Dear all,
I have read chapter 15 in the following guide:
https://www.sophos.com/en-us/medialibrary/PDFs/documentation/utm9506_manual_eng.pdf?la=en
I would like to be assured that the setup I have in mind makes sense in order to achieve the desired goal.
GOAL: Have 2 separate SSIDs, one for general public/visitors to access internet only protected with PSK, the other to access company resources and protected with RADIUS (RADIUS server already configured). The SSID accessing company resources can be in the same VLAN as other LAN clients or does not have to be (does not matter).
What I have in mind:
Create SSID for guest WLAN with Client traffic -> Separate Zone option. Afterwards, abide by page 458 of the above-mentioned guide. Guest clients will have a separate subnet with all that is needed (interface, DHCP, NAT, etc.).
Create company WLAN SSID for employees with Client traffic -> Bridge to AP LAN or Bridge to AP VLAN. Then, DHCP, firewalling etc. need to be taken care of in terms of the particular LAN or VLAN (depending on the option I choose).
Questions:
- does this seem like a reasonable setup to you?
- in case of separate zone (guest WLAN) described above, how is it achieved that the AP can broadcast multiple subnets despite the fact that its LAN has only one address assigned and VLANs aren't used - is it something similar to CAPWAP or LWAPP tunneling in the Cisco world?
- in case of company WLAN Bridged to AP LAN, how does the Sophos UTM know with which interface to bridge?
- in case the latter mode (Bridge to AP VLAN) is selected, then the virtual interface pertaining to the particular VLAN needs to be configured in advance with appropriate VLAN tagging and that's all? On the side of the network, do I need to have trunks configured?
- Is it possible to have company WLAN in VLAN and guest WLAN in Separate Zone? What would the network configuration then look like - guest WLAN untagged and company WLAN tagged with particular WLAN?
Thank you in advance for answering my questions and understanding the core concepts behind UTM Wireless.
Best regards,
Z