Advisory: Support Portal Maintenance. Login is currently unavailable, more info available here.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Client-Isolation across Accesspoints?

Hello, 

 

we are using 9 Sophos Access-Points accross our company. For the Main-Wifi-Network the Client isolation is disabled. 

However, we are facing the issue, that Clients that are connected to DIFFERENT AccessPoints can't access each other. 
If both Clients are connected to the same AccessPoint, everything works fine. 

(When connected to different accesspoints, another client being connected (wired) can access both, and both can access the

wired client) 

Seems to be some "Client-Isolation", but only when connected to different AccessPoints? 

Any Idea, which configuration setting to check? 

 

(UTM 9.510-5 )



This thread was automatically locked due to age.
  • Hi,

    please provide more information about your setup.

    What is the client-traffic mode for the affected Wifi (separate zone, bridge to vlan, bridge to lan)?

    If bridge-to-lan: are all Accesspoints in the same subnet?

    Yours Lukas

    lna@cema

    SCA (utm+xg), SCSE, SCT

    Sophos Platinum Partner

  • Hi,

    it's bridge to VLAN. In this Case the affected Wifi-Network is bridged to VLAN 1, wich is our default vlan. 


    (But all connections between the Wifi-AccessPoints and the switches are using VLAN-Tagging for every VLAN available) 

    I noted, that one of the clients is connected using 2.4 GhZ, while the other uses the 5GhZ Band. 

    Might this cause any issues in General? (Seen as different Wifis, Isolating clients?)

    For the tests we did with the same accesspoint, they both needed to use the 2.4 GhZ Band, cause that's only a AP15C.

    I will disable 5GhZ temporary for the other Accesspoints and see if that resolves the issue. 

  • How are you testing "access" between devices on different APs?  Do you see anything related in the Firewall log?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello,

    i have the same problem.

    I use the AP in Bridge to LAN Modus.

    Is there a solution to fix the problem?

    Thanks a lot.

  • Markus said:

    Hello,

    i have the same problem.

    I use the AP in Bridge to LAN Modus.

    Is there a solution to fix the problem?

    Thanks a lot.

    Hey there, 

    for us the issue was, that clients that connect through different APs (and different Bands, i.e. 2.4 and 5 GhZ) can't see each other. (Even if we have disabled client isolation at all)
    If both are on different Accesspoints, but the SAME band, everthing is fine. (i.e. 2.4 to 2.4 and 5 to 5 is fine)

    this suggestion over here however seems to describe the problem the other way round: 
    https://ideas.sophos.com/forums/17359-sg-utm/suggestions/34011193-client-isolation-between-clients-connected-to-same

    They have client isolation NOT working between different bands, only works on the same band. 

    So, guess there is at least something strange with how that feature is supposed to work and how it really works. 

  • hey,

    I switch the band to 2,4Ghz but still the same problem.

    no connection to the other clients. :-(

  • Hallo Markus and welcome to the UTM Community!

    Are you certain that you don't have 'Client isolation' enabled in the 'Advanced' section of the Wireless Network definition?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob,

    Thank you for the welcome.

    Yes, i do Double Check.

    Is disabled.

    It works if I connected with my phone on the same AP as the client. Ping and all are fine.

    If I connect to a different AP nothing work.

    Other client is not pingeble.

    Best regards

    Markus

  • Hey,

    It’s me again.

    I set the client isolation to enable -> save.

    Than back to disable-> save.

    Now it seems to work.

    Client connected to different AP are possible to ping.

    I will observe the next Day an we will see.

  • This feels like a bug, Markus.  Have your reseller open a case with Sophos Support and let us know what they say.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA