Central managed AP on VLAN can't see internet when behind a switch

I'm trying to set up a Central-managed AP with a VLAN-connected SSID to my Firewall.

  • Pos A - If I'm connected directly to the Firewall with the AP, the AP can see and serve the internet to anyone connected to it.
  • Pos B - If I'm connected through a small 8-port unmanaged switch, the AP can see and serve the internet.
  • Pos C - If I'm connected behind a managed switch, set to allow everything through, no discrete settings. The AP shows up fine on Central, my users can connect, but they don't get Wi-Fi.

We're a school and desperately need to be able to separate the staff Wi-Fi from the students. Right now we have everyone going through LAN, as that's the only way we can get internet up and going.

I've been on a support call on this, and our partner has been on a support call. So far we can't get this working.

What is going on, such that unplugging an AP and moving it to the other side of the Cisco SRW2024 breaks our AP's ability to give a connection to the internet?



Added TAGs
[edited by: Erick Jan at 7:47 AM (GMT -8) on 27 Nov 2024]
  • I had a case open, but called it closed. The chap managed to get something 'technically' connected, but using an alias on the firewall side appeared to lump all the traffic into a single connector, defeating the point of separating VLANs.

    I've never used tcpdump before. I installed it on my windows laptop and couldn't get any traffic to show up. I'm sure it is just a lack of knowledge on my part. I tried listening to each of the listed ports but couldn't get it to show any traffic.

    I installed wireshark and tried to see what that would tell me.

    A ping from a laptop connected on the APX320X on pos3 gives me: transmit failed. General Failure.
    Wireshark showed some traffic from 169.254.8.8 to 224.0.0.251, 255.255.255.255 and 255.255.255.250. There were two lines highlighted in yellow to 224.0.0.22.

    Because the laptop can't see the firewall it is getting a 169.254... IP address, when it should be getting a 172.16.50.x address.

    I'm afraid I haven't provided much that is very helpful.

    Is there something else I should try or a specific command in tcpdump/Wireshark I should run?
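The capture described above (a client stuck on a 169.254.x.x address, talking only to broadcast and multicast destinations) can be read mechanically. The script below is an added example for this thread, not code from the original post or from Sophos: it parses tcpdump-style one-line summaries, counts DHCP requests versus replies, flags APIPA sources, and reports whether any packet ever crosses toward the expected subnet (172.16.50.0/24 from the post). Both sample captures are constructed for the example, not real traffic from the poster's network.

```python
"""Triage a tcpdump-style capture from a client that cannot get online.

Added example for this thread (not from the original post or from Sophos).
Input is `tcpdump -n` style one-line summaries; the two samples below are
constructed to mimic the symptoms described (APIPA address, only
broadcast/multicast traffic, no DHCP reply) and a healthy contrast.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: a laptop behind the AP that never gets a DHCP lease.
BROKEN_CAPTURE = """\
10:01:01.000 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from aa:bb:cc:dd:ee:01, length 300
10:01:02.000 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from aa:bb:cc:dd:ee:01, length 300
10:01:05.000 IP 169.254.8.8.5353 > 224.0.0.251.5353: 0 [2q] PTR (QM)? _ipp._tcp.local. (45)
10:01:05.100 IP 169.254.8.8 > 224.0.0.22: igmp v3 report, 1 group record(s)
10:01:06.000 IP 169.254.8.8.1900 > 239.255.255.250.1900: UDP, length 133
10:01:07.000 IP 169.254.8.8.137 > 255.255.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
"""

# Constructed sample: the same client on a correctly tagged port.
HEALTHY_CAPTURE = """\
10:02:01.000 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from aa:bb:cc:dd:ee:01, length 300
10:02:01.050 IP 172.16.50.1.67 > 172.16.50.23.68: BOOTP/DHCP, Reply, length 300
10:02:03.000 IP 172.16.50.23 > 172.16.50.1: ICMP echo request, id 1, seq 1, length 40
"""

# "<ts> IP <src>[.<sport>] > <dst>[.<dport>]: <rest>" as printed by tcpdump -n.
LINE_RE = re.compile(
    r"^\S+\s+IP\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s*(?P<rest>.*)$"
)
APIPA = ipaddress.ip_network("169.254.0.0/16")  # Windows self-assigned range
BROADCAST = ipaddress.ip_address("255.255.255.255")


@dataclass
class Diagnosis:
    dhcp_requests: int = 0            # client -> udp/67 (Discover/Request)
    dhcp_replies: int = 0             # server -> udp/68 (Offer/Ack)
    apipa_sources: set = field(default_factory=set)
    local_only_destinations: set = field(default_factory=set)
    reached_expected_subnet: bool = False
    findings: list = field(default_factory=list)


def analyse(capture: str, expected_subnet: str = "172.16.50.0/24") -> Diagnosis:
    """Classify each packet and derive findings a network admin would check."""
    subnet = ipaddress.ip_network(expected_subnet)
    d = Diagnosis()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip non-IPv4 or unparseable lines
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        if m["dport"] == "67":
            d.dhcp_requests += 1
        elif m["dport"] == "68":
            d.dhcp_replies += 1
        if src in APIPA:
            d.apipa_sources.add(str(src))
        if dst.is_multicast or dst == BROADCAST:
            d.local_only_destinations.add(str(dst))
        if src in subnet or dst in subnet:
            d.reached_expected_subnet = True

    if d.dhcp_requests and not d.dhcp_replies:
        d.findings.append(
            "DHCP requests leave the client but no Offer/Ack returns: the broadcast "
            "is not reaching the DHCP server on this VLAN, or the reply cannot come "
            "back (check the VLAN tag on the AP's switch port and the trunk to the firewall).")
    if d.apipa_sources:
        d.findings.append(
            f"Self-assigned APIPA address(es) {sorted(d.apipa_sources)}: the client gave "
            f"up waiting for DHCP; it should hold an address in {expected_subnet}.")
    if d.local_only_destinations and not d.reached_expected_subnet:
        d.findings.append(
            "Only broadcast/link-local multicast seen (mDNS, IGMP, SSDP, NetBIOS); nothing "
            f"crosses to {expected_subnet}, which points at the layer-2 path rather than "
            "firewall rules or routing.")
    return d


if __name__ == "__main__":
    for name, cap in (("broken", BROKEN_CAPTURE), ("healthy", HEALTHY_CAPTURE)):
        result = analyse(cap)
        print(f"[{name}] requests={result.dhcp_requests} replies={result.dhcp_replies}")
        for f in result.findings or ["no problem detected"]:
            print("  -", f)
```

Run it against a real capture by piping `tcpdump -n` output into `analyse()`; a capture taken on the firewall's VLAN sub-interface that shows the client's requests but no replies from the firewall itself points at the switch trunk, while a capture with no requests at all means the tagged frames never leave the switch.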

  • Hello Marvin,
    Unfortunately, I cannot offer a simple solution or simple search for the cause.
    You need deep knowledge of VLANs, VLAN trunks, VLAN tagging, and switch and port configuration to get a (Sophos) AP running with multiple (separated/isolated) SSIDs. You can't use an unmanaged switch with different VLANs.
    You should consider consulting a network specialist to solve this task.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
    Sophos Solution Partner since 2003

  • Hello Marvin,

    Adding to what Dirk mentioned.

    I meant to run the tcpdump on the Sophos Firewall. However, since you already mentioned the device is not getting an IP from DHCP, which is most likely the Sophos Firewall, I believe your issue might be in your Cisco switch.

    For a simple test, you can configure a static IP on a computer that connects to the AP in Position C, and try some traceroutes from the computer to see how far they get.

    Regards,


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support