I have an XG 125 firewall running SFOS 17.5.11.
Attached to this on the LAN interface (Port 1) is an unmanaged switch. Connected to the switch are a number of wired devices such as printers, and a number of Ubiquiti Unifi wireless APs. The APs have two different SSIDs. One of the SSIDs is used for restricted access based on time of day. There is a schedule applied so that it can only be accessed at certain times. This is all managed through the Unifi Controller.
I now want to be able to control access between devices connected to the restricted SSID and devices that are connected via ethernet or the unrestricted SSID.
The only way I can see to make this work is via VLANs and firewall rules to apply the restrictions.
My idea is to add a VLAN for devices on the restricted SSID. The Unifi Controller and APs allow me to add a VLAN tag to individual SSIDs. So I have added the VLAN tag ID of 2 to the restricted SSID.
What I now need to know is how to define the VLAN on the XG.
I have tried to add a VLAN interface on Port 1 in the LAN zone. Port 1 is currently configured with IP 10.10.0.1/24, with DHCP for part of this range and static assignments for specific devices.
I have tried a couple of ways to add a VLAN on Port 1, with a VLAN ID of 2.
The first way was to add the VLAN with an IP of 10.10.1.1/24, and DHCP for part of this range.
The second way was to extend the IP range of the interface in Port 1 to 10.10.0.1/23 and then add the VLAN with an IP of 10.10.1.1/24.
In both cases, a wireless device can connect to the restricted SSID on a Unifi AP, but then fails to get an IP address.
Any assistance to get this working would help.
Your first way should work / is correct.
Every (VLAN) interface needs its own subnet.
Did you configure the VLAN at the switch / AP too? How?
If you configure the IP manually... are you able to ping the default gateway (the Sophos XG interface)?
This has helped me. Thanks.
I have the VLAN configured the first way again. I have extended the IP range for the main LAN interface on Port 1 to be 10.10.0.1/22. I have added the VLAN interface on Port 1 with VLAN ID of 2 and IP of 10.10.4.1/24. I have DHCP set on this interface as 10.10.4.2 - 10.10.4.254.
The VLAN is configured on the APs through the Unifi Controller. For the SSID I want as restricted, I set the VLAN tag to be 2.
I do not have a managed switch, so no tagging possible there. So all wired devices will not be tagged and any wireless devices on the unrestricted SSID will not be tagged. Unless I need to add wired devices to a VLAN, I don't think I need to get a managed switch.
I have configured the IP manually on a device connected to the restricted SSID, set to 10.10.4.2. From this device I can ping 10.10.4.1. I can also ping 10.10.0.1.
I have added a firewall rule to allow WAN access for 10.10.4.2 and I can access the internet from the device.
I have also added a firewall rule to allow 10.10.4.2 to access a specific IP on main LAN (10.10.3.201) and that is working, while all other LAN devices are not visible to 10.10.4.2.
So I am happy that I have been able to set up restricted access the way I want with firewall rules.
But what do I need to do to get DHCP working on the VLAN? I do not want to have to manually configure IP addresses for all devices that will connect to the restricted SSID.
I solved the problem I was having.
The device that I was connecting to the VLAN already had a static mapping assigned to its MAC in the DHCP config for the 10.10.0.1/22 interface. So XG was not assigning a dynamic IP when that MAC was connecting to the SSID with the VLAN tag for 10.10.4.1/24 interface.
If I add a static mapping for the MAC to the 10.10.4.1/24 interface, then the device gets an IP address when connecting to the SSID with the VLAN tag for 10.10.4.1/24 interface.
Also, if I remove the static mapping for the MAC from both interfaces, then the device gets an appropriate IP when connecting to either SSID.
So what XG cannot cope with is a MAC address getting an IP via a static mapping when connected to one VLAN, but getting a dynamic IP when connected to another VLAN. Maybe that could be a future enhancement.
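A small config check, added here as an example and not taken from the thread or from SFOS, that covers the two things that bit me: the second attempt (Port 1 widened to /23 with the VLAN at 10.10.1.1/24) overlaps, and a MAC with a static DHCP mapping on only one of the two scopes is exactly the device that got no lease on the VLAN. The interface names, the mapping table and the MAC addresses are constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# Constructed model of the layouts discussed in the thread.
ATTEMPT_TWO = {"Port1": "10.10.0.1/23", "Port1.2": "10.10.1.1/24"}  # overlapping
FINAL = {"Port1": "10.10.0.1/22", "Port1.2": "10.10.4.1/24"}        # working layout

# Constructed static DHCP mappings per scope; MACs are placeholders.
# The first MAC is pinned only on the Port1 scope, the condition that left
# the restricted-SSID device without a dynamic lease on VLAN 2.
STATIC_MAPPINGS = {
    "Port1": {"aa:bb:cc:00:00:01": "10.10.0.50", "aa:bb:cc:00:00:02": "10.10.3.201"},
    "Port1.2": {},
}


def overlapping_interfaces(interfaces):
    """Return pairs of interface names whose configured subnets overlap."""
    nets = {name: ipaddress.ip_interface(cidr).network for name, cidr in interfaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def macs_pinned_to_some_scopes(mappings):
    """Return MACs that have a static mapping on some DHCP scopes but not all of them.

    Such a MAC gets its pinned address on one interface but, as observed on the
    XG, no dynamic lease when the same device attaches on the other VLAN.
    """
    all_scopes = set(mappings)
    seen = defaultdict(set)
    for scope, entries in mappings.items():
        for mac in entries:
            seen[mac.lower()].add(scope)
    return sorted(mac for mac, scopes in seen.items() if scopes != all_scopes)


def audit(interfaces, mappings):
    """Collect human-readable findings for one interface/DHCP layout."""
    findings = [f"subnet overlap: {a} {interfaces[a]} vs {b} {interfaces[b]}"
                for a, b in overlapping_interfaces(interfaces)]
    findings += [f"static mapping on only some scopes: {mac}"
                 for mac in macs_pinned_to_some_scopes(mappings)]
    return findings


if __name__ == "__main__":
    for label, ifaces in (("attempt two", ATTEMPT_TWO), ("final", FINAL)):
        print(label, audit(ifaces, STATIC_MAPPINGS) or ["ok"])
```

Adding the same MAC to the VLAN scope (or removing it from both) clears the second finding, which matches the fix above.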
Glad you solved this. The feature request you are looking for has been around for some time, e.g. a real DHCP server linked to the DNS.