Unacceptable Guest WiFi Performance; Regular WiFi is OK

I have an XG 125 with an AP55C and AP55.  Full signal strength throughout the entire building.

My Guest WiFi experience is horrible, and Sophos support doesn't seem to know why.  We're talking 1-2Mb/s slow when they are paying for 25Mb/s.  Their main internal WiFi that is bridged to AP LAN gets 25Mb/s.  But their guest wifi only gets 1-2Mb/s.  I am not throttling the traffic in any way.  I have tried only a 5GHz band, and only a 2.4GHz band, and different channels, etc... same result.  

One thing I did try that fixed the problem is changing Client Traffic from "Separate" to "Bridge to AP LAN".  For some reason keeping it separate is severely restricting the traffic, but I have no idea why... I obviously don't want to Bridge to AP LAN for a Guest network.  Has anyone had similar experiences with slowness when using a Separate client zone?  Is there a way to overcome it?  Please note that the problem still happens whether I set the zone to "Guest" (which I created), or "WiFi", or even "LAN".

I know my policies are too lax right now -- they are intentionally so until I get to the bottom of this slowness issue when using the Guest network.  I don't believe it's a policy issue because when I set the zone for the Guest network to be "LAN" or "WiFi" it uses the main LAN to WAN policy, and I know that policy works fine because my main Bridge to AP LAN WiFi network works flawlessly.  Soooo... why does choosing "Separate Zone" make my Guest WiFi slow to a crawl, and how do I fix it?

Here's some screenshots of my settings:

    Can you try with a private IP range (like you did for your LAN) and see if that changes anything? As an example

  • Hello Chris,
    I see two options here to make things better.
    a) community.sophos.com/.../123881
    b) As MTU on XG sep zone is fixed to 1450, you might change MSS on your WAN Interface to 1410 (or even lower) using the "Override MSS" Option in the advanced section of your WAN Interface. Sounds strange, but might help as workaround, as this clamps the MSS to a value working for both networks without fragmentation.
    /Sascha

    I wanted to ask you if the MTU hack solved your separated zone wifi problem.

    I have a Shuttle barebone with 2 network adapters (WAN / LAN) and the MTU hack neither solved nor improved my wifi performance problem in separated zones.

    Any other idea?

    If I am correct 'Separate Zone' is a special case of VLAN - checking the log files, etc. regarding 'vxlan' entries.

    Did anyone try to solve this performance problem by using real VLANs instead of 'Separate Zone'?

    If anyone knows if this solves the problem, I would be willing to give it a try :-P

    In my case it would mean a few hours of work and it would be nice to know beforehand if I can expect an improvement.





    Problem solved since SFOS 16.05.2 :-)