
Using a VLAN to control traffic on the LAN


I have an XG 125 firewall running SFOS 17.5.11.

Attached to this on the LAN interface (Port 1) is an unmanaged switch. Connected to the switch are a number of wired devices such as printers, and a number of Ubiquiti Unifi wireless APs. The APs have two different SSIDs. One of the SSIDs is used for restricted access based on time of day. There is a schedule applied so that it can only be accessed at certain times. This is all managed through the Unifi Controller.

I now want to be able to control access between devices connected to the restricted SSID and devices that are connected via ethernet or the unrestricted SSID. 

The only way I can see to make this work is via VLANs and firewall rules to apply the restrictions.

My idea is to add a VLAN for devices on the restricted SSID. The Unifi Controller and APs allow me to add a VLAN tag to individual SSIDs. So I have added the VLAN tag ID of 2 to the restricted SSID.

What I now need to know is how to define the VLAN on the XG.

I have tried to add a VLAN interface on Port 1 in the LAN zone. The Port 1 is currently configured with IP With DHCP for part of this range and static assignments for specific devices.

I have tried a couple of ways to add a VLAN on Port 1, with a VLAN ID of 2.

The first way was to add the VLAN with an IP of, and DHCP for part of this range.

The second way was to extend the IP range of the interface in Port 1 to and then add the VLAN with an IP of

In both cases, a wireless device can connect to the restricted SSID on a Unifi AP, but then fails to get an IP address.

Any assistance to get this working would help.



  • Your first way should work / is correct.

    Every (VLAN) interface needs its own subnet.

    Do you configure VLAN at the switch / Ap too? How?

    If you configure the IP manually ... are you able to ping the default gateway (the Sophos XG interface)?


  • Hi Dirk

    This has helped me. Thanks.

    I have the VLAN configured the first way again. I have extended the IP range for the main LAN interface on Port 1 to be I have added the VLAN interface on Port 1 with VLAN ID of 2 and IP of I have DHCP set on this interface as -

    The VLAN is configured on the APs through the Unifi Controller. For the SSID I want as restricted, I set the VLAN tag to be 2.

    I do not have a managed switch, so no tagging possible there. So all wired devices will not be tagged and any wireless devices on the unrestricted SSID will not be tagged. Unless I need to add wired devices to a VLAN, I don't think I need to get a managed switch.

    I have configured the IP manually on a device connected to the restricted SSID, set to From this device I can ping I can also ping

    I have added a firewall rule to allow WAN access for and I can access the internet from the device.

    I have also added a firewall rule to allow to access a specific IP on main LAN ( and that is working, while all other LAN devices are not visible to

    So I am happy that I have been able to set up restricted access the way I want with firewall rules.

    But what do I need to do to get DHCP working on the VLAN? I do not want to have to manually configure IP addresses for all devices that will connect to the restricted SSID.



  • I solved the problem I was having.

    The device that I was connecting to the VLAN already had a static mapping assigned to its MAC in the DHCP config for the interface. So XG was not assigning a dynamic IP when that MAC was connecting to the SSID with the VLAN tag for interface.

    If I add a static mapping for the MAC to the interface, then the device gets an IP address when connecting to the SSID with the VLAN tag for interface.

    Also, if I remove the static mapping for the MAC from both interfaces, then the device gets an appropriate IP when connecting to either SSID.

    So what XG cannot cope with is a MAC address getting an IP via a static mapping when connected to one VLAN, but getting a dynamic IP when connected to another VLAN. Maybe that could be a future enhancement.
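
    A small Python model, added here and not taken from the thread or from Sophos, that encodes the two things the replies above establish: Dirk's point that every VLAN interface needs its own non-overlapping subnet (the original poster's "second way", where the VLAN subnet sat inside the extended Port 1 range, fails that check), and the poster's finding that a static MAC-to-IP mapping is bound to one interface, so a client whose MAC is mapped on Port 1 gets no dynamic lease on the VLAN 2 interface unless a mapping exists there as well, or on neither. The interface names, MAC and subnets are constructed sample values, and the lease-refusal rule is a model of the behaviour as the poster described it, not XG's actual DHCP implementation.

```python
"""Model of per-VLAN DHCP scopes on a firewall (illustration only, not Sophos XG code).
All interface names, subnets and MAC addresses below are constructed sample values."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass
class Scope:
    """One DHCP scope bound to one interface: the untagged port or a VLAN sub-interface."""
    name: str
    vlan_id: Optional[int]                 # None for the untagged interface
    subnet: ipaddress.IPv4Network
    pool: Tuple[IPv4, IPv4]                # inclusive dynamic range
    static: Dict[str, IPv4] = field(default_factory=dict)   # MAC -> reserved address
    leases: Dict[str, IPv4] = field(default_factory=dict)   # MAC -> dynamic address


def check_no_overlap(scopes: List[Scope]) -> List[Tuple[str, str]]:
    """Return the pairs of interface names whose subnets overlap (empty list = OK)."""
    bad = []
    for i, a in enumerate(scopes):
        for b in scopes[i + 1:]:
            if a.subnet.overlaps(b.subnet):
                bad.append((a.name, b.name))
    return bad


def assign(scope: Scope, mac: str, all_scopes: List[Scope]) -> Optional[IPv4]:
    """Hand out an address for `mac` on `scope`; None means the client gets no lease.
    The 'static mapping elsewhere blocks a dynamic lease here' rule is the behaviour the
    poster observed, modelled here as an assumption about the firewall."""
    if mac in scope.static:
        return scope.static[mac]                      # reservation on this interface wins
    if any(mac in other.static for other in all_scopes if other is not scope):
        return None                                   # reserved on another interface: refused
    if mac in scope.leases:
        return scope.leases[mac]                      # existing dynamic lease is renewed
    lo, hi = scope.pool
    taken = set(scope.leases.values()) | set(scope.static.values())
    for n in range(int(lo), int(hi) + 1):
        candidate = IPv4(n)
        if candidate not in taken:
            scope.leases[mac] = candidate
            return candidate
    return None                                       # pool exhausted


def build_scopes() -> Tuple[Scope, Scope]:
    """Constructed layout: untagged Port1 with one reservation, VLAN 2 on Port1 without."""
    lan = Scope("Port1", None, ipaddress.IPv4Network("192.168.1.0/24"),
                (IPv4("192.168.1.100"), IPv4("192.168.1.199")),
                static={"aa:bb:cc:dd:ee:01": IPv4("192.168.1.50")})
    vlan2 = Scope("Port1.2", 2, ipaddress.IPv4Network("192.168.2.0/24"),
                  (IPv4("192.168.2.100"), IPv4("192.168.2.199")))
    return lan, vlan2


def second_attempt_overlap() -> List[Tuple[str, str]]:
    """The 'second way' from the thread: VLAN subnet carved out of the extended LAN range."""
    lan = Scope("Port1", None, ipaddress.IPv4Network("192.168.0.0/23"),
                (IPv4("192.168.0.100"), IPv4("192.168.0.199")))
    vlan2 = Scope("Port1.2", 2, ipaddress.IPv4Network("192.168.1.0/24"),
                  (IPv4("192.168.1.100"), IPv4("192.168.1.199")))
    return check_no_overlap([lan, vlan2])


def walk_through():
    """Replay the poster's three observations; returns the four lease results in order."""
    lan, vlan2 = build_scopes()
    both = [lan, vlan2]
    mac = "aa:bb:cc:dd:ee:01"
    step1 = assign(vlan2, mac, both)                  # reserved on Port1 only -> no lease
    vlan2.static[mac] = IPv4("192.168.2.50")
    step2 = assign(vlan2, mac, both)                  # reserved on both -> VLAN reservation
    del lan.static[mac]
    del vlan2.static[mac]
    step3 = assign(vlan2, mac, both)                  # reserved nowhere -> first pool address
    step4 = assign(lan, mac, both)                    # same MAC on the untagged side also works
    return step1, step2, step3, step4


if __name__ == "__main__":
    print("overlap in first layout:", check_no_overlap(list(build_scopes())))
    print("overlap in second attempt:", second_attempt_overlap())
    print("lease results:", walk_through())
```

    Running it prints an empty overlap list for the first layout, the pair ("Port1", "Port1.2") for the second attempt, and the sequence (None, 192.168.2.50, 192.168.2.100, 192.168.1.100) for the lease walk-through, which is the order of events the poster reported.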



  • Hi,

    Glad you solved this. The feature request you are looking for has been around for some time, e.g. a real DHCP server linked to the DNS.


    V18.0.x - e3-1225v5 6gb ram on 4 port MB with AP55/c - 20w. 
    If a post solves your question use the 'This helped me' link.