Configuring AP6 420 with VLANs

Dear Support,

We recently purchased an AccessPoint AP6 420 to extend our WiFi configuration.
Prior to that purchase, we had several AccessPoints APX model that were managed by our XGS3100 Firewall On Premise.
As the new AP6 must be configured through Sophos Central, we need some guidelines how to do this.

We will have 3 SSIDs on each access point.

 - HHINTERNAL => This is a bridge access to our default VLAN
 - HHPHONE => Clients connected to this SSID must be isolated from the rest of the devices and not have access to the local devices
 - HHGUEST => As before, clients are isolated. A captive portal will be displayed with use of vouchers

My question is, how do we configure such accesses ?
The AP (AccessPoint) will have an IP Address on the default VLAN in order to register to Sophos Central ?
When configuring Internet Access on the Firewall, are the APs on the "WiFi" zone or on the "LAN" zone ?
The APs receive an IP Address from our internal DHCP (Windows Server) or should the XGS3100 do the DHCP ?

The VLANs must be created on the switches only on also inside of the Firewall ?
Would it be possible to discuss implementation through some kind of schema and/or call ?

Thanks in advance for your cooperation.

Best regards,
Octavio Romano



Added TAGs
[edited by: Erick Jan at 12:17 AM (GMT -8) on 14 Nov 2024]
  • You can select between two general mode in AP6: VLAN or LAN Bridging. 
    VLAN Bridging gives you the option to segment the traffic on a firewall. For this to work, you have to configure the VLAN on every component between AP6 and Firewall (most likely the switch). 
    Then you can also use Guest Network, which activates a firewall on the Ap6 and only allows traffic to the internet. 
    I would always recommend to use Bridge to VLAN and do the segmentation on your firewall for all VLANs. 

    __________________________________________________________________________________________________________________