my WAN and LAN interfaces. I would like to use the Sophos AP 15 on the third on-board ethernet port (Realtek) so that I am not tying up a port on my switch for the AP. Is there a way to do this? What configuration needs to be done so that the AP is on the 192.168.X.X range and not the 172.16.X.X range?

 

My default gateway is set to 192.168.2.1, therefore I would like the AP to be 192.168.2.2, but not sure if I need to bridge the LAN and wireless interfaces together, or some type of NAT masquerading. I downloaded the "Sophos wireless Access point operating instructions", but it didn't mention assigning the IP address range.

 

I assume the IP address of the access point should be outside the DHCP pool, but can the DHCP address range for the wireless interface be the same for the LAN interface, or separate?



This thread was automatically locked due to age.
  • Please give us more information on where and how your NICs are connected. You do know that you need a Sophos UTM for the Sophos access point to be usable, don't you?

    Can you make a quick drawing on how your network looks including UTM, NICs and IP-ranges in use so we can help you more effectively.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Thank you for the reply. I am running the Sophos UTM 9.5 software. After hours of attempting to configure this Sophos AP 15 manually, I finally gave up and stayed on the SophosGuest, but I had to connect it to the switch going to the LAN port of my dual port Intel NIC, instead of the unused Realtek NIC. Therefore the AP15 works and it is a configuration issue. The AP is running on the 172.16.28.1/24 network using the wlan0 remote wireless network instead of the eth2 (Realtek adapter). I would like to reconfigure the Sophos AP15 to use the Realtek adapter NIC, but not sure if I can stay with the Separate Zone, or if I have to use Bridge to AP Lan.

     

    In the Interfaces and Routing, the wireless guest network can use either:

    Type: Ethernet/Ethernet Bridge,

    Hardware: wlan0, eth2 (Realtek)

     

    And in wireless protection>Wireless Networks:

    Client traffic: Separate Zone, Bridge AP to LAN

     

    Assuming I want to stick to a separate zone, could I just switch the wireless guest Network to use eth2 (instead of wlan0) and not have to bridge AP to LAN?

  • Somehow I eventually managed to get it to work. After the AP was set up and working when connected to my switch, I went into Interfaces and Routing>Interfaces>Wireless Guest Network and changed "Hardware" from wlan0 to eth2 and kept the 172.16.28.1 static IP address. Then I disconnected the AP and connected it to the Realtek eth2 interface port, then I changed the firewall rule for the Wireless Guest Network allowed services from "Web Browsing" to "Any".

    Then changed the Wireless Protection>Wireless Networks client traffic type from "Ethernet" to "Bridge to AP LAN".

     

    The only issue now is I'm getting the dreaded 72.2 Mbit/s cap, even with encryption set to AES. This seems to be a common problem for these wireless APs. I'm also disappointed at the lack of features the AP has to offer. The last router I used as an access point could choose between 20 MHz and 40 MHz channels.

  • I'm not sure whether what you've done now is the way it's supposed to work, but configuration should have been a lot easier going like this:

    In Wireless Protection -> Global Settings under allowed interfaces add the interface (in your case eth2) as an interface that is allowed to host access points. Eth2 first has to be allocated as a hardware NIC to a logical Interface (just as WAN and Internal are logical interfaces for the underlying eth0 and eth1).

    If you then connect a (new or not yet configured) Sophos AP to this interface, you will see it as a pending access point in Wireless Protection -> Access Points where you can enable it and attach SSIDs to it (you can attach multiple SSIDs to every AP).

    If an SSID is "Bridged to LAN" it will inherit the settings of the network interface the AP is connected to; if you configure an SSID as a Separate Zone, a new logical interface will be created where no physical NIC is needed (it will be called wlan#, where # can be any number).

    By doing this you can simply set up 1 access point for both a Guest network and a network for your own (or even more if you like). In fact I think this is what you had before when wlan0 was the logical interface for your guest network. It's not really necessary to connect access points to their own physical interface.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • I needed the wireless access point to be on its own physical interface because I have an 8 port switch connected on my Internal network with 7 devices connected to it, and all 8 ports are used. Originally, I completely deleted the wireless guest network and tried to create a new wireless network from scratch following the administration guide, but the access point was always showing up as an inactive access point, and for whatever reason was not assigning IP addresses to any of the clients.

     

    Now, with the wireless access point connected to its own physical interface, I think I have everything configured ok.

    Interfaces and Routing>Interfaces

    Wireless Guest Network on eth2 [172.16.28.1/24]

    Type: Ethernet

    Hardware: eth2

     

    Network Services>DHCP

    Wireless Guest Network [Range 172.16.28.100 through 172.16.28.150]

    DNS 1: 8.8.8.8 DNS 2: 8.8.4.4 Default Gateway:  172.16.28.1

     

    Wireless Protection>Global Settings

    Allowed Interfaces: Wireless Guest Network

     

    Wireless Protection>Wireless Networks

    SophosGuest (Bridged AP to LAN)

     

    If this is not the optimal setup for an AP connected to its own physical NIC, then can you offer me more suggestions?
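
A sanity check for the addressing listed in the post above, as an added example that is not part of the original thread: it verifies that the DHCP pool and gateway sit inside the interface subnet, that static addresses are not leasable, and that the guest range does not overlap the internal LAN. The function name is hypothetical, and the /24 mask on the internal LAN is an assumption (the thread only gives the gateway 192.168.2.1).

```python
import ipaddress

def audit_segment(iface_cidr, pool_start, pool_end, gateway, other_cidrs):
    """Return findings for one DHCP-served interface; an empty list means clean."""
    iface = ipaddress.ip_interface(iface_cidr)
    net = iface.network
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    gw = ipaddress.ip_address(gateway)
    findings = []

    if start > end:
        findings.append(f"pool start {start} is above pool end {end}")
    # Leases and the gateway handed to clients must be on the interface's subnet.
    for label, addr in (("pool start", start), ("pool end", end), ("gateway", gw)):
        if addr not in net:
            findings.append(f"{label} {addr} is outside {net}")
    # Statically assigned addresses must never be leasable.
    for label, addr in (("interface address", iface.ip), ("gateway", gw)):
        if start <= addr <= end:
            findings.append(f"{label} {addr} is inside the DHCP pool")
    # Two routed interfaces should not share a subnet; using the LAN range
    # on a second port means bridging it instead.
    for other in other_cidrs:
        other_net = ipaddress.ip_interface(other).network
        if net.overlaps(other_net):
            findings.append(f"{net} overlaps {other_net}")
    return findings

# Internal LAN: gateway from the thread, /24 mask assumed.
INTERNAL = "192.168.2.1/24"

# Values from the final post: Wireless Guest Network on eth2.
GUEST_OK = audit_segment("172.16.28.1/24", "172.16.28.100", "172.16.28.150",
                         "172.16.28.1", [INTERNAL])

# Constructed counter-example: eth2 addressed as 192.168.2.2 in the LAN range,
# with a pool that starts on the interface's own address.
GUEST_BAD = audit_segment("192.168.2.2/24", "192.168.2.2", "192.168.2.150",
                          "192.168.2.1", [INTERNAL])

if __name__ == "__main__":
    print("posted config:", GUEST_OK or "no findings")
    for finding in GUEST_BAD:
        print("counter-example:", finding)
```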
