
AP55Cs + SG135, need a guest SSID that can access ONE specific LAN resource, cannot fathom how!

I have a pair of AP55Cs controlled by an SG135 in a branch office. All works well, guest network for phones on different dhcp range configured by wizard, plus a 'staff' SSID with bridged access to LAN resources - DHCP for the lan happens to also run on the firewall as there are no servers there (branch office).

I now have a requirement for guests to be able to access one PC. It is one running an appleTV/screenCast/project server software and is hooked to a giant TV. That software must initially announce itself to clients by broadcasting on its subnet, so I need a new wifi for guests that can be on same LAN network as that PC, be able to talk to said PC (on fixed IP), but not get to anything else.

If I had old fashioned access points and SSID separating things with vlans and separate dhcp servers I'd happily set up firewall rules on the routing device between the networks to allow things from the relevant range for the guest2<->SpecificPC_IP. But I can't quite work out how to do it with the SG135 + AP55Cs, hopefully I just don't quite get how the WLAN 'interface' really works or am missing a trick somewhere.

If I create a new dhcp range for the WLAN interface, it will only allow it to be on the same subnet as is defined on the interface, and is hence different to the LAN - so the broadcasts won't get to clients. If I set up the SSID to be 'bridged to LAN' and hence let it have an IP on the LAN, I could get the traffic working, but that network would also be able to reach EVERYTHING on the LAN as the wifi clients would get unknown IPs on the LAN segment and so I couldn't build a rule to shape their traffic.

Thanks!!

  • Hi, Danny, and welcome to the UTM Community!

    Think of the wlan# objects as NICs, and this may become simple for you...

    Have you tried a simple firewall rule with your existing guest WLAN?

    Guest (Network) -> {Any or a Service Group?} -> SpecificPC_IP : Allow

    If that doesn't work, try adding a similar rule in the other direction, switching the Guest subnet to one that neighbors the one in which the Apple TV lives and hard-coding the subnet mask in the TV to one that includes both subnets (might work, but I'm not familiar with the Apple TV).

    A firewall rule won't work for a broadcast to a separate subnet though.  If you put a new Guest2 WLAN in place bridged to the interface connected to the SpecificPC_IP, no firewall rule should be necessary.

    If these suggestions don't get you where you want to go, please provide more detail about the TV's "broadcast" requirement.  Then again, these firewall/router questions may be better asked of the entity that supplied the TV.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
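As an added example (not from the thread and not Sophos tooling; the UTM is configured through its web UI), here is a small Python model of the rule logic Bob describes: first match wins with an implicit final deny, so a single allow to the one PC confines guests, a broad Internet allow placed above the LAN drop silently opens the whole LAN, and the PC's broadcast announcement still cannot cross the subnet boundary. The addresses are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing; these values are assumptions, not from the thread.
GUEST_NET = ip_network("10.10.20.0/24")      # guest WLAN subnet (separate DHCP range)
LAN_NET = ip_network("192.168.1.0/24")       # office LAN where the screen-cast PC lives
SPECIFIC_PC = ip_network("192.168.1.50/32")  # the one PC guests may reach (fixed IP)
ANY = ip_network("0.0.0.0/0")

# Rule table in evaluation order: (source network, destination network, action).
# Mirrors "Guest (Network) -> Any -> SpecificPC_IP : Allow", followed by an
# explicit drop for the rest of the LAN and the usual Internet allow for guests.
RULES_OK = [
    (GUEST_NET, SPECIFIC_PC, "allow"),
    (GUEST_NET, LAN_NET, "drop"),
    (GUEST_NET, ANY, "allow"),
]
# Same three rules, wrong order: the broad Internet allow now matches LAN traffic first.
RULES_WRONG_ORDER = [RULES_OK[2], RULES_OK[0], RULES_OK[1]]


def decide(src, dst, rules):
    """First matching rule wins; no match means the firewall's implicit deny."""
    src, dst = ip_address(src), ip_address(dst)
    for src_net, dst_net, action in rules:
        if src in src_net and dst in dst_net:
            return action
    return "drop"


def lan_hosts_reachable(rules, src="10.10.20.15"):
    """Which LAN addresses a guest client can reach under the given rule order."""
    return sorted(str(h) for h in LAN_NET.hosts() if decide(src, h, rules) == "allow")


def broadcast_reaches_client(client_ip):
    """A subnet broadcast stays on the sender's L2 segment; the firewall does not
    route it, so the PC's announcement reaches a client only if the client sits
    in the LAN subnet. This is the part no unicast firewall rule can fix."""
    return ip_address(client_ip) in LAN_NET
```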