This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Asking for Help to Configure Wireless Network

I just replaced our old Apple "AirPorts" with Sophos AP 100C access points. When I enabled Wireless Protection I did the following:

  • Enabled Wireless Protection with "Internal" as the allowed interface.
  • Created a matching wireless network, Bridged to the AP LAN, which is our internal network, the same LAN where the access points are connected.
  • Activated the access points, set the 2.4 and 5 Ghz channels to match the Apple access points they replaced to minimize interference with each other and nearby unrelated "neighbor" access points.

At this point, we have the equivalent of our previous wireless network. For a laptop;, using the WiFi is functionally equivalent to an Ethernet connection on the internal LAN.

The next steps are to add two new SSIDs (wireless networks): one for Guests and one for wireless appliances (e.g., the kitchen oven, the TV sets, etc.). Those wireless networks must be blocked from seeing or knowing about the LAN, but should still be able to connect to the internet through the firewall. I assume that I must create two new DHCP servers for the two new networks. 

QUESTION:
-> How do I choose between "Separate Zone" AND "Bridge to VLAN"? 

There is a warning about MTU being reduced if Separate Zone is chosen. Otherwise, I am trying to understand the difference and the implication of choosing one over the other.

Please share your experience and advice regarding the best way to setup these Guest and Appliance wireless networks, isolated from the LAN. It will be most appreciated. 

P.S. The access points are connected to the UTM via unmanaged switches. Each access point is connected to a small unmanaged switch, to share the single Ethernet jack with other devices in the room. The Ethernet cables from the rooms all join together in my office closet at a larger unmanaged switch, which is connected to the LAN port on the UTM.



This thread was automatically locked due to age.
Parents Reply Children
  • Look at the built-in UTM documentation under Wireless Protection > Wireless Networks. I found it in my UTM version 9.711-5.

    Scroll down to Client traffic, then Separate Zone, and finally the "Note - " under Separate Zone, which talks about encapsulation and MTU reduction.

    You can also find it by scrolling halfway down this page:

    https://docs.sophos.com/nsg/sophos-utm/utm-on-aws/9.708/help/en-us/Content/utm/utmAdminGuide/WirelessNetworks.htm

  • From the link provided:

    Separate zone (default): The wireless network is handled as a separate network with the specified IP address range.

    When you create a network as a separate zone, Sophos UTM on AWS creates a corresponding VXLAN tunnel. All traffic from the separate zone network is sent to Sophos UTM on AWS using the Virtual Extensible LAN (VXLAN) protocol. VXLAN is a virtual tunnel that encapsulates layer 2 Ethernet frames within layer 3 IP packets. Encapsulation lowers the available MTU size. Lower MTU results in higher fragmentation and may slow the traffic at times. To prevent this issue, you can do one of the following:

    • Use Bridge to AP LAN or Bridge to VLAN.
    • If you must use a separate zone, lower the MTU value on users' endpoint devices.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Here are the relevant statements from my UTM 9.711-5:

    • Separate zone (default): The wireless network is handled as a separate network with the specified IP address range.

      When you create a network as a separate zone, Sophos UTM creates a corresponding VXLAN tunnel. All traffic from the separate zone network is sent to Sophos UTM using the Virtual Extensible LAN (VXLAN) protocol. VXLAN is a virtual tunnel that encapsulates layer 2 Ethernet frames within layer 3 IP packets. Encapsulation lowers the available MTU size. Lower MTU results in higher fragmentation and may slow the traffic at times. To prevent this issue, you can do one of the following:

      • Use Bridge to AP LAN or Bridge to VLAN.
      • If you must use a separate zone, lower the MTU value on users' endpoint devices.

      If you select Separate zone, after adding the wireless network, continue your setup as described in the section below (Next Steps for Separate Zone Network).

      Note – When switching an existing Separate Zone network to Bridge to AP LAN or Bridge to VLAN, already configured WLAN interfaces on Sophos UTM will be disabled and the interface object will become unassigned. However, you can assign a new hardware interface to the interface object by editing it and thus re-enable it.

    • Bridge to AP LAN: You can bridge a wireless network into the network of an access point, that means that wireless clients share the same IP address range.

      For Local WiFi Device: To create a Bridge to AP LAN you need to edit the Local WiFi Device on the Wireless Protection > Access Points > Overview tab and enable bridged to AP LAN. In addition, you need to create a new interface on the Interfaces & Routing > Interfaces > Interfaces tab and select the bridge. You also need to have a DHCP server on the Network Services > DHCP > Servers tab so that the client can receive an IP.

      Note – If VLAN is enabled, the wireless clients will be bridged into the VLAN network of the access point.

    • Bridge to VLAN (not available for Local WiFi Devices): You can decide to have this wireless network's traffic bridged to a VLAN of your choice. This is useful when you want the access points to be in a common network separate from the wireless clients.

      Bridge to VLAN ID: Enter the VLAN ID of the network that the wireless clients should be part of.

      Client VLAN ID (only available with an Enterprise encryption mode): Select how the VLAN ID is defined:

      • Static: Uses the VLAN ID defined in the Bridge to VLAN ID field.
      • RADIUS & Static: Uses the VLAN ID delivered by your RADIUS server: When users connect to one of your wireless networks and authenticate at your RADIUS server, the RADIUS server tells the access point what VLAN ID to use for each user. Thus, when using multiple wireless networks, you can define per user who has access to which internal networks. For users who have not a VLAN ID attribute assigned, the VLAN ID defined in the Bridge to VLAN ID field will be used.

    and

    Next Steps for Separate Zone Networks

    When you created a wireless network with the option Separate Zone, a new corresponding virtual hardware interface will be created automatically, e.g., wlan0. To be able to use the wireless network, some further manual configuration steps are required. Proceed as follows:

    1. Configure a new network interface.

      On the Interfaces & Routing > Interfaces > Interfaces tab create a new interface and select your wireless interface (e.g., wlan0) as hardware. Make sure that type is “Ethernet” and specify the IP address and netmask of your wireless network.

    2. Enable DHCP for the wireless clients.

      For your clients to be able to connect to Sophos UTM, they need to be assigned an IP address and a default gateway. Therefore, on the Network Services > DHCP > Servers tab, set up a DHCP server for the interface.

    3. Enable DNS for the wireless clients.

      For your clients to be able to resolve DNS names they have to get access to DNS servers. On the Network Services > DNS > Global tab, add the interface to the list of allowed networks.

    4. Create a NAT rule to mask the wireless network.

      As with any other network you have to translate the wireless network's addresses into the address of the uplink interface. You create the NAT rule on the Network Protection > NAT > Masquerading tab.

    5. Create one or more packet filter rules to allow traffic from and to the wireless network.

      As with any other network you have to create one or more packet filter rules to allow the traffic to pass Sophos UTM, e.g., web surfing traffic. You create packet filter rules on the Network Protection > Firewall > Rules tab.