If you are reading this thread, probably because you are having the same issue/limitation I have. The goal is to find a way to separare Wi-Fi users on different SSID when Sophos APx are connected through a mesh network on XG. Option 1: Separate zone: while everything works from the AP side, wi-fi users will find surfing very slow or not surfing at all. Indeed the Sophos KB: https://doc.sophos.com/nsg/sophos-firewall/18.5/help/en-us/webhelp/onlinehelp/AdministratorHelp/Wireless/WirelessNetworks/index.html requests you to lower MTU settngs on end point devices. Well, how can you do this when the guest network is used by mobile devices? No chance. Option 2: Bridge to VLAN: this does not work either. Based on this article: https://doc.sophos.com/nsg/sophos-firewall/18.5/help/en-us/webhelp/onlinehelp/AdministratorHelp/Wireless/MeshNetworks/index.html#things-to-know-about-mesh-networks you cannot use mesh and Bridge to VLAN settings. Indeed, I tested and only the cable connected AP gets the correct IP address in the correct VLAN, while the other 2 AP (I tried with APX 320), will lose the correct IP, once you move them from the cable to mesh. I created all the settings and at the end the mesh networks. By connecting each APX to get the configuration, all of them received the correct IP address, but once I moved them to not cable connection, APX get the ip of the physical port where the VLAN are created. I also tried to disable the DHCP on the physical port. Well, the APX won't get the IP at all. Option 3: Bridge to LAN: this is the only settings that works with mesh network. The limitation here are 2: firewall rules: the only way to filter guests devices to internal wi-fi devices is to use DHCP reservation and firewall rules attached to mac-addresses or to an IP range. So, here you need to inventory all devices and create a dhcp reservation. There are no ways to allow devices that connects to one SSID to have different rules and settings than other SSID. The main problem of this (in addition to manual creating dhcp reservation) is, i.e example, if an internal user needs less restricted internet surfing (because the internal SSID is more restrictive), the user can connect on the Guest SSID (which is not restrictive at all), but because the DHCP reservation comes in, the user will always match the more restrictive fw rule. The other main problem is reporting: image you need to investigate who did the bad things using the same IP addresses for both guest and internal users. There are no other options or workaround at the moment. Please Sophos make sure you can fix option 1 (MTU settings) and option 2 (by allowing mesh APX to get the right IP address). Regards

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to separate wifi users with Sophos APs connected in a mesh network without manual intervention

If you are reading this thread, probably because you are having the same issue/limitation I have. The goal is to find a way to separare Wi-Fi users on different SSID when Sophos APx are connected through a mesh network on XG.

Option 1: Separate zone: while everything works from the AP side, wi-fi users will find surfing very slow or not surfing at all. Indeed the Sophos KB: https://doc.sophos.com/nsg/sophos-firewall/18.5/help/en-us/webhelp/onlinehelp/AdministratorHelp/Wireless/WirelessNetworks/index.html requests you to lower MTU settngs on end point devices. Well, how can you do this when the guest network is used by mobile devices? No chance.
Option 2: Bridge to VLAN: this does not work either. Based on this article: https://doc.sophos.com/nsg/sophos-firewall/18.5/help/en-us/webhelp/onlinehelp/AdministratorHelp/Wireless/MeshNetworks/index.html#things-to-know-about-mesh-networks you cannot use mesh and Bridge to VLAN settings. Indeed, I tested and only the cable connected AP gets the correct IP address in the correct VLAN, while the other 2 AP (I tried with APX 320), will lose the correct IP, once you move them from the cable to mesh. I created all the settings and at the end the mesh networks. By connecting each APX to get the configuration, all of them received the correct IP address, but once I moved them to not cable connection, APX get the ip of the physical port where the VLAN are created. I also tried to disable the DHCP on the physical port. Well, the APX won't get the IP at all.
Option 3: Bridge to LAN: this is the only settings that works with mesh network. The limitation here are 2: firewall rules: the only way to filter guests devices to internal wi-fi devices is to use DHCP reservation and firewall rules attached to mac-addresses or to an IP range. So, here you need to inventory all devices and create a dhcp reservation. There are no ways to allow devices that connects to one SSID to have different rules and settings than other SSID. The main problem of this (in addition to manual creating dhcp reservation) is, i.e example, if an internal user needs less restricted internet surfing (because the internal SSID is more restrictive), the user can connect on the Guest SSID (which is not restrictive at all), but because the DHCP reservation comes in, the user will always match the more restrictive fw rule. The other main problem is reporting: image you need to investigate who did the bad things using the same IP addresses for both guest and internal users.

