VLAN or network group?

Hello. I'm a LONG time lurker and first time poster. I have a UTM 9 firewall and a UniFi AP. I had a Sophos AP before, but it crapped out on me. With the Sophos AP, I never had this problem. I have TONS of VLANs, from guest VLAN, local WLAN, kids VLAN, management VLAN, IoT VLAN, media VLANs, etc., each with a corresponding SSID. The problem with the UniFi AP is that I can only do like 4 SSIDs, and they warn that I will have a performance penalty if I have more. So my questions are:

1. If I make a network group in the same subnet, will they be able to talk to/ping each other, or do I explicitly put in a firewall rule for them not to see/talk to each other?

2. Can I create different VLANs in the same subnet, like VLAN 10, VLAN 20, VLAN 30, etc., with 1 SSID broadcasting the network?

I read about VLAN assignment through authentication using a RADIUS server, but that is too advanced for a non-network-engineer home user like me. If you also have any advice on how to proceed with this, please share it. Thanks in advance.

  • Hello eiji,

    Q1: What do you mean by "a network group on the same subnet"? ... I do not understand

    Q2. depending on the WIFI vendor.... Wifi-AP must send the Wifi client to the specified VLAN ID depending on some information. Subnet size and mask are irrelevant


    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • My setup before was different VLANs with different subnets and their own SSIDs, 10.10.20/24 and such. Since the UniFi AP is limited in the number of SSIDs, I’m planning to just use one network and not separate my devices into VLANs. So all will be on But, I’m planning to create a static address on each of my devices and separate them into “network groups” under network and definitions. My concern is they still might be able to talk to each other unless I explicitly put a reject rule on the firewall.

    My other question, to simplify: is there any way for different VLANs to be on 1 SSID, or is there any way for a Wi-Fi AP to route clients based on MAC address to a certain VLAN, but using 1 SSID only?


  • 1. Using / firewalling multiple IP ranges within one subnet should be possible.

    2. 1 SSID = 1 VLAN // MAC-based routing ... I think not possible.



  • Hi and welcome to active participation in the UTM Community!

    Sounds like a better solution would be a used Sophos AP.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA

  • Yup. I never had a problem until my AP100C crapped out. One SSID per VLAN. Thanks for your reply.

  • I guess I'll just do the first one. I tried doing FreeRADIUS with dynamically assigned VLANs, but there's more headache. Thanks again for your reply.
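
An added example, not part of any post in this thread: a small generator for the FreeRADIUS `users` file entries behind the RADIUS-assigned VLAN approach mentioned above, using the standard RFC 3580 tunnel attributes. The MAC addresses and VLAN IDs are constructed, and it assumes the AP submits the client MAC as both user name and password in lowercase hex without separators.

```python
import re

# Constructed sample inventory: client MAC -> VLAN ID (values are illustrative).
SAMPLE_DEVICES = {
    "AA:BB:CC:00:00:01": 10,   # e.g. kids tablet
    "aa-bb-cc-00-00-02": 20,   # e.g. IoT plug
    "aabb.cc00.0003": 30,      # e.g. media player
}

def normalize_mac(mac):
    """Return the MAC as 12 lowercase hex digits, or raise ValueError."""
    digits = re.sub(r"[:.\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def users_entries(devices):
    """Render FreeRADIUS 'users' file entries that assign one VLAN per MAC."""
    seen, blocks = set(), []
    for mac, vlan in devices.items():
        user = normalize_mac(mac)
        if user in seen:
            raise ValueError(f"duplicate MAC: {mac!r}")
        if not 1 <= vlan <= 4094:
            raise ValueError(f"VLAN ID out of range: {vlan}")
        seen.add(user)
        # Assumption: MAC is sent as user name and password by the AP.
        blocks.append(
            f'{user} Cleartext-Password := "{user}"\n'
            f'\tTunnel-Type = VLAN,\n'
            f'\tTunnel-Medium-Type = IEEE-802,\n'
            f'\tTunnel-Private-Group-Id = "{vlan}"\n'
        )
    # Unknown MACs are rejected instead of landing in a default VLAN.
    blocks.append("DEFAULT Auth-Type := Reject\n")
    return "\n".join(blocks)

if __name__ == "__main__":
    print(users_entries(SAMPLE_DEVICES))
```

A MAC address can be cloned, so this sorts devices into VLANs but does not authenticate them; the firewall rules between the VLANs still do the isolating.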