
Bridge needs firewall rules, or not?

I had our Sophos XG87 configured by our reseller when we bought it, since I knew nothing about how to do it properly. I've learned a lot and have changed quite a few things, but I want to make a foundational change that will require destroying several things and rebuilding them differently, and I want to make sure I'm not crazy before I start. (I'll, of course, back up my configuration and fall back to it if necessary, but unfortunately I'll have only a small daytime window to make the change, so I just want to sanity-check my approach first.)

Currently, Port1 and Port4 are bridged, known as LAN_Bridge. Port1 and Port4 are also in the LAN Zone. Port1 has a Sophos AP with four SSIDs: three of them go into their own VLANs (LAN_Bridge.10, etc.), and the fourth is bridged into the AP's LAN, which is of course the LAN_Bridge bridge. This works out well because on Port4 is a print/backup server that uses Bonjour (mDNS) to advertise its services, and since it's on LAN_Bridge, all of the wireless devices bridged to the LAN_Bridge bridge communicate perfectly. I don't have or need "Enable routing on this bridged pair" checked for LAN_Bridge. I do have a LAN Zone - LAN Zone firewall rule, which I think is necessary overall, but broadcasts aren't routed -- is that correct?

So, the important factor of the current setup is that mDNS broadcasts from Port4 are seen on Port1's fourth, bridged-in SSID and everything works like one happy subnet.

But I'm thinking that maybe I should have the AP itself segregated from all of the traffic it carries, so maybe the fourth SSID should also go into a VLAN as well.

I'm thinking this will require destroying the current LAN_Bridge and the current VLANs and doing them over. After destroying them, I'd set up the VLANs directly on Port1 (Port1.10, Port1.20, Port1.30, etc., and the new Port1.100). Then I'd bridge Port4 and Port1.100 into the NEW LAN_Bridge, with both of those ports being in the LAN Zone, meaning no firewall changes. I would also be able to leave the existing DHCP server for LAN_Bridge untouched and it would serve the NEW LAN_Bridge -- meaning the fourth SSID on Port1 and also Port4.

And everything would work perfectly, right? Broadcasts on Port4 would be seen on Port1.100 and all the wireless folks would still have a printer via mDNS. Right?

Or does a bridge with a Port and a VLAN in it not quite work the same way as a bridge with two Ports in it? (But still be called a "bridge", and maybe require "Enable routing on this bridge pair" or something else tricky?) I could try a diagram if the wording is too dense.
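The Port4 + Port1.100 bridge described above, as an added toy model that is not part of the original post and not SFOS code: a hypothetical 802.1Q bridge whose members are one physical port and one VLAN sub-interface. It shows why an untagged mDNS frame from Port4 leaves Port1 tagged with VID 100, and why a frame arriving on Port1 tagged 10 never enters the bridge at all. Port names come from the post; the MAC addresses are constructed.

```python
from dataclasses import dataclass, replace
from typing import Optional

MDNS_GROUP = "01:00:5e:00:00:fb"   # Ethernet MAC for 224.0.0.251 (mDNS/Bonjour)

@dataclass(frozen=True)
class Frame:
    src: str            # source MAC
    dst: str            # destination MAC
    vid: Optional[int]  # 802.1Q tag as seen on the wire; None = untagged

def is_flooded(dst: str) -> bool:
    # Broadcast/multicast destinations (I/G bit set) are flooded, never learned.
    return int(dst.split(":")[0], 16) & 1 == 1

class Bridge:
    """Toy 802.1Q bridge (hypothetical model). A member is a physical port
    ('Port4') or a VLAN sub-interface ('Port1.100'); the latter is reached
    through its parent port, with the matching tag on the wire."""
    def __init__(self, members):
        self.members = set(members)
        self.fdb = {}  # learned source MAC -> member it was seen on

    @staticmethod
    def classify(wire_port, frame):
        # Untagged frames belong to the port itself; tagged ones to 'Port.<vid>'.
        return wire_port if frame.vid is None else f"{wire_port}.{frame.vid}"

    @staticmethod
    def egress(member, frame):
        # Leave a sub-interface tagged with its VID, a physical port untagged.
        if "." in member:
            port, vid = member.split(".")
            return port, replace(frame, vid=int(vid))
        return member, replace(frame, vid=None)

    def forward(self, wire_port, frame):
        """Return [(wire_port, frame_as_sent), ...] that the bridge emits."""
        ingress = self.classify(wire_port, frame)
        if ingress not in self.members:
            return []  # e.g. Port1.10: a routed interface, not a bridge member
        self.fdb[frame.src] = ingress
        if not is_flooded(frame.dst) and frame.dst in self.fdb:
            targets = [self.fdb[frame.dst]]          # known unicast
        else:
            targets = [m for m in self.members if m != ingress]  # flood
        return [self.egress(m, frame) for m in sorted(targets)]

# Constructed scenario from the post: new LAN_Bridge = Port4 + Port1.100
lan_bridge = Bridge(["Port4", "Port1.100"])
PRINTER = "aa:bb:cc:00:00:01"   # constructed MAC of the print server on Port4
```

In this model the bridge is a single broadcast domain, so the mDNS advertisement reaches the fourth SSID's VLAN with no routing involved, while the other VLANs only ever see it if something at layer 3 relays it.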

[edited by: Erick Jan at 4:55 AM (GMT -7) on 4 Jun 2024]