Hello, I would like to make various subnets accessible via Wifi. Sophos XGS 21.5 + APX120.
Sophos:
IP address: 192.168.100.252
LAN subnet: 192.168.100.0/24
Port1
Zone LAN
APX120: (own subnet)
IP address: 172.18.25.12
Gateway: 172.18.25.1
VLAN ID 25
Port1.25
Zone LAN
win10x64 client in the LAN (Windows Firewall is deactivated)
IP address: 192.168.100.47
Gateway: 192.168.100.252
There is a default WIFI -> GuestAP which was created by Sophos.
WIFI1 Zone Wifi GuestAP Subnet with DHCP: 10.255.0.0
Gateway: 10.255.0.1
Another one that I created manually:
WIFI2 Zone Wifi GuestAP2 Subnet with DHCP: 11.255.0.0
Gateway: 11.255.0.1
The communication between default GuestAP <-> LAN works bidirectionally without any special configuration from me. Everything works. Data traffic is logged with the original source IP (10.255.0.12)!
BUT: The communication between GuestAP2 and LAN only works in one direction: LAN to GuestAP2, but not vice versa, GuestAP2 11.255.0.10 to LAN 192.168.100.47.
Only GuestAP2 11.255.0.10 to Sophos 192.168.100.252 works.
The return route is correct because Sophos is the default gateway.
I can create a MASQ rule. But then the traffic is not logged with the original source IP (11.255.0.10)!
I don't want that because it also works in the default GuestAP.
The Sophos firewall rule allows everything. Sophos seems to use hidden rules with the default GuestAP?!
Who can help?
How do I set up a WLAN correctly so that it can communicate with any subnet (e.g. LAN)?
Hello,
Before you investigate further: while IP 10.255.0.x is a private reserved address range, the IP 11.255.0.x is not. This is a public address range which will be routed accordingly. Try 10.255.1.x or 10.254.0.x instead.
BTW, you hit a special one:
With kind regards, best regards from Germany,
Philipp Rusch
New Vision GmbH, Germany
Sophos Silver-Partner
If a post solves your question please use the 'Verify Answer' button.
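The address-range check behind this answer, as an added example (not code from the thread or from Sophos): it validates a planned WLAN subnet against the RFC 1918 private blocks and against the subnets already in use in the original post. The /24 masks and the existing-subnet list are assumptions, since the post gives network addresses without prefix lengths.

```python
import ipaddress
from typing import List

# RFC 1918 private blocks: the only IPv4 space that should be assigned to
# internal networks such as a guest WLAN. Anything outside these blocks
# (e.g. 11.255.0.0/24) belongs to someone on the Internet and will be
# routed there by any upstream router.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Subnets already in use in the thread (assumed /24 masks).
EXISTING = ["192.168.100.0/24", "172.18.25.0/24", "10.255.0.0/24"]


def is_rfc1918(network: str) -> bool:
    """True if the whole network lies inside one RFC 1918 block."""
    net = ipaddress.ip_network(network, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def check_plan(existing: List[str], candidate: str) -> List[str]:
    """Return the problems with adding `candidate` next to `existing`.

    An empty list means the candidate is private and does not overlap
    any existing subnet.
    """
    problems = []
    cand = ipaddress.ip_network(candidate, strict=False)
    if not is_rfc1918(candidate):
        problems.append(f"{cand} is not RFC 1918 private space; "
                        "replies from the Internet will be routed to its real owner")
    for e in existing:
        e_net = ipaddress.ip_network(e, strict=False)
        if cand.overlaps(e_net):
            problems.append(f"{cand} overlaps existing subnet {e_net}")
    return problems


if __name__ == "__main__":
    # Candidates from the thread: the broken one and the two suggested fixes.
    for candidate in ["11.255.0.0/24", "10.255.1.0/24", "10.254.0.0/24"]:
        issues = check_plan(EXISTING, candidate)
        print(candidate, "OK" if not issues else "; ".join(issues))
```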
Thanks! My bad. It works!
Which design is recommended?
A: Create all WLAN networks on the Sophos as a separate zone. Firewall rules can be used to grant access to the networks as required. This is quick and easy.
or B: Create all networks as a new VLAN on a VLAN-capable switch. Then tag these VLANs on a Sophos trunk port. Then create the WLAN networks as a “bridge into the VLAN” and assign the corresponding VLAN tag.