AP6 no IP over DHCP / No Internet

Hello KarlVanSnail ,

Thanks for reaching out to Sophos Community. 

What happens when you put static IP settings on the clients instead? are they able to reach the:

-default gateway

-other clients on the network 

-and internet connectivity? 

Could you share your VLAN configuration on your Switch and AP? 

Thank you

Nothing i cant reach anything with static IP no gateway no Internet.

With networkcables we dont have any Problems.

Yes they are other clients too in the VLAN.

Thats our Switch in the Office. Behind the Switch we have 3x 2930M Stack. Its all HP.

The AP is on Port 5.

trunk 23-24 trk1 lacp

ip route 0.0.0.0 0.0.0.0 192.168.11.254

interface 23
name "UplinkConfig"
exit

interface 24
name "Uplink HPV"
exit

vlan 1
name "DEFAULT_VLAN"
no untagged 1-22,25-28,Trk1
ip address dhcp-bootp
exit

vlan 210
name "SERVER"
untagged 13-18,20
tagged 11,25-28,Trk1
no ip address
exit

vlan 211
name "INFRA"
untagged 5,21-22,Trk1
ip address 192.168.11.50 255.255.255.0
exit

vlan 212
name "CLIENT"
untagged 1-4,6-10,12
tagged 5,11,25-28,Trk1
no ip address
ip helper-address 192.168.10.210
ip helper-address 192.168.10.211
exit

vlan 215
name "VoIP"
untagged 19
tagged 25-28,Trk1
no ip address
exit

We have a Request number too at the Support and he said other companies have this problem too, but the investigation take meanwhile over 1 week.

LAN Bridge works on the AP fine, but we want to have a separated VLAN for the Guest Access.

Hello KarlVanSnail ,

Thank you for taking the time to update with details. Regret to hear about the issue you're currently encountering.

Could you share with us the caseID you currently have with Support? 

Many thanks for your time and patience, and thank you for choosing Sophos.

Request Number 07428708

Maybe I'm missing something but as I said, if we use cables we don't have any problems

Request Number 07428708

Maybe I'm missing something but as I said, if we use cables we don't have any problems

Hello KarlVanSnail ,

I have left a note on your case with support. 

On the other hand, If my assumption is correct, AP is connected to an edge switch > which is connected to a L3 switch which is (3x 2930M Stack) 

How does VLAN 212 reach the DHCP server on the network? is it via VLAN routing on the L3 switch or through the Sophos Firewall? 

Also, how is the L3 switch routing traffic to the Firewall? Is it through a Trunk port or a Routed port (using the Default Route to Sophos Firewall interface)? 

What I can initially left for you to check is:

- Make sure the switch interface connected to the AP6 is on a Tagged port for 212 (Client Vlan)

- all uplinks (if you're connecting via trunk ports) must have VLAN 212 tagged

- If connected through a routed port - kindly make sure there is an entry of Static route on Sophos Firewall, introducing the VLAN 212 network, so FW would know how to route traffic to and from the L3 switch which has the VLAN 212 information, so in this case make sure there's a defined network address on your L3 switch for vlan 212 e.g. 172.16.212.0 /24 and a static route on Sophos Firewall.

-If through a trunk port - configure a VLAN subinterface with VLAN ID 212 on Sophos Firewall e.g. Port8.212 and have a FW policy configured for VLAN 212 to reach internet and other VLAN networks

-in AP, I may recommend you to check/enable "Client isolation" under SSID > Security. 

Otherwise, further checking on this case would be needed. 

I hope this information helped your concern. We shall be continuing to track progress of your case with us.

Again, many thanks for your time and patience and thank you for choosing Sophos. 

No we dont have a L3 Switch its all on XGS 2100 Firewall.

We create a LAG with 2 Physical ports and on them the VLANs are binded.

VLAN 212 is tagged through the LACP Trunk Ports for the whole company and to the Virtualization.

FW Rules are set Subnet VLAN 212 to subnet VLAN 210 (Windows DHCP) and subnet VLAN 212 to Internet Breakout.

DHCP Relay is defined too on the XGS.

Client Isolation is off i checked it now again.

It irritates me because it works normally with a cable. With a cable we immediately get an IP Lease and the network/internet works without any problems. All internal services like Windows AD/DNS/DHCP and so on works well too. 

Only on the AP it doesnt work.

And before we used the AP55 on XG Firewall and we had a different setting.

LAN Bridge into the Client VLAN and Separated Zone with own DCHP for the Guest on the old XG.

That was quite easy to configure