In the last 2 weeks we've migrated into Sophos, and away from a very old Sonicwall and a questionably 3rd party maintained GravityZone arrangement.
So far, beyond some small teething issues, it's been pretty smooth and almost everything is up and running.
The one piece of kit I've got left that's not quite playing ball is our WiFi AP, which in order to provide signal is upstairs (my comms space is downstairs behind some Georgian era stonework, so the XG's wifi might as well be dead for all the signal that's getting out) - but I digress.
Our config at the moment is:
Port1 - LAN > HP ProCurve > Rest of the office (with our DC providing DHCP for the corp hardline & wifi)
Port2 - WAN > Primary Broadband
Port3 - WAN > Failover Broadband
Port4 - Unused
The Sophos XG is plugged into the ProCurve on Port1, and the Zyxel Nebula AP is plugged into Port2 on the ProCurve. The Zyxel has 2 SSIDs, one for corp, one for guest. Corp on VLAN1, Guest on VLAN10. The ProCurve is configured appropriately for the tagging.
The corp wifi works absolutely fine, no dramas there.
The guest wifi, however, doesn't: machines don't get an IP (they default to a 169.254.xxx.xxx address), and thus don't get traffic.
In the past, our old Sonicwall was providing DHCP just for VLAN10, and routing that straight to the outside world, with no crossover.
I'm trying to figure out how I do that on our XG. Referencing this: https://community.sophos.com/kb/en-us/123127 I'd thought to add the VLAN to Port1, but when I go to add a VLAN, it doesn't let me select that port. I assume because it's in a bridge.
I then read through this: https://community.sophos.com/kb/en-us/123508 - but I'm unclear if using 'set' would replace any other currently set VLAN IDs? If I'm setting a VLAN, do I, or can I, set multiple VLANs? If so, what's the syntax to do so? I read through the CLI manual, but it wasn't any clearer on the topic.
Now, the bridge seems rather redundant to me; it was made by the wizard during the initial config, I assume, but I'm not clear on what the Interface:Sophos, Zone:LAN entity is really for. I'd assumed something to do with Sophos Central perhaps, or the native Sophos WiFi, but if that's the case, why is the zone LAN instead of WiFi?
Additionally - I'm not clear on how I'd delete the bridge to re-configure Port1 as a standalone without losing all connectivity to the device?
Could I do it via an alternative connection and Sophos Central? Assuming that Central wouldn't need Port1, as it would be connecting in via WAN?
Any input would be welcomed.
Hi Rob Brown1, you can run the wizard again and deploy the XG in gateway mode to achieve your configuration. You can delete the bridge interface as well.
https://community.sophos.com/products/xg-firewall/f/network-and-routing/95064/how-to-delete-a-bridge-and-still-access-device
https://community.sophos.com/products/xg-firewall/f/initial-setup/101782/how-to-split-initial-br0-interface-into-lans
The given community threads will help you further.
In reply to Keyur:
Re-running the wizard would be nice if it was day 2, but it's not, it's 2 weeks down the line and we've got most of our rules, VPN etc all in place. So that's not a viable solution.
I'll give Speatech's solution a try this evening.
In reply to Rob Brown1:
Hi Rob Brown1, I understand the point you are making. I will try to get more details as per your scenario.
Took a while to get the office to clear out enough so I could take a run at this issue.
Seems I'd overly worried about clearing the bridge though.
Using alternative comms, I did it all via Sophos Central, got the bridge deleted, reconfigured Port 1 with the right IP - and everything in-house was offline for just a couple of minutes.
Now I've gotten the VLAN set up, got a firewall rule in place:
Accept any service going to "WAN" zone, when in "WiFi" zone, and coming from "#Port1.10" network, then apply log connections
Source networks and devices: #Port1.10
During scheduled time: All the time
Destination networks: Any
Services: Any
Source: Minimum heartbeat is No restriction, Clients with no heartbeat allowed
Destination: Minimum heartbeat is No restriction, Request to destination with no heartbeat allowed
Masquerading is ON
(Plus a mirror of the rule for ingress)
And I've got a routing rule in place:
Port1.10-192.168.10.1, Any Source, Any Destination, Any Services > Gateway: Port3 (Our BT failover)
All done and dusted, operation restored.
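As an added illustration (not part of the thread and not Sophos XG code), here is a small first-match model of zone-based firewall rules that checks the property the poster wanted from the old Sonicwall setup: the guest VLAN (#Port1.10) reaches the WAN with masquerading but has no crossover into the corporate LAN. The rule data structure, the guest subnet 192.168.10.0/24, the sample corp address 192.168.1.10 and the sample WAN address 203.0.113.1 are all constructed assumptions, not the XG's configuration format or the poster's real addressing.

```python
# Constructed example: a first-match, zone-based rule model used to audit
# guest-VLAN isolation. Zone and network names mirror the thread; everything
# else (addresses, data layout) is an assumption for illustration only.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str        # e.g. "WiFi", "LAN", "WAN"
    src_net: str         # CIDR or "Any"
    dst_zone: str
    dst_net: str         # CIDR or "Any"
    action: str          # "accept" or "drop"
    masquerade: bool = False


def _net_matches(pattern: str, addr: str) -> bool:
    """'Any' matches everything; otherwise test CIDR membership."""
    return pattern == "Any" or ip_address(addr) in ip_network(pattern, strict=False)


def first_match(rules, src_zone, src_ip, dst_zone, dst_ip):
    """Return the first rule matching the flow, or None (implicit default: drop)."""
    for r in rules:
        if (r.src_zone == src_zone and r.dst_zone == dst_zone
                and _net_matches(r.src_net, src_ip)
                and _net_matches(r.dst_net, dst_ip)):
            return r
    return None


def check_guest_isolation(rules, guest_zone="WiFi", guest_ip="192.168.10.50",
                          lan_zone="LAN", lan_ip="192.168.1.10",
                          wan_zone="WAN", wan_ip="203.0.113.1"):
    """Return a list of findings; an empty list means the guest VLAN is isolated
    from the LAN and still has a masqueraded path to the WAN."""
    findings = []

    # 1. Guest must be able to reach the WAN, and must be NATed on the way out.
    egress = first_match(rules, guest_zone, guest_ip, wan_zone, wan_ip)
    if egress is None or egress.action != "accept":
        findings.append("guest has no accept rule to WAN")
    elif not egress.masquerade:
        findings.append(f"rule {egress.name!r} reaches WAN without masquerading")

    # 2. Guest must not have an accept path into the corporate LAN zone.
    crossover = first_match(rules, guest_zone, guest_ip, lan_zone, lan_ip)
    if crossover is not None and crossover.action == "accept":
        findings.append(f"guest can reach LAN via rule {crossover.name!r}")

    # 3. Flag accept rules that let any WAN source initiate into the guest VLAN,
    #    so the operator confirms unsolicited inbound is really intended.
    inbound = first_match(rules, wan_zone, wan_ip, guest_zone, guest_ip)
    if inbound is not None and inbound.action == "accept" and inbound.src_net == "Any":
        findings.append(f"rule {inbound.name!r} accepts unsolicited WAN traffic into the guest VLAN")

    return findings


# Constructed rule sets. ISOLATED_RULES is the minimal egress-only policy;
# THREAD_RULES adds the inbound mirror described in the post; LEAKY_RULES
# shows the crossover the poster explicitly wanted to avoid.
ISOLATED_RULES = [
    Rule("Guest out", "WiFi", "192.168.10.0/24", "WAN", "Any", "accept", masquerade=True),
]
THREAD_RULES = ISOLATED_RULES + [
    Rule("Guest in (mirror)", "WAN", "Any", "WiFi", "192.168.10.0/24", "accept"),
]
LEAKY_RULES = ISOLATED_RULES + [
    Rule("Guest to LAN", "WiFi", "Any", "LAN", "Any", "accept"),
]

if __name__ == "__main__":
    for label, rules in (("isolated", ISOLATED_RULES), ("thread", THREAD_RULES), ("leaky", LEAKY_RULES)):
        print(label, check_guest_isolation(rules) or "OK")
```

The checker only models the zone/network match that the thread's rule describes; services and heartbeat conditions are left out because the post sets both to "Any"/"No restriction". Running it against the thread's rule pair reports a single review item for the inbound mirror, and against the leaky set reports the LAN crossover.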
aaaand, I need to sleep more.
Had missed mirroring the traffic out for traffic in...
It's all working now.