VLAN tagging with Zyxel Nebula

In the last 2 weeks we've migrated into Sophos, and away from a very old Sonicwall and a questionably 3rd party maintained GravityZone arrangement.

So far, beyond some small teething issues, it's been pretty smooth and almost everything is up and running.

The one piece of kit I've got left that's not quite playing ball is our WiFi AP, which, in order to provide signal, is upstairs (my comms space is downstairs behind some Georgian era stonework, so the XG's wifi might as well be dead for all the signal that's getting out) - but I digress.

Our config at the moment is:

Port1 - LAN > HP ProCurve > Rest of the office (with our DC providing DHCP for the corp hardline & wifi)

Port2 - WAN > Primary Broadband

Port3 - WAN > Failover Broadband

Port4 - Unused


The Sophos XG is plugged into the ProCurve on Port1, and the Zyxel Nebula AP is plugged into Port2 on the ProCurve. The Zyxel has 2 SSIDs: one for corp, one for guest. Corp on VLAN1, Guest on VLAN10. The ProCurve is configured appropriately for the tagging.

The corp wifi works absolutely fine, no dramas there.

The guest wifi however doesn't: it doesn't get an IP (machines default to a 169.254.xxx.xxx address), and thus doesn't get traffic.

In the past, our old Sonicwall was providing DHCP just for VLAN10, and routing that straight to the outside world, with no crossover.

I'm trying to figure out how I do that on our XG. Referencing this: https://community.sophos.com/kb/en-us/123127, I'd thought to add the VLAN to Port1, but when I go to add a VLAN, it doesn't let me select that port. I assume because it's in a bridge.

I then read through this: https://community.sophos.com/kb/en-us/123508 - but I'm unclear if using 'set' would replace any other currently set VLAN IDs? If I'm setting a VLAN, do I / can I set multiple VLANs? If so, what's the syntax to do so? I read through the CLI manual, but it wasn't any clearer on the topic.

Now the bridge seems rather redundant to me, it was made by the wizard during the initial config I assume, but I'm not clear on what the Interface:Sophos, Zone:LAN entity is really for? I'd assumed something to do with Sophos Central perhaps, or the native Sophos WiFi, but if that's the case, why is the zone LAN instead of WiFi?

Additionally - I'm not clear on how I'd delete the bridge to re-configure Port1 as a standalone without losing all connectivity to the device?

Could I do it via an alternative connection and Sophos Central? Assuming that Central wouldn't need Port1, as it would be connecting in via WAN?

Any input would be welcomed.

  • In reply to Keyur:

    Hi Keyur,


    Re-running the wizard would be nice if it was day 2, but it's not, it's 2 weeks down the line and we've got most of our rules, VPN etc all in place. So that's not a viable solution.


    I'll give Speatech's solution a try this evening.

  • In reply to Rob Brown1:

    Hi Rob Brown1,

    I understand the point you are making, I will try to get more details as per your scenario.

  • In reply to Keyur:


    Took a while to get the office to clear out enough so I could take a run at this issue.

    Seems I'd overly worried about clearing the bridge though.

    Using alternative comms, I did it all via Sophos Central, got the bridge deleted, reconfigured Port 1 with the right IP - and everything in-house was offline for just a couple of minutes.

    Now I've gotten the VLAN set up, got a firewall rule in place:


    Accept any service going to "WAN" zone, when in "WiFi" zone, and coming from "#Port1.10" network, then apply log connections

    Source & schedule

    Source networks and devices: #Port1.10
    During scheduled time: All the time

    Destination & services

    Destination networks: Any
    Services: Any

  • In reply to Rob Brown1:

    aaaand, I need to sleep more.


    Had missed mirroring the traffic out for traffic in...

    It's all working now.