Can you give any advice on Wi-Fi security?

Hi, good day.
I have a router that has bandwidth control and IP groups, which is very useful for me. From the router I take the Internet service to a port on my Sophos Firewall (it's a Dell OptiPlex server with 3 LAN ports). This PORT 1 works on the firewall as WAN; a second port, PORT 2, works as LAN and goes to the main switch (a Cisco 48-port); the third port, PORT 3, also works as LAN but in the WIFI zone. I do a bridge with these 3 ports and it works great.
The problem comes here:

Note: The main router has the IP 192.168.110.1/255.255.0.0, DHCP: 192.168.111.10-199 (192.168.110.2-254 are for static IPs for some groups).

LAN ZONE (wired): all devices are free of any authentication (captive portal). Usually DHCP, but static IP in some cases. Works OK.

LAN ZONE (wifi - AP connected without DHCP): the devices also get their IP from the main router (because I'm using relay). When I set up the firewall rules, I choose an IP group to ask for a user through a captive portal WHEN the source zone is wifi. If a device connects to any of these APs, it gets an IP in the range 111.10-199 and the firewall asks for a valid user. For me this works OK.

WIFI ZONE (wifi - routers with DHCP in the range 192.168.110.11-12): When a device connects to this, it gets an IP in the range 192.168.1.100-199 and is asked for a valid user. This is OK, but the problem comes when a second device connects, because the firewall doesn't ask for any user. I understand this is because it verifies the IP of the router, not the IP of the client. So this is what I don't know how to solve. I have been thinking about the option to set up the Sophos DHCP server only for the WIFI zone, or for PORT 3, which in my case is for the WIFI zone, but it looks like it is not possible, or I don't know how to do it.
Does anybody have any advice? Thanks.
BTW: I have an extra port (PORT 4), so I could maybe make another bridge with PORT 4 and PORT 3 to work only with the WIFI zone if necessary.
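The behaviour described in the post, modelled as an added example. This is not code from the post or from Sophos; the portal logic, the class names and the addresses are assumptions built only from the description above (the firewall is assumed to key an authenticated captive-portal session on the packet's source IP):

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

# Constructed addresses mirroring the post: the relay DHCP pool handed out by
# the main router, and the WAN side of one NAT router in the WIFI zone.
RELAY_POOL = (ip_address("192.168.111.10"), ip_address("192.168.111.199"))
NAT_ROUTER_WAN_IP = "192.168.110.11"


@dataclass
class CaptivePortal:
    """Hypothetical model of a zone-based captive-portal rule. Assumption:
    the firewall keys an authenticated session on the packet's source IP,
    so everything that shares a source IP shares one session."""
    sessions: dict = field(default_factory=dict)  # src_ip -> user

    @staticmethod
    def requires_auth(src_ip, zone):
        # Rule as described in the post: source zone WIFI always needs a
        # user; the LAN zone needs one only for the relay DHCP pool.
        if zone == "WIFI":
            return True
        return zone == "LAN" and RELAY_POOL[0] <= ip_address(src_ip) <= RELAY_POOL[1]

    def handle(self, src_ip, zone, login_as=None):
        """Return 'allow', 'allow:<user>' or 'challenge' for one new flow."""
        if not self.requires_auth(src_ip, zone):
            return "allow"
        if src_ip in self.sessions:
            return f"allow:{self.sessions[src_ip]}"
        if login_as is None:
            return "challenge"
        self.sessions[src_ip] = login_as
        return f"allow:{login_as}"


@dataclass
class BridgedAP:
    """AP with no DHCP/NAT: the firewall sees each client's own address."""
    zone: str

    def forward(self, client_ip):
        return client_ip


@dataclass
class NatRouter:
    """Router doing NAT: every client leaves with the router's WAN address."""
    zone: str
    wan_ip: str

    def forward(self, client_ip):
        return self.wan_ip


def run(portal, device, clients):
    """clients: list of (client_ip, login_as). Returns the portal decision
    per client, in order, as seen from the firewall side of `device`."""
    return [
        (client_ip, portal.handle(device.forward(client_ip), device.zone, user))
        for client_ip, user in clients
    ]


def demo():
    """Reproduce the post's two cases. Returns (ap_decisions, nat_decisions)."""
    # Case 1: AP in the LAN zone with DHCP relay; clients get 192.168.111.x.
    ap = BridgedAP(zone="LAN")
    ap_result = run(CaptivePortal(), ap, [
        ("192.168.111.20", "alice"),   # first client logs in
        ("192.168.111.21", None),      # second client has not logged in yet
    ])
    # Case 2: NAT router in the WIFI zone; clients get 192.168.1.x behind it.
    nat = NatRouter(zone="WIFI", wan_ip=NAT_ROUTER_WAN_IP)
    nat_result = run(CaptivePortal(), nat, [
        ("192.168.1.100", "alice"),
        ("192.168.1.101", None),       # never challenged: same source IP
    ])
    return ap_result, nat_result


if __name__ == "__main__":
    for label, result in zip(("bridged AP", "NAT router"), demo()):
        print(label)
        for client_ip, decision in result:
            print(f"  {client_ip:>15} -> {decision}")
```

Running the script prints one decision per client for each topology. Behind the bridged AP the second client is challenged because it arrives with its own address; behind the NAT router the second client reuses the first client's session, because the router's WAN address is the only source the firewall ever sees. Anything that makes the firewall see a per-client address (removing NAT on the router, or handing out addresses from the firewall side) removes the collision; anything that keeps NAT in place does not, whichever zone or port the router sits on.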
  • In reply to David Birdsall:

    Hi, thanks for your time. Actually, I'm able to use restrictions with the firewall rules. I don't understand why you say I'm bypassing the firewall with the bridge; if I don't do the bridge, the ports don't get the Internet service or any connections (I should review this again just to make sure), but here is my list of rules. Thanks again.