Network separation

Good afternoon,

Here's my problem.

I have a br01 bridge adapter on which I have configured my LAN through port 1, with the gateway on 192.168.1.x.

I have created another zone to host a WIFI network separate from the LAN. The network configuration is 192.168.20.x.

I have enabled in the firewall a rule that allows access from the WIFI zone to the LAN zone.
And another one above it denying the IP range of the WIFI zone to the LAN. This rule has no effect.

If I ping any host on the 192.168.1.x network, the ping does not get through.

So far so good.

The problem comes when I ping the LAN gateway: this succeeds (OK).

What I wanted was for these two networks never to see each other, and for the WIFI zone to only have access to the internet.

I don't know if I'm skipping something.

I would appreciate your help.


  • Your top rule is blocking everything from the wifi to the LAN. Try disabling the top rule and test again.


  • Hi

    If you want to stop communication between the WiFi zone and the LAN zone, you need to configure a firewall rule, select the zones and set the firewall action to "Drop". It will drop all the traffic and the two zones will not be able to communicate with each other. Place the firewall rule on top.

  • In reply to Keyur:

    Indeed, what I want is to block access from the WIFI network to the LAN gateway.
    I have already achieved that the WIFI network cannot see any host on the LAN.
    Below are some screenshots of my configuration:

    What I would like to achieve is that the LAN and the WIFI network are independent.
    I don't know what I'm doing wrong.


  • In reply to Angel Masa:

    Try moving your wifi rule up to the second position. I suspect your "LAN any" rule is affecting the traffic, because normally wifi is in a LAN zone.

    Also, use the log viewer to see which rule the traffic from the wifi is matching.


  • In reply to Angel Masa:

    If your goal is to have two independent networks, in this case a LAN and a WiFi subnet and zone, that can access the internet but not each other, you don't need a Deny rule like the one you have. You can delete the top rule. You have already created the two rules you need for internet access:

    • #Default_Network: This allows any host from your LAN zone to access any host in the WAN zone.
    • WiFi to WAN: This allows any host from the WiFi zone to access any host in the WAN zone.

    As I mentioned above, you do not need a Drop rule like you have. By default, the WiFi zone cannot access the LAN zone unless you explicitly create a rule. This is because unless you have a rule that allows traffic between your WiFi and LAN zone, it will be dropped by rule 0, the implicit default drop rule in Sophos XG (this is hidden). However, that's not completely true as it depends on what Local service ACLs you have enabled. Go to 'Administration' -> 'Device access' and check your Local service ACL. If you have anything enabled for the WiFi zone like DNS, that is going to allow your WiFi zone to access the Sophos XG DNS service. If you want to completely isolate your Sophos XG device from the WiFI zone, uncheck all of the Local service ACLs for your WiFi zone. Just be aware if you are using Sophos XG as your DNS service from the WiFi zone, it obviously will no longer work since you disabled access to it. You can just setup the WiFi DHCP server to use a public DNS like Google or Cloudflare (e.g.