There are no other options or workaround at the moment. Please Sophos make sure you can fix option 1 (MTU settings) and option 2 (by allowing mesh APX to get the right IP address).

Regards

This thread was automatically locked due to age.

Top Replies

LuCar Toni over 1 year ago +2

Option 4: Use Central Wireless.

0 LuCar Toni over 1 year ago

Option 4: Use Central Wireless.

__________________________________________________________________________________________________________________
Cancel
Vote Up +2 Vote Down

Cancel
0 lferrara over 1 year ago in reply to LuCar Toni

I will try too, but here I am referring to XG only. Read them carefully, LuCar Toni
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 1 year ago in reply to lferrara

I did and i see an option with Central Wireless - Why would you use SFOS Wireless in that scenario? Any particular reason?

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 lferrara over 1 year ago in reply to LuCar Toni

I am reporting the actual limitation on XG, that "should be fixed". These are big limitation.
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 1 year ago in reply to lferrara

But you are stating "

There are no other options or workaround at the moment. Please Sophos make sure you can fix option 1 (MTU settings) and option 2 (by allowing mesh APX to get the right IP address). "

That is not true as you could use Central Wireless and there the Guest Network feature. This does not have such limitations.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 lferrara over 1 year ago in reply to LuCar Toni

What is wrong all the time with you, Lucar? Are you reading and understanding what I am writing and asking here? There are no other options on XG. Maybe it is better to remove Wireless feature on XG at all and "force" people to move to another product or to Central.
Cancel
Vote Up 0 Vote Down

Cancel
+1 lferrara over 1 year ago

Do not suggest "recommended answer" for a topic where no solutions exist. CENTRAL is NOT AN OPTION. Here we are talking about limitation on XG
Cancel
Vote Up +2 Vote Down

Cancel
0 LuCar Toni over 1 year ago in reply to lferrara

I am talking about an outcome scenario: I am addressing your subject line: How to separate wifi users with Sophos APs connected in a mesh network without manual intervention

The approach to do Central Wireless would come at no cost.

You are currently asking for an option, and i am giving you one.

Now lets tackle your points:

The first point about MTU Size is an old limitation from the design back in UTM. See UTM Online help:

VLAN and Mesh cannot be mixed. That was also an old limitation from the awed (astaro wireless).

To address those concerns, you can take a look at Central wireless as an alternative solution: Central wireless offers Guest networks, which uses a Firewall on the Access point itself. Therefore you can control the access of a guest uses.

To get back to the point: This is in the product for now 10-15 years. It was never addressed and is basically resolved in Central wireless, which can be used at no cost.

Looking at the costs of solving an issue, which is already addressed with another approach (Central wireless), i would rather spend the resources on other features within the SFOS platform. But that is something PM has to decide.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 lferrara over 1 year ago in reply to lferrara

Tested all the APX on Central and bridge to VLAN works. I highly recommend Sophos to create a proper KB about limitation on Sophos AP and Mesh networks on XG. Also, please create a proper KB on how to create a Sophos Mesh and Bridge to VLAN using Central. There are no articles on them. Again, this thread does not have solution. The goal is to keep other people informed in case they incur in the same scenario I had. Regards
Cancel
Vote Up +1 Vote Down

Cancel