Two SSIDs on two APs

Hi,

please show the DHCP server configuration.

Ian

Hi,

please show the DHCP server configuration.

Ian

Hi Ian,

This is my DHCP config:

Hi stn 

Is DHCP server configured on the Sophos XG firewall

If the broadcast domain for DHCP is same for both SSIDs they will receive DHCP IP.

Make sure that both networks are separated through a different switch and not connected in the same switch 

Regards,

Hi Keyur,

Yes, it is. Please sie picture above.

So you say it's not possible to have two APs running two SSIDs one in "Separate Zone" and the other bridged to LAN?

Can you confirm this require following configuration:

Thanks,

Andrzej

I am not seeing any issue right now? 

You have two different wireless networks. Both with clients? 

You do you mean, you cannot roam with a client?

Then maybe: https://community.sophos.com/kb/en-us/123952

The issue is:

Client connects to Staff-Wifi (Bridge to AP LAN - 192.168.3.0/24)and can't access the internet.

I checked his IP and he got IP from DHCP server assigned on GuestAP interface (Separate Zone - 10.255.0.0/24)

Same the other way. Client connects his mobile to a Guest network and gets IP from Windows DHCP server on Domain Controller.

There's one DHCP configured on the XG (on GuestAP) interface. The other DHCP is DomainController.

Thanks,

Andrzej

Its https://community.sophos.com/kb/en-us/123952 

Use this command, issue resolved. 

Is there anything else i have to do after i change the scope to global?

Done it 30 minutes ago but the issue is not gone.

Thanks

I think you are confusing the issue. Are you trying to run two APs with a seperate SSID in each AP.

You also appear to have only one DHCP server so all devices will pick it-an address from it. If you have two DHCP servers the faster device will provide the IP address because you have no isolation between networks.

Ian

I think you are confusing the issue. Are you trying to run two APs with a seperate SSID in each AP.

You also appear to have only one DHCP server so all devices will pick it-an address from it. If you have two DHCP servers the faster device will provide the IP address because you have no isolation between networks.

Ian

Hi rfcat_vk,

As i mentioned before i wasn't sure what is causing the issue. I might be wrong but from what i remember when i was going through SG UTM Engineer course Sophos creates a tunnell when the Wifi is in Separate Zone. I thought it would do the same in XG.

I understood it after Keyur's reply suggesting i would have to separate the networks hence my diagram and question is this configuration required in my scenario?

I ran the command because Lucar Toni was pretty sure this will resolve the issue.

What would be the best solution in this case?

Thanks

This article explains how to create mutiple SSIDs on different VLANs on one AP

How do i do this with two APs? Bridge two interfaces where APs are connected to and set up VLANs on the bridged interface?

Lets wrap this up quickly.

In case of Wireless, XG and SG act the same.

Bridge to AP LAN: The AP basically bridges the Client connecting to the SSID on the RJ45 Connection of the AP. For the Switch, the Client looks like a wired Client.

Same for Bridge to AP VLAN: The AP bridges the Client into the RJ45 but with a certain VLAN Tag. 

Separate Zone will build up a tunnel to the XG and the Client connection to the AP will be routed to the new Interface on XG. 

For Separate zone, you will need a Zone, DNS, DHCP and firewall rule.

For Bridge to AP LAN, it depend on the configuration. If XG is not the gateway, you do not need to do anything. If yes, you need the same configuration like separate zone but XG does not know, there is a wired or wireless client coming. 

Hi Toni,

Thanks for the detailed response.

I have the following scenario:

Staff Wifi is for laptops to connect to corporate network

Guest Wifi is for staff phones, guests etc.

From what you guys said in this ticket https://community.sophos.com/products/xg-firewall/f/network-and-routing/108602/ap55-bridge-to-vlan-and-bridge-to-lan-on-same-ap i cant put one SSID as "Bridged to AP LAN" and the second one "Bridged to VLAN".

What other options do i have here?

1. Putting additional access points in each room and setting them up as Guest Wifi where the old two would be set up as Staff Wifi

2. Use VLANs?

- create 2 trunk ports(on the switch) with 2 VLANS (VLAN for each access point)

- set up another trunk on the switch and connect it to the XG

- configure 2 VLANs on the XG

- bridge one VLAN to "LAN Interface"?

3. Any other option?

Thanks

The essential part about Sophos Wireless with VLANs is: Its a one way ticket: If you start with VLAN, everything have to be VLAN.

There are 2 key parts: The AP RJ45 interface and the SSID. 

So basically you have to give the AP a own VLAN (lets call it Management VLAN). 

For example all your APs are in VLAN 10. 

Then your AP will send his management traffic to VLAN10 (to reach the XG for example). 

If you have a SSID with bridge to AP VLAN, it can be VLAN 20. 

Then the AP will bridge all traffic, coming from this SSID to VLAN 20. 

The challenge is the initial setup:

Note – To introduce the usage of VLAN for your access points in your network, take the following steps: Connect the AP to Sophos UTM using standard LAN for at least a minute. This is necessary for the AP to get its configuration. Connecting it via VLAN from the beginning, the AP would not know of being in a VLAN and therefore would not be able to connect to Sophos UTM to get its configuration. When the AP is displayed, enable VLAN tagging and enter the VLAN ID. Then connect the AP to its intended VLAN, e.g., a switch.

(Basically UTM / SG has the same limitation). 

Another point would be: Central Wireless. 

In Central wireless, this setup is possible, you can actually have bridge AP LAN and Bridge ap VLAN on one AP. 

Hi Lucar Toni,

Thanks for your help. I've created VLAN for APs and everything works as expected.