
Two SSIDs on two APs

Hi,

 

After configuring Wifi with Guest SSID in a separate zone and Staff-Wifi bridged to LAN, the client gets assigned an IP from both networks no matter which SSID he's connected to.

Then the SSID configuration:

and finally connected client to guest Wifi (same happens on the staff-wifi)

I'm not sure where the configuration is wrong.

 

Kind regards,

Andrzej



  • Let's wrap this up quickly.

    In case of Wireless, XG and SG act the same.

     

    Bridge to AP LAN: The AP basically bridges the Client connecting to the SSID on the RJ45 Connection of the AP. For the Switch, the Client looks like a wired Client.

    Same for Bridge to AP VLAN: The AP bridges the Client into the RJ45 but with a certain VLAN Tag. 

    Separate Zone will build up a tunnel to the XG and the Client connection to the AP will be routed to the new Interface on XG. 

     

    For Separate zone, you will need a Zone, DNS, DHCP and firewall rule.

    For Bridge to AP LAN, it depends on the configuration. If XG is not the gateway, you do not need to do anything. If yes, you need the same configuration as for separate zone, but XG does not know whether there is a wired or wireless client coming.

     


  • Hi Toni,

     

    Thanks for the detailed response.

     

    I have the following scenario:

     

    Staff Wifi is for laptops to connect to corporate network

    Guest Wifi is for staff phones, guests etc.

     

    From what you guys said in this ticket https://community.sophos.com/products/xg-firewall/f/network-and-routing/108602/ap55-bridge-to-vlan-and-bridge-to-lan-on-same-ap I can't put one SSID as "Bridged to AP LAN" and the second one "Bridged to VLAN".

     

    What other options do i have here?

    1. Putting additional access points in each room and setting them up as Guest Wifi where the old two would be set up as Staff Wifi

    2. Use VLANs?

    - create 2 trunk ports (on the switch) with 2 VLANs (VLAN for each access point)

    - set up another trunk on the switch and connect it to the XG

    - configure 2 VLANs on the XG

    - bridge one VLAN to "LAN Interface"?

    3. Any other option?

     

    Thanks

  • The essential part about Sophos Wireless with VLANs is: it's a one-way ticket. If you start with VLAN, everything has to be VLAN.

    There are 2 key parts: the AP RJ45 interface and the SSID.

    So basically you have to give the AP its own VLAN (let's call it Management VLAN).

    For example, all your APs are in VLAN 10.

    Then your AP will send its management traffic to VLAN 10 (to reach the XG, for example).

    If you have an SSID with Bridge to AP VLAN, it can be VLAN 20.

    Then the AP will bridge all traffic coming from this SSID to VLAN 20.

     

    The challenge is the initial setup:

    Note – To introduce the usage of VLAN for your access points in your network, take the following steps: Connect the AP to Sophos UTM using standard LAN for at least a minute. This is necessary for the AP to get its configuration. Connecting it via VLAN from the beginning, the AP would not know of being in a VLAN and therefore would not be able to connect to Sophos UTM to get its configuration. When the AP is displayed, enable VLAN tagging and enter the VLAN ID. Then connect the AP to its intended VLAN, e.g., a switch.

     

     

    (Basically UTM / SG has the same limitation). 

     

     

    Another point would be: Central Wireless.

    In Central Wireless, this setup is possible: you can actually have Bridge AP LAN and Bridge AP VLAN on one AP.

  • Hi Lucar Toni,

     

    Thanks for your help. I've created VLAN for APs and everything works as expected.