Hi all,
Been fighting a problem with set up of a Unifi system in which we are using Sophos XG115 as our core router and firewall.
We are using Unifi Cloud Key and want a guest wireless network to exist in VLAN 20. We also want to use the guest portal feature on the Unifi Cloud Key Controller in order to authenticate our guests.
Before going through the details, I have this exact environment with the same network switch, Unifi gear, etc., working in another installation in which the only real difference is I'm using Ubiquity Edgerouter-X as the router/firewall. When Sophos is involved it does not seem to work and Ubiquity can't point me in the right direction or tell me why.
1. Sophos XG115.
2. HP Procurve 1820-48PoE switch.
3. Unifi Controller (Cloud Key)
4. Unifi APs.
In Sophos I have built a Guest Zone, created a network interface in VLAN 20, assigned a routing interface on the XG firewall and created a DHCP server for the clients. For testing purposes I have created a FW rule between my Guest and LAN zones in which all traffic is being allowed.
If I simply use a WPA password (or no password) the guests authenticate onto the network and everything is peachy. Similarly if I put the guests into the default LAN zone (not VLAN 20) and point them to the guest portal, the guest portal is displayed, the guests can authenticate and life is good.
As soon as guest network is in VLAN 20 and the guest portal is being used, the guests never get to the portal and life is not good. I can manually authenticate the guests and get them to work, additionally, all traffic between the VLANs/zones appears to be working as long as I manually authenticate the guests or disable the portal.
Ubiquity has not been able to direct me to the specific log entries in their equipment to diagnose this. A PCAP of the traffic out of the Cloud Key and the APs seems to show that there is never an offer made to the clients about where the guest portal is, the clients (Apple for example) end up going to an internet default location to look for the guest portal. This is where I become suspicious that maybe somehow Sophos is blocking the traffic since I have this working in another installation with the only difference being the router/firewall.
From the Sophos perspective how can I prove that Sophos is not causing this problem? Ubiquity indicated that they have no known working configurations with Sophos and can't comment on how the Sophos needs to be configured to work properly with their equipment. It's all rather frustrating. If I can definitely prove that the Sophos is not killing the traffic then maybe I can get Ubiquity to take the problem seriously and help me get it resolved.
I've included some screenshots of the LAN configuration and FW rules, I suppose it's possible due to my unfamiliarity with Sophos gear that I've missed something obvious that is causing the problem.
This thread was automatically locked due to age.
