We're in the process of migrating from UTM to XGS; one of two clusters has already been exchanged. Currently I'm working on setting up wireless via Central. The majority of our APs are AP55 and older, so we need to work with Central. We have already bought some APX320 for expansion and testing (if we have to exchange all our older APs with newer APX, then it's an option). We don't use VLANs (in this part of the network).
I'd like to set up at least 2 SSIDs: one for internal access (bridged to the LAN), one for guest access (traffic to external/WAN only, with a bandwidth limit/throttling).
My tests so far have concluded that bridging to the internal LAN is not a problem. I can get access to the LAN, receive a DHCP address, etc. Eventually we'll need to authenticate to our RADIUS server, but guest Wifi is the higher priority right now. All APs register to Central, are updated and accept the settings; not an issue here.
One site is already on XGS, the other is still on UTM for another two weeks. On the XGS wireless is disabled; on the UTM wireless is still active, and Wifi is working fine with the "old" setup there. There is one APX320 set up for testing in Central on the UTM site, and some other APX on the XGS site in Central.
Maybe I'm thinking in the wrong direction or I'm not understanding correctly. I have set up one/some APX in Central with a guest SSID in NAT mode and can access the internet. The traffic is not in the Wifi zone on the XGS, therefore I cannot traffic-shape, limit or apply rules here, and I don't have any means of getting log files for diagnostics.
When I set up guest Wifi in bridge mode (currently only on the site with the UTM), I still get a DHCP address and can access the internet, although the offering DHCP server is from our internal LAN. I'd prefer to use the UTM/XGS's DHCP server to have separate IP ranges. How can I achieve this?
I guess when using the XGS wireless, SSIDs are managed in the appliance and hopefully are assigned to the Wifi zone, so that firewall rules apply, which makes managing easier for us, but then I cannot continue using our AP55s.
What would be the ideal way or solution?
Thank you for your help.
Besides, where's the import button for custom XML expressions for SPX in SFOS 19.0.1?
I have now successfully created a guest wifi with one APX320 in our XGS setup for testing/replacing the UTM.
With the APX no longer registered in Central but in the XG, a virtual network interface is created, firewall rules apply, and we can set up QoS with bandwidth limits.
How can I replicate this with an APX managed by Central?
You'll have to remove the APX320 from XGS control and put it under Sophos Central control, which involves several steps that there are multiple threads about.
Then you set up the SSID from Sophos Central and do not set it up so that the AP does DHCP. Then set up corresponding VLANs on the XGS and fire up DHCP servers on each VLAN (on the XGS). You can do anything on the XGS that you can with any other subnet/VLAN/port. Sophos Central should ONLY be used to maintain the AP itself: set up, enable SSIDs, disable SSIDs, look at stats, capture logs, update AP firmware, etc. (You can set Sophos Central to automatically update firmware on whatever weekday you want.)
So do not enable "Wireless Security" (or whatever it's called) on the XGS, which will then capture your APs (if they're still supported by SFOS). Configure and run the AP from Sophos Central, set up and manage the VLANs associated with the SSIDs on the XGS.
You can group your SSID VLANs (on the XGS) into whatever Zones you want. You can also bridge an SSID into the LAN on which the AP resides. (In my case, I have one SSID that is bridged into my LAN, and two SSIDs that are separate VLANs.)
Is that what you were looking for?