
AP55Cs + SG135, need a guest SSID that can access ONE specific LAN resource, cannot fathom how!

I have a pair of AP55Cs controlled by an SG135 in a branch office. All works well, guest network for phones on different dhcp range configured by wizard, plus a 'staff' SSID with bridged access to LAN resources - DHCP for the lan happens to also run on the firewall as there are no servers there (branch office).

I now have a requirement for guests to be able to access one PC. It is one running an AppleTV/screencast/projector server software and is hooked to a giant TV. That software must initially announce itself to clients by broadcasting on its subnet, so I need a new wifi for guests that can be on the same LAN network as that PC, be able to talk to said PC (on a fixed IP), but not get to anything else.

If I had old-fashioned access points and SSIDs separating things with VLANs and separate DHCP servers, I'd happily set up firewall rules on the routing device between the networks to allow things from the relevant range for guest2<->SpecificPC_IP. But I can't quite work out how to do it with the SG135 + AP55Cs; hopefully I just don't quite get how the WLAN 'interface' really works or am missing a trick somewhere.

If I create a new DHCP range for the WLAN interface, it will only allow it to be on the same subnet as is defined on the interface, and is hence different to the LAN - so the broadcasts won't get to clients. If I set up the SSID to be 'bridged to LAN' and hence let it have an IP on the LAN, I could get the traffic working, but that network would also be able to reach EVERYTHING on the LAN, as the wifi clients would get unknown IPs on the LAN segment and so I couldn't build a rule to shape their traffic.

Thanks!!



  • Hi, Danny, and welcome to the UTM Community!

    Think of the wlan# objects as NICs, and this may become simple for you...

    Have you tried a simple firewall rule with your existing guest WLAN?

    Guest (Network) -> {Any or a Service Group?} ->SpecificPC_IP : Allow

    If that doesn't work, try adding a similar rule in the other direction, switching the Guest subnet to one that neighbors the one in which the Apple TV lives and hard-coding the subnet mask in the TV to one that includes both subnets (might work, but I'm not familiar with the Apple TV).

    A firewall rule won't work for a broadcast to a separate subnet though. If you put a new Guest2 WLAN in place bridged to the interface connected to the SpecificPC_IP, no firewall rule should be necessary.

    If these suggestions don't get you where you want to go, please provide more detail about the TV's "broadcast" requirement. Then again, these firewall/router questions may be better asked of the entity that supplied the TV.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
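The two options discussed in this thread (a routed guest WLAN with Bob's allow rule versus a WLAN bridged onto the LAN) can be modelled as a small packet-decision function. This is an added illustration, not code from the thread or from Sophos; the guest subnet, LAN subnet and "SpecificPC_IP" are constructed addresses, and the routed model assumes UTM's default drop after the explicit rules.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the branch office (assumptions, not from the thread).
GUEST_NET = ipaddress.ip_network("10.10.20.0/24")    # routed guest WLAN (wlan1)
LAN_NET = ipaddress.ip_network("192.168.1.0/24")     # staff LAN, DHCP on the firewall
CAST_PC = ipaddress.ip_address("192.168.1.50")       # stands in for SpecificPC_IP
LIMITED_BCAST = ipaddress.ip_address("255.255.255.255")


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str  # "allow" or "deny"


# Bob's suggestion: Guest (Network) -> Any -> SpecificPC_IP : Allow,
# followed by the implicit drop for everything else.
RULES = [
    Rule(GUEST_NET, ipaddress.ip_network(f"{CAST_PC}/32"), "allow"),
    Rule(ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("0.0.0.0/0"), "deny"),
]


def is_broadcast(dst: ipaddress.IPv4Address) -> bool:
    """True for the limited broadcast or either subnet's directed broadcast."""
    return dst in (LIMITED_BCAST, GUEST_NET.broadcast_address, LAN_NET.broadcast_address)


def routed_decision(src: str, dst: str, rules=RULES) -> str:
    """What a routed firewall does with a packet from the guest WLAN.
    Broadcasts are never forwarded between subnets, whatever the rule base
    says, which is why the cast PC's announcement cannot cross a routed hop."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if is_broadcast(d):
        return "not-routed"
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action
    return "deny"


def bridged_decision(src: str, dst: str) -> str:
    """A WLAN bridged to LAN is the same L2 segment: broadcasts arrive,
    but so does everything else, and the firewall is not in the path."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return "allow" if (s in LAN_NET and (d in LAN_NET or is_broadcast(d))) else "deny"
```

Run both functions against a guest client, the cast PC, another LAN host and the LAN broadcast address to see the trade-off the original poster describes: the routed model isolates the guest but never delivers the broadcast, the bridged model delivers it but isolates nothing.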
  • Since you need broadcast traffic you are right that you need to be in the same physical subnet as your cast device. However, if this is the same subnet where your local PCs also reside (and need to be in), then I think this is not manageable from within UTM.

    I think you could do something with e.g. a Cisco switch as your LAN switch and then configure Access Lists on the Cisco switch to allow clients to only access this device.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.