
Static Route zwischen WatchGuard und Sophos XG

Hello everyone,

I recently installed a WatchGuard firewall and connected the previously existing Sophos XG to the old subnet as the management device for the access points.

Previously the Sophos was the only main firewall at the site; now the WatchGuard is the main firewall and the Sophos only serves the connection for the Sophos access points.

Currently the WLAN clients and the Sophos cannot establish an internet connection via the WatchGuard. Therefore I would like to create a route on the WatchGuard and on the Sophos so that the Sophos APs and the WLAN clients also have a connection to each other via the WatchGuard.

How do I have to configure the route on the Sophos and the WatchGuard so that the 192.168.99.x network can also get out to the internet via the WAN port of the WatchGuard?

In addition, I want to keep the existing 192.168.99.x/24 network for the guest WLAN separated from the productive network 10.10.1.x/24, and create a second SSID for the productive network 10.10.1.x.

How does the configuration have to be set up on both firewalls for this to work?

Do I need to create a default route on both firewalls and then also a firewall rule on both sides? What exactly does the configuration look like here?

Many thanks in advance for your support.


Added TAGs
[edited by: Raphael Alganes at 9:33 AM (GMT -7) on 11 Jun 2024]
  • Hello Florian, 

    Thanks for your response.

    The way I'm seeing it is: your Sophos Firewall interface/Port2 LAN with IP network and the one connected directly to the Cisco switch is in bridge mode, and the Cisco switch is directly connected to WatchGuard Port3 LAN with IP

    So, if you want the AP network to have internet access, the default gateway of the clients should be (WG Port3 LAN), with DNS that can resolve, and with a FW policy on WG that allows outbound traffic.

    A bridge interface on SF whose member ports are both in the LAN zone should be unable to have a default gateway (kindly see the gateway field that is grayed out when creating a bridge interface); that being so, the WG should be the DG of the clients on the network.

    With regards to reaching the network, a static route is likely unnecessary since they are directly connected networks on WatchGuard. What you need is to configure a firewall policy in WatchGuard that allows access to -> and also ->


    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • Thanks Raphael, I got it to work; now the wireless clients have an internet connection. I changed the gateway for the wireless DHCP from to and now the clients can't reach the WAN.

    Unfortunately, I rebooted the access points, and after the reboot they were not able to connect to the Sophos FW again and showed as inactive in the wireless AP configuration on the FW.

    I was not able to get the two access points to run again and set to active; also the LEDs on the APs were blinking red.

    Then I changed the gateway back to in the DHCP options, and after that the APs were connected again and shown as active on the Sophos FW.

    How can I solve this problem now? When the APs are rebooting they aren't able to connect to the Sophos management FW, as the GW for the APs is the same as for the clients.

    I wasn't able to find a solution to set a static IP and GW for the APs only. Is there a configuration I can change to make them run again with the new gateway address?

    Thanks a lot!

  • Hello Florian,

    Thanks for your response.

    It seems the Sophos Firewall is the AP controller for your Sophos APs, and the DHCP server for the clients and APs. Then changing the DG to likely caused the error.

    By default, access points send the registration request to their default gateway using the magic IP address on port 2712. The gateway must route traffic from the access point sent to to Sophos Firewall, or the DHCP server must use option 234 to change the magic IP address to the address of Sophos Firewall.

    That being said, we should configure DHCP option 234 on Sophos Firewall (assuming SF is your DHCP server for the AP network and clients).

    Kindly follow the Steps:

    1. Go to Configure (Network) > DHCP and add a DHCP server so that it can lease IPs to access points and clients.

    2. Create the DHCP option and bind it.
    - Sophos APs work with the magic IP address ( ; therefore configure the DHCP server to forward all AP registration requests to the IP address of the Port2 LAN interface on the appliance instead of the magic IP address.

    - This is done by configuring DHCP server option code 234 [magic IP] for the interface (Port2) the AP is connected to.

    - Connect through SSH and select option 4 to enter the Device Console.
    Once you are in the console, run the following command:

    system dhcp dhcp-options add optioncode 234 optionname dhcp_magic_ip optiontype ipaddress


    3. Apply the created DHCP option to the DHCP server (created in step #2).

    Run the following command: system dhcp dhcp-options binding add dhcpname *ENTER THE DHCP NAME* optionname dhcp_magic_ip(234) value

    Then connect the access point to Sophos Firewall to get the IP address leased by the DHCP server.

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
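The mechanism behind the two replies above (the AP sends its registration to the magic IP via its default gateway unless DHCP option 234 points it at the firewall directly) can be replayed offline. The following is an added example written for this thread, not Sophos code: it encodes and decodes RFC 2132 DHCP options, works out where an AP would send its registration for a given lease, and reproduces the three states of the thread (SF as gateway, WG as gateway, WG as gateway plus option 234). All addresses, the DHCP server name, and the subnet are constructed; the thread elides the real magic IP, so the example takes it as a parameter and uses a TEST-NET placeholder. The two SFOS console lines come from the reply itself, with the bound value filled in with the Port2 address as step 2 describes.

```python
"""Sophos AP registration target derived from a DHCP lease.
Added example for this thread, not Sophos code. Addresses, subnet and
DHCP name are constructed; the magic IP is a placeholder parameter."""
import ipaddress

DHCP_COOKIE = b"\x63\x82\x53\x63"        # RFC 2132 magic cookie
OPT_SUBNET_MASK, OPT_ROUTER, OPT_END = 1, 3, 255
OPT_SOPHOS_MAGIC_IP = 234                # "dhcp_magic_ip", type ipaddress (from the thread)
AP_REGISTRATION_PORT = 2712              # from the thread
PLACEHOLDER_MAGIC_IP = "203.0.113.4"     # placeholder: the thread does not show the real value


def ip_bytes(ip: str) -> bytes:
    return ipaddress.IPv4Address(ip).packed


def encode_options(options) -> bytes:
    """Serialize (code, value) pairs as RFC 2132 TLV options, cookie first."""
    out = bytearray(DHCP_COOKIE)
    for code, value in options:
        if not 0 < len(value) < 256:
            raise ValueError("option %d: bad length %d" % (code, len(value)))
        out += bytes((code, len(value))) + value
    out.append(OPT_END)
    return bytes(out)


def decode_options(blob: bytes) -> dict:
    """Parse the options field back into {code: value}; tolerates pad bytes."""
    if blob[:4] != DHCP_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == 0:                    # pad option carries no length byte
            i += 1
            continue
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


def registration_target(opts: dict, client_ip: str, magic_ip: str):
    """Where the AP sends its registration: (destination IP, next hop).
    Option 234 replaces the magic IP; the next hop is on-link when the
    destination lies in the leased subnet, otherwise the router (option 3)."""
    mask = ipaddress.IPv4Address(opts[OPT_SUBNET_MASK])
    subnet = ipaddress.IPv4Network("%s/%s" % (client_ip, mask), strict=False)
    dst = (str(ipaddress.IPv4Address(opts[OPT_SOPHOS_MAGIC_IP]))
           if OPT_SOPHOS_MAGIC_IP in opts else magic_ip)
    router = str(ipaddress.IPv4Address(opts[OPT_ROUTER][:4]))
    next_hop = "on-link" if ipaddress.IPv4Address(dst) in subnet else router
    return dst, next_hop


def registration_reaches_sf(opts, client_ip, magic_ip, sf_ip, hops_routing_magic_to_sf=()):
    """True if the request ends up at Sophos Firewall: addressed to it directly
    (option 234) or sent to the magic IP via a hop that routes that IP to SF."""
    dst, next_hop = registration_target(opts, client_ip, magic_ip)
    if dst == sf_ip and next_hop == "on-link":
        return True
    return dst == magic_ip and next_hop in hops_routing_magic_to_sf


def sfos_console_commands(dhcp_name: str, sf_port2_ip: str):
    """The two SFOS console lines from the reply, value = Port2 LAN address."""
    return [
        "system dhcp dhcp-options add optioncode 234 optionname dhcp_magic_ip optiontype ipaddress",
        "system dhcp dhcp-options binding add dhcpname %s optionname dhcp_magic_ip(234) value %s"
        % (dhcp_name, sf_port2_ip),
    ]


def demo() -> dict:
    """Replay the three states of the thread with constructed addresses."""
    sf_ip, wg_ip, ap_ip = "192.168.99.1", "192.168.99.254", "192.168.99.20"

    def lease(router, extra=()):
        opts = [(OPT_SUBNET_MASK, ip_bytes("255.255.255.0")), (OPT_ROUTER, ip_bytes(router))]
        return decode_options(encode_options(opts + list(extra)))

    magic = PLACEHOLDER_MAGIC_IP
    # Only SF answers the magic IP; the WatchGuard is not configured to route it there.
    return {
        "sf_is_gateway_no_opt234": registration_reaches_sf(lease(sf_ip), ap_ip, magic, sf_ip, (sf_ip,)),
        "wg_is_gateway_no_opt234": registration_reaches_sf(lease(wg_ip), ap_ip, magic, sf_ip, (sf_ip,)),
        "wg_is_gateway_opt234": registration_reaches_sf(
            lease(wg_ip, [(OPT_SOPHOS_MAGIC_IP, ip_bytes(sf_ip))]), ap_ip, magic, sf_ip, (sf_ip,)),
    }


if __name__ == "__main__":
    print(demo())
    print("\n".join(sfos_console_commands("AP-DHCP", "192.168.99.1")))
```

The middle scenario is the one Florian hit: with the WatchGuard as default gateway and no option 234, the registration leaves for the magic IP through a hop that has no route for it to the Sophos Firewall, so the APs never register. Either a route for the magic IP on the gateway or option 234 in the lease fixes it; the thread takes the option 234 path.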