How to create a WIFI mesh network with all APs connected to ethernet?


I have a Sophos XG acting as my firewall.

I have three floors where I'd like to install one WIFI access point per floor. Each of these APs is connected to an ethernet port of an L2 switch to which the firewall is also connected. No VLANs.

So the idea is to transport the traffic via ethernet cable to each AP in order to not use radio channels unnecessarily and ensure full bandwidth. The cabling is there.

I understand that I need to use Sophos APs to have my XG do the management.

All APs should use the same SSID and password so when I move within the building and the floors, I will always be handed over to the strongest wifi AP, ideally without any noticeable interruption of wifi traffic.

But I cannot figure out how to configure that kind of setup:

From my understanding, only one AP will act as root and use the ethernet connection. All the others won't. The slave APs will just forward traffic from the root AP to the clients and back and not leverage the more powerful ethernet connections.

That would be less powerful than my current simple setup:

My current setup is with three Netgear APs, each with a manually selected RF channel to ensure minimum interference among them and with my neighbors. Works, but as used Sophos APs are now cheap to get, I am considering leveraging the wifi controller features of my XG and having a more elegant, centrally managed solution.

Any help appreciated, many thanks!

Added TAGs
[edited by: Erick Jan at 5:53 AM (GMT -7) on 3 Jun 2024]
  • Hello Alexander,

    I don't understand your problem at all. This is exactly what a managed WiFi with a number of connected APs is used for. This simply works just "out of the box". The AP with the strongest signal gets the connection, the client traffic is passed to the gateway (=firewall). No magic.

    There is no "root AP" as you don't build a "WiFi mesh" when using several managed APs which are all connected to an ethernet LAN. There is some traffic used for the management of the APs, which consumes some bandwidth of the "transport" ethernet, but this is negligible. The setup of a managed WiFi is capable of handling "roaming clients", which means handing over the WiFi-client session from one AP to the other if you are moving from one floor to the other. There is no guarantee that this will go unnoticed by the client or the application which is currently running on the client. This depends on many factors like signal strength, how many parallel sessions and the applications used in that session, and many others.

    Of course you can distribute the used channels manually with an XG(S) and Sophos APs to minimize interference.

    Kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner
