Advisory: Support Portal Maintenance. Login is currently unavailable, more info available here.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos XG Wireless Controller



Can the Sophos XG Firewall (XG 135v3) be used as a wireless controller only?

If yes, how should the configuration be?


Previous situation: XG 135 as Gateway to the internet with 2 AP100c bridged to LAN. (1 Guest and 1 User LAN)

Now: Other Router/Firewall as Gateway to the internet. Uplink to Coreswitch with multiple VLAN's. The XG 135 is now connected on the MGMT VLAN.


Let's say I have 3 vlans on the new gateway to the core switches.

Vlan 10 = MGMT

Vlan 20 = Users

Vlan 30 = Guests


How should the trunk towards the AP's be configured like? If I choose to bridge to VLAN it says I have to configure an AP MGMT VLAN. (so no untagged vlan supported when using "bridge to vlan" for management?)

How should the connection to the XG be configured like? Does all traffic going over the AP's need to pass over the XG or can I use the XG for controlling the AP's only (which would be great)?


Thanks for your reply


Best regards,,


This thread was automatically locked due to age.
  • It was working as follows:


    Configuration on the XG:

    1 interface with a dummy IP address for untagged traffic.

    1 subinterface on the above with an IP address configured in the MGMT Vlan.

    1 static route because no default gateway can be configured on the subinterface.

    1 rule: any to any for any

    2 wlan networks: 1 for guest (bridge to vlan) and 1 for users (bridge to vlan)


    Configuration on the interfaces to the AP:

    Trunk with No untagged vlan and 3 VLAN's tagged.


    It works but it's oh so slow and I don't think it's the way to go..

  • I got it working on reasonable speed.


    1 Interface on the XG firewall configured VLAN 10 (MGMT)

    AP's configured on trunk link with untagged VLAN 10 and tagged VLAN 20 and 30

    2 Wireless networks (SSID's), 1 for VLAN 20 and 1 for VLAN 30

    Configured magic IP static route and dhcp option to the XG firewall on my DHCP server


    What I don't understand is the option to tag VLAN ID for the access points or access point groups. I've tagged them with another VLAN (40) but the are still communicating with the XG on VLAN 10 MGMT. My confusion was with the obligated configuration of this option when using 'bridge vlan to wlan'

    It looks like the option doesn't do anything. Can anyone confirm?


    So the traffic doesn't pass the XG. Only mgmt traffic between the AP and the XG is happening. VLAN 20 and 30 are not configured on the XG.

    To reply: yes, you can use the XG as a wireless controller only. Perfect.


  • VLAN Tagging in Sophos Wireless is used for everything, after enabling.

    There is the Management VLAN (in your case 10). And you could use per SSID one VLAN, after switching to Bridge to AP VLAN. 

    If you use Bridge to LAN or Separate Zone, both mode will tag the traffic on the management VLAN. 


  • Hi LuCar Toni,

    I understand. But can you force the AP to communicatie to the XG (for provisioning etc) over a tagged VLAN?

    What is the use of the AP VLAN ID?

    I saw you already answered this:

    But this does not work. If I enter AP VLAN ID 10, it will still communicate over the untagged VLAN on the trunk to the AP.

  • It should use the Management Port of the Group for everything? 

    Are you 100% sure, it does not use VLAN ID 10? 


    A Group with VLAN10 will let the APX communicate with VLAN10 as management. 

    Use this tool to login into the APX to check.


  • Hi LuCar Toni,


    Yes, I'm 100% sure it doesn't use the right vlan for communication. No matter what I configure as AP VLAN ID, it always uses the untagged vlan on the trunk.


    Best regards,,