How do I have one SSID bridged to AP LAN and one SSID bridged to VLAN?

Hello

I'm trying to get the following working:

I want one SSID for access of the internal network (without vlan tagging, 192.168.43.xx) -> Bridge to AP LAN

And one SSID for our guest network (with vlan tag 40, 172.16.29.xxx) -> Bridge to VLAN

Now I want to enable this on our UTM 9.4, but it's refusing this config.

Error

The VLAN settings of the access point 'xxx' conflicts with the client traffic option: 'Bridge to VLAN' of the SSID 'guestnet'.

Enabling VLAN tagging on the AP:

The VLAN settings of the access point 'xxx' conflicts with the client traffic option: 'Bridge to AP LAN' of the SSID 'internalnet'.

In the manual on page 435 I found the following:

<quote>

• Bridge to AP LAN: You can bridge a wireless network into the network of an access point, that means that wireless clients share the same IP address range.

Note – If VLAN is enabled, the wireless clients will be bridged into the VLAN network of the access point.

</quote>

But this isn't working?

Can anybody help me?

Thanks

Tobi



This thread was automatically locked due to age.
  • Tobi,

    I feel like this used to work without an issue before 9.4...  I just tried doing this yesterday on a device that was 9.4 and I receive the same error.  If you find anything out from support please advise the results.

    Thanks,
    Hugh

  • Yep, getting the same error here too. Can't set up an SSID with a native VLAN and an SSID with a tagged VLAN at the same time.

    I've even tried an SSID with tagged and another SSID with tagged. Results in the same.

  • OK, might have a result. Won't know until I'm back at work tomorrow.

    Set up as follows:


    SSID with Bridged to AP LAN <<< this is your normal setup. Instead, set this to "bridge to vlan" and enter vlan ID eg 1

    Under "Advanced", tick "vlan tagging" and put the same vlan ID in eg 1

    Now add your other SSID with "bridge to vlan" and enter Vlan ID eg 20

    The access point will now accept multiple vlans. I couldn't get it to do this before and I'm not sure it will work until I get to work and see if the clients have picked up leases etc.

  • You should not assign VLAN 1 in the UTM.  That is used by Wireless Protection, and is reserved.  Using VLAN 1 causes strange problems.  For example, Problem with the communication between default VLAN and custom VLANs.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • hello there

    I tried this already and it doesn't work.

    I think it's a bug in the UTM software because the manual is clear about how to do it.

    To be honest, I'm disappointed about the support that Sophos (or should I say not) provided. They did follow up 1 time and then somebody replied and said I'm at the wrong portal or something. If any of you know how to get real support, feel free to try and please report back.

    thanks 

    tobi

  • Good spot, Bob. So to get this working as I have above, we can't really have a native VLAN, so if you are going to do SSID to VLANs, every network must be VLAN tagged and you shouldn't use VLAN 1.

  • I've enabled it remotely and could see that clients won't pick up a DHCP lease, so as you say, I suspect it doesn't work. I'll have a little play tomorrow but to be honest, there isn't much you can change from what I've tried.

    We have premium support with Sophos which we've never used to date so that might be a path that I can look at.

  • As a long-time partner, I know that the hardest way to get help is to call Sophos Support.  A little better is entering a support request online.  Best, in my opinion, is to have a knowledgeable reseller that opens tickets for you.  Certified Architects like me have started many cases with Sophos Support, so we know several ways to get things started and how to get things escalated when appropriate.  I never recommend Premium Support to my clients, as they're better off spending much less on me and keeping me in the loop.  If I see a problem I can fix as fast as opening a case, I fix it for them immediately for no extra charge.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA