
Guest WLAN Options with non Sophos AP

Hello,

 

I have on my UTM 4 Ports in use, LAN, WAN, DMZ1, and DMZ2. I have an Access Point (non Sophos) in the LAN Network. As I understand, I can't use the Sophos Access Point Management for my AP. I would like to set up a Guest Network to separate this Network from the LAN Segment, and set up different Firewall Rules.

 

As all the Ports are used on my Sophos, what would be the Option to set up the Guest Network?

 

Thx

Sally



  • VLANs would be your best option.  I use 2 rt-ac68u equivalents (one real, other a Netgear R7000 flashed with Merlin's firmware fork) in opposite corners of the house.  Both have a guest wifi with limit web use configured.  This guest wifi is bound to a VLAN separate from the main wifi binding.  By default, I believe guest wifi only uses a different SSID, but the network IP assignments are in the same subnet as nonguest wifi (which defeats the purpose of having guest wifi in the first place!@#).

    Anyway, the setup was convoluted.  I had to define separate VLANs on the rt, along with ebtables commands to isolate the guest wifi from any guests on the same wired VLAN.

    Read more here - https://www.snbforums.com/threads/guest-network-in-access-point-mode.7021/#post-360410 , posts by gpz1100

  • Hi Jay Jay,

     

    thanks for the Information. I was wondering if I can set up the VLAN on the DDWRT Router, and control the access on the Sophos UTM with the Firewall. All the Ports on the Sophos UTM are connected, and the AP Point has an Internal LAN Address. Can I change the Internal LAN Ethernet on the Sophos to Ethernet VLAN?

     

    When changing to Ethernet VLAN (LAN Network) do I also need a managed Switch for this, to set Internal Traffic as untagged, and traffic from DDWRT Guest WLAN to tagged?

     

    Thx

    Sally

  • I'm unfamiliar with how to set up VLANs using ddwrt. You'll need to do further research.  On this end, UTM does handle everything else, DHCP, DNS, etc. for the VLAN.  On UTM define a VLAN interface as a subinterface of the LAN interface. You'll need to treat it as an independent interface, establishing masquerading, add it to web filtering and other functions (DNS, DHCP, etc.).

    You'll also need to pass it through the network somehow.  I have all VLANs tagged off the main internal interface.  There are several switches (rt-ac68u's and R7000) in the home network.  Each has vlan0 as untagged and everything else tagged.  You'll have to bridge the guest wifi with the tagged VLAN in ddwrt.  I don't recall being successful with ddwrt, which is why I ultimately reverted to Merlin's firmware.

     

  • Thanks Jay Jay for the Information. I have no Physical Port free anymore on my UTM. When I change the Ethernet LAN Interface to VLAN and set a VLAN Tag, does the Interface still allow untagged traffic from the LAN as well, or just Tagged Traffic?

     

    Thx

    Sally

  • Hi Sally,

    When you add a VLAN tag to an interface it will only transport tagged traffic. You can define multiple VLAN interfaces on one physical interface. You can use a managed switch to connect the UTM interface holding the VLAN interfaces to a trunk port of your switch and forward packets of a certain VLAN untagged to all or some defined ports of the switch.

    Cheers

    Philipp
