
Two SSIDs on two APs

Hi,

 

After configuring Wifi with the Guest SSID in a separate zone and Staff-Wifi bridged to LAN, a client gets assigned an IP from both networks no matter which SSID he's connected to.

Then the SSID configuration:

and finally connected client to guest Wifi (same happens on the staff-wifi)

I'm not sure where the configuration is wrong.

 

Kind regards,

Andrzej



  • Hi,

    please show the DHCP server configuration.

    Ian

    Hi Ian,

     

    This is my DHCP config:

     

    Hi  

    Is the DHCP server configured on the Sophos XG firewall?

    If the broadcast domain for DHCP is the same for both SSIDs, they will receive a DHCP IP.

    Make sure that both networks are separated through a different switch and not connected to the same switch.

     

    Regards,

    Hi Keyur,

     

    Yes, it is. Please see the picture above.

    So you say it's not possible to have two APs running two SSIDs one in "Separate Zone" and the other bridged to LAN?

     

    Can you confirm this requires the following configuration:

     

    Thanks,

    Andrzej

  • I am not seeing any issue right now? 

    You have two different wireless networks. Both with clients? 

    Do you mean you cannot roam with a client?

    Then maybe: https://community.sophos.com/kb/en-us/123952


  • The issue is:

     

    Client connects to Staff-Wifi (Bridge to AP LAN - 192.168.3.0/24) and can't access the internet.

    I checked his IP and he got IP from DHCP server assigned on GuestAP interface (Separate Zone - 10.255.0.0/24)

    Same the other way. Client connects his mobile to a Guest network and gets IP from Windows DHCP server on Domain Controller.

     

    There's one DHCP configured on the XG (on GuestAP) interface. The other DHCP is DomainController.

     

    Thanks,

    Andrzej

  • It's https://community.sophos.com/kb/en-us/123952

    Use this command, issue resolved. 


  • Is there anything else I have to do after I change the scope to global?

    I did it 30 minutes ago but the issue is not gone.

     

    Thanks

  • I think you are confusing the issue. Are you trying to run two APs with a separate SSID in each AP?

    You also appear to have only one DHCP server, so all devices will pick an address from it. If you have two DHCP servers, the faster device will provide the IP address because you have no isolation between networks.

    Ian

    XG115W - v20.0.1 MR-1 - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.
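Added example (not part of the original thread or any poster's code): a small check for the symptom described above, where clients on either SSID are offered leases from both DHCP servers because nothing isolates the two networks. The subnets are the ones quoted in the thread; the SSID labels, MAC addresses, server addresses and offer records are constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# Subnets are the ones quoted in the thread; the SSID labels are assumed names.
EXPECTED = {
    "Staff-Wifi": ipaddress.ip_network("192.168.3.0/24"),
    "Guest-Wifi": ipaddress.ip_network("10.255.0.0/24"),
}

# Constructed DHCPOFFER observations: (client MAC, SSID, server identifier, offered IP).
# Server addresses are placeholders for the Windows DHCP server and the XG GuestAP interface.
SAMPLE_OFFERS = [
    ("aa:bb:cc:00:00:01", "Staff-Wifi", "192.168.3.10", "192.168.3.57"),
    ("aa:bb:cc:00:00:01", "Staff-Wifi", "10.255.0.1", "10.255.0.23"),
    ("aa:bb:cc:00:00:02", "Guest-Wifi", "192.168.3.10", "192.168.3.58"),
    ("aa:bb:cc:00:00:02", "Guest-Wifi", "10.255.0.1", "10.255.0.24"),
]


def audit_offers(offers, expected=EXPECTED):
    """Flag leases outside the SSID's subnet and DHCP servers heard on several SSIDs."""
    ssids_by_server = defaultdict(set)
    wrong_subnet = []
    for mac, ssid, server, offered in offers:
        ssids_by_server[server].add(ssid)
        if ipaddress.ip_address(offered) not in expected[ssid]:
            wrong_subnet.append((mac, ssid, server, offered))
    # A server answering clients on more than one SSID means those SSIDs
    # end up in the same broadcast domain.
    leaking = {s: sorted(v) for s, v in ssids_by_server.items() if len(v) > 1}
    return {"wrong_subnet": wrong_subnet, "leaking_servers": leaking}


def is_isolated(report):
    """True only when no lease crossed subnets and no server spans SSIDs."""
    return not report["wrong_subnet"] and not report["leaking_servers"]


if __name__ == "__main__":
    report = audit_offers(SAMPLE_OFFERS)
    for mac, ssid, server, offered in report["wrong_subnet"]:
        print(f"{mac} on {ssid}: offered {offered} by {server} (wrong subnet)")
    for server, ssids in report["leaking_servers"].items():
        print(f"DHCP server {server} answers on {', '.join(ssids)}")
    print("isolated:", is_isolated(report))
```
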

  • Hi rfcat_vk,

     

    As I mentioned before, I wasn't sure what is causing the issue. I might be wrong, but from what I remember when I was going through the SG UTM Engineer course, Sophos creates a tunnel when the Wifi is in Separate Zone. I thought it would do the same in XG.

     

    I understood it after Keyur's reply suggesting I would have to separate the networks, hence my diagram and question: is this configuration required in my scenario?

     

    I ran the command because Lucar Toni was pretty sure this will resolve the issue.

     

    What would be the best solution in this case?

     

    Thanks

  • This article explains how to create multiple SSIDs on different VLANs on one AP.

    How do I do this with two APs? Bridge the two interfaces the APs are connected to and set up VLANs on the bridged interface?

     

  • Let's wrap this up quickly.

    In case of Wireless, XG and SG act the same.

     

    Bridge to AP LAN: The AP basically bridges the Client connecting to the SSID on the RJ45 Connection of the AP. For the Switch, the Client looks like a wired Client.

    Same for Bridge to AP VLAN: The AP bridges the Client into the RJ45 but with a certain VLAN Tag. 

    Separate Zone will build up a tunnel to the XG and the Client connection to the AP will be routed to the new Interface on XG. 

     

    For Separate zone, you will need a Zone, DNS, DHCP and firewall rule.

    For Bridge to AP LAN, it depends on the configuration. If XG is not the gateway, you do not need to do anything. If it is, you need the same configuration as for Separate Zone, but XG does not know whether there is a wired or wireless client coming.

     


  • Hi Toni,

     

    Thanks for the detailed response.

     

    I have the following scenario:

     

    Staff Wifi is for laptops to connect to corporate network

    Guest Wifi is for staff phones, guests etc.

     

    From what you guys said in this ticket https://community.sophos.com/products/xg-firewall/f/network-and-routing/108602/ap55-bridge-to-vlan-and-bridge-to-lan-on-same-ap I can't put one SSID as "Bridged to AP LAN" and the second one "Bridged to VLAN".

     

    What other options do I have here?

    1. Putting additional access points in each room and setting them up as Guest Wifi where the old two would be set up as Staff Wifi

    2. Use VLANs?

    - create 2 trunk ports (on the switch) with 2 VLANs (VLAN for each access point)

    - set up another trunk on the switch and connect it to the XG

    - configure 2 VLANs on the XG

    - bridge one VLAN to "LAN Interface"?

    3. Any other option?

     

    Thanks