Two SSIDs on two APs

Question

Hi, 
 
 After configuring Wifi with Guesst SSID in separate zone and Staff-Wifi bridged to LAN client gets asigned IP from both networks no matter which SSID he's connected to. 
 
 Then the SSID configuration: 
 
 and finally connected client to guest Wifi (same happens on the staff-wifi) 
 
 I'm not sure where the configuration is wrong. 
 
 Kind regards, 
 Andrzej

LuCar Toni · Accepted Answer

The essential part about Sophos Wireless with VLANs is: Its a one way ticket: If you start with VLAN, everything have to be VLAN. 
 There are 2 key parts: The AP RJ45 interface and the SSID. 
 So basically you have to give the AP a own VLAN (lets call it Management VLAN). 
 For example all your APs are in VLAN 10. 
 Then your AP will send his management traffic to VLAN10 (to reach the XG for example). 
 If you have a SSID with bridge to AP VLAN, it can be VLAN 20. 
 Then the AP will bridge all traffic, coming from this SSID to VLAN 20. 
 
 The challenge is the initial setup: 
 Note &ndash; To introduce the usage of VLAN for your access points in your network, take the following steps: Connect the AP to Sophos UTM using standard LAN for at least a minute. This is necessary for the AP to get its configuration. Connecting it via VLAN from the beginning, the AP would not know of being in a VLAN and therefore would not be able to connect to Sophos UTM to get its configuration. When the AP is displayed, enable VLAN tagging and enter the VLAN ID. Then connect the AP to its intended VLAN, e.g., a switch.

(Basically UTM / SG has the same limitation).

Another point would be: Central Wireless. 
 In Central wireless, this setup is possible, you can actually have bridge AP LAN and Bridge ap VLAN on one AP.

LuCar Toni · Answer

I am not seeing any issue right now? 
 You have two different wireless networks. Both with clients? 
 You do you mean, you cannot roam with a client? 
 Then maybe: https://community.sophos.com/kb/en-us/123952

LuCar Toni · Answer

Lets wrap this up quickly. 
 In case of Wireless, XG and SG act the same. 
 
 Bridge to AP LAN: The AP basically bridges the Client connecting to the SSID on the RJ45 Connection of the AP. For the Switch, the Client looks like a wired Client. 
 Same for Bridge to AP VLAN: The AP bridges the Client into the RJ45 but with a certain VLAN Tag. 
 Separate Zone will build up a tunnel to the XG and the Client connection to the AP will be routed to the new Interface on XG. 
 
 For Separate zone, you will need a Zone, DNS, DHCP and firewall rule. 
 For Bridge to AP LAN, it depend on the configuration. If XG is not the gateway, you do not need to do anything. If yes, you need the same configuration like separate zone but XG does not know, there is a wired or wireless client coming.