UTM as WAP Controller with Guest Network

I have Sophos UTM along with a few APs at home and want to try out some other firewalls (looking for better tracking and reporting to understand what my kids are doing on the internet). But, Id like to keep the APs and use the UTM as a controller. I see a posting on how to do this (Set UTM 9 to be ONLY wireless AP controller):

Configure UTM with only one interface (LAN) and point default gateway parameter to your new router. Enable DHCP service on UTM and configure it with AP Magic (DHCP 234) option 

But, have a couple of questions:

  • Assuming the wifi is bridged to LAN (APs on the same LAN), does the client traffic from the AP go to the UTM and then back to the LAN, or does the AP bridge it?
  • I also want to do a guest wifi. How would that traffic flow? I imagine it has to flow through the UTM to keep separate from the LAN, and then I should send to the router via a separate VLAN or interface

Asking because I am going to upgrade to 10gbe on the router and switches, but not the UTM, and wondering how much of a bottleneck that would be for wifi. 


  • It looks like bridge to LAN traffic is bridged at the AP, since I can see a client's MAC on the same switch port as the AP. And, Im guessing the guest zone passes through the UTM to separate from the LAN. 

    If I establish a VLAN on my switch for the guest network, could I bridge the guest wifi to that VLAN and have the ongoing traffic avoid passing thru the UTM? Goal would be to have the UTM not in the path of traffic after DHCP

  • I got the normal wifi traffic working, using that DHCP option above. Now trying to figure out how to do the guest access. I can use a spare interface to send the guest wifi traffic from the UTM to the new router, but not sure how to configure that. I dont want the UTM to NAT it (the new router will do that). I tried a few things using static routes, but cant seem to get it working. 

  • Ended up making and bridging the wireless network to VLANs. Couldn't have just the guest net bridge to VLAN while the main wifi bridged to AP LAN (config wouldnt accept having both tagged and untagged in a single group). So, I created a guest VLAN and had the ports for APs, UTM and new firewall tag both the guest VLAN and VLAN 1 (the default on my switch) and then bridged guest wifi to the guest vlan and main wifi to VLAN 1. Also had the APs tag to VLAN 1. Then, in the new firewall (Untangle), I had it NAT the guest VLAN separately from the main internal network. Also, set the new firewall do DHCP on the guest VLAN, in addition to the main. Also, remember the above point about DHCP option. 

    Seems to work.

    Still, not sure I like Untangle over UTM. Has more reporting/tracking, but doing simple things is more cumbersome. And, cannot navigate well using a phone browser. So, might switch back to UTM.