
How do I set up Guest LAN access via a separate interface?

Hello,

I'm looking to set up a separate Guest Wifi AP with direct Internet access with some QoS to limit bandwidth usage (we don't have the best upload, so it needs to be limited).

I've got a full private network with its own Wifi AP. However, we just acquired a second Apple Wifi Extreme AP that I would like to use solely as a Guest Wifi AP.

Here is what I have done so far:

My UTM has two unused Ethernet ports.

I have set up one as a "Guest Network" interface with an IP of 10.0.1.1 (my internal network is 192.168.x.x).

I have it directly wired to my Apple Extreme AP (IP: 10.0.1.2). I have set up DHCP on the AP for a range of 10.0.1.100-150, subnet 255.255.255.0, DNS 8.8.8.8 / 8.8.4.4, gateway 10.0.1.1.

I can connect with no problems; however, I keep getting an IP from my INTERNAL DHCP server instead of the AP.

I have tried setting up a firewall:

Guest Network > Internal = DROP

Guest Network > Internet IPv4 = HTTP, HTTPS, SMTP SSL, DNS, allowed.

NAT: Guest Network (Network) > External (WAN)

Yet, after all this, I'm still able to see my internal network, and get an IP from my internal network.

How do I set up a separate interface to forward all traffic directly to the internet, and apply QoS to that interface ONLY?
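The symptom in this post (a guest client holding a lease from the internal DHCP server) is something you can check from a packet capture rather than from the firewall rule table, since a DHCP offer reaching the client from the internal server never passed through the UTM's routed rules. The following is an added example, not code from the thread or from Sophos: it parses the raw UDP payload of a DHCP OFFER and reports whether the lease matches the guest AP (server 10.0.1.2, pool 10.0.1.100-150 on 10.0.1.0/24, as given above). The sample offers are constructed inline, not real captures.

```python
import ipaddress

# Values from the post: guest AP 10.0.1.2 hands out 10.0.1.100-150 on 10.0.1.0/24.
GUEST_NET = ipaddress.ip_network("10.0.1.0/24")
GUEST_POOL = (ipaddress.IPv4Address("10.0.1.100"), ipaddress.IPv4Address("10.0.1.150"))
GUEST_DHCP_SERVER = ipaddress.IPv4Address("10.0.1.2")
DHCP_MAGIC = b"\x63\x82\x53\x63"  # magic cookie that starts the options field (RFC 2131)

def parse_offer(packet: bytes) -> dict:
    """Return yiaddr and option 54 (server identifier) from a raw BOOTP/DHCP payload."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    fields = {"yiaddr": ipaddress.IPv4Address(packet[16:20]), "server_id": None}
    i = 240
    while i < len(packet):
        opt = packet[i]
        if opt == 255:            # end option
            break
        if opt == 0:              # pad option carries no length byte
            i += 1
            continue
        length = packet[i + 1]
        if opt == 54:             # server identifier: who actually answered the client
            fields["server_id"] = ipaddress.IPv4Address(packet[i + 2:i + 2 + length])
        i += 2 + length
    return fields

def lease_problems(packet: bytes) -> list:
    """List reasons a lease did NOT come from the isolated guest network (empty = OK)."""
    f = parse_offer(packet)
    problems = []
    if f["yiaddr"] not in GUEST_NET:
        problems.append(f"address {f['yiaddr']} is outside {GUEST_NET}")
    elif not GUEST_POOL[0] <= f["yiaddr"] <= GUEST_POOL[1]:
        problems.append(f"address {f['yiaddr']} is outside the AP's DHCP pool")
    if f["server_id"] != GUEST_DHCP_SERVER:
        problems.append(f"offer came from {f['server_id']}, not the guest AP")
    return problems

def build_offer(yiaddr: str, server_id: str) -> bytes:
    """Constructed sample data: a minimal DHCPOFFER payload, not a real capture."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = 2, 1, 6                    # BOOTREPLY, Ethernet, hlen 6
    hdr[16:20] = ipaddress.IPv4Address(yiaddr).packed   # 'your' IP address
    opts = b"\x35\x01\x02"                              # option 53: message type OFFER
    opts += b"\x36\x04" + ipaddress.IPv4Address(server_id).packed  # option 54
    return bytes(hdr) + DHCP_MAGIC + opts + b"\xff"
```

A non-empty result on a capture taken at the guest AP means the offer arrived over the same layer-2 segment as the internal server, which no Guest Network > Internal drop rule on the UTM can influence.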



  • Although it doesn't directly answer the question you ask, you might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests."  If you would like me to send you this document, PM me your email address. I also maintain a version auf Deutsch translated by fellow member hallowach when he and I did a major revision in 2013.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks Bob for the document.

    It's now working.

  • In fact, you really can't limit uploads with QoS if the Guest network is allowed to use the proxy.  If you discover that you do need to do QoS, you will need to exclude the Guest network from the Proxy so that you can use a Traffic Selector of 'External (Address) -> Web Surfing -> Internet' with a Bandwidth Pool guaranteeing up to 95% of your bandwidth to proxy users.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I'm actually not using a proxy. Since the users go physically straight from a standalone Wi-Fi AP (AirPort Extreme) and I'm dropping literally ALL traffic to my internal network, I didn't feel a need to use a proxy for guests.

  • I got the download to work... but I suspect you're correct about the upload (which I can live with).

    I needed a traffic selector of ANY < ANY > ANY,

    a bandwidth pool of 1024 kbit/s,

    and download throttle set to 1024 kbit/s.

    Once I enabled that, QoS seems to be working (albeit only on download, but at least it's something).

  • Hi Bob,

    Would you be kind enough to send me your document please? We have non-Sophos wireless guest access (Cisco AP) and would like to be able to perform some kind of self-registration against the Sophos; is this possible? We are also looking at the lobby admin on the Cisco side, but it is limited; the username cannot fit some email addresses :(

    Regards