Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 4 replies
  • Subscribers 39 subscribers
  • Views 1927 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Using a VLAN to control traffic on the LAN

DJ Hay

Hi,

I have an XG 125 firewall running SFOS 17.5.11.

Attached to this on the LAN interface (Port 1) is an unmanaged switch. Connected to the switch are a number of wired devices such as printers, and a number of Ubiquiti Unifi wireless APs. The APs have two different SSIDs. One of the SSIDs is used for restricted access based on time of day. There is a schedule applied so that it can only be accessed at certain times. This is all managed through the Unifi Controller.

I now want to be able to control access between devices connected to the restricted SSID and devices that are connected via ethernet or the unrestricted SSID. 

The only way I can see to make this work is via VLANs and firewall rules to apply the restrictions.

My idea is to add a VLAN for devices on the restricted SSID. The Unifi Controller and APs allow me to add a VLAN tag to individual SSIDs. So I have added the VLAN tag ID of 2 to the restricted SSID.

What I know need to know is how to define the VLAN on the XG.

I have tried to add a VLAN interface on Port 1 in the LAN zone. The Port 1 is currently configured with IP 10.10.0.1/24. With DHCP for part of this range and static assignments for specific devices.

I have tried a couple of ways to add a VLAN on Port 1, with a VLAN ID of 2.

The first way was to add the VLAN with an IP of 10.10.1.1/24, and DHCP for part of this range.

The second way was to extend the IP range of the interface in Port 1 to 10.10.0.1/23 and then add the VLAN with an IP of 10.10.1.1/24.

In both cases, a wireless device can connect to the restricted SSID on a Unifi AP, but then fails to get an IP address.

Any assistance to get this working would help.

Thanks

David



This thread was automatically locked due to age.
Parents
  • 0

    Your first way should work/ is correct.

    Every (VALN-) Interface need his own Subnet.

    Do you configure VLAN at the switch / Ap too? How?

    If you configure the IP manually ... you are able to ping the default gateway (the Sophos XG-Interface)?


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • 0 in reply to dirkkotte

    Hi Dirk

    This has helped me. Thanks.

    I have the VLAN configured the first way again. I have extended the IP range for the main LAN interface on Port 1 to be 10.10.0.1/22. I have added the VLAN interface on Port 1 with VLAN ID of 2 and IP of 10.10.4.1/24. I have DHCP set on this interface as 10.10.4.2 - 10.10.4.254.

    The VLAN is configured on the APs through the Unifi Controller. For the SSID I want as restricted, I set the VLAN tag to be 2.

    I do not have a managed switch, so no tagging possible there. So all wired devices will not be tagged and any wireless devices on the unrestricted SSID will not be tagged. Unless I need to add wired devices to a VLAN, I don't think I need to get a managed switch.

    I have configured the IP manually on a device connected to the restricted SSID, set to 10.10.4.2. From this device I can ping 10.10.4.1. I can also ping 10.10.0.1.

    I have added a firewall rule to allow WAN access for 10.10.4.2 and I can access the internet from the device.

    I have also added a firewall rule to allow 10.10.4.2 to access a specific IP on main LAN (10.10.3.201) and that is working, while all other LAN devices are not visible to 10.10.4.2.

    So I am happy that I have been able to set up restricted access the way I want with firewall rules.

    But what do I need to do to get DHCP working on the VLAN? I do not want to have to manually configure IP addresses for all devices that will connect to the restricted SSID.

    Thanks

    David

  • +1 in reply to DJ Hay

    I solved the problem I was having.

    The device that I was connecting to the VLAN already had a static mapping assigned to its MAC in the DHCP config for the 10.10.0.1/22 interface. So XG was not assigning a dynamic IP when that MAC was connecting to the SSID with the VLAN tag for 10.10.4.1/24 interface.

    If I add a static mapping for the MAC to the 10.10.4.1/24 interface, then the device gets an IP address when connecting to the SSID with the VLAN tag for 10.10.4.1/24 interface.

    Also, if I remove the static mapping for the MAC from both interfaces, then the device gets an appropriate IP when connecting to either SSID.

    So what XG cannot cope with is a MAC address getting an IP via a static mapping when connected to one VLAN, but getting a dynamic IP when connected to another VLAN. Maybe that could be a future enhancement.

    Regards

    David

  • 0 in reply to DJ Hay

    Hi,

    glad you solved this. The feature request you are looking for has been around for some time eg a real DHCP server linked to the DNS.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

Reply
  • 0 in reply to DJ Hay

    Hi,

    glad you solved this. The feature request you are looking for has been around for some time eg a real DHCP server linked to the DNS.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

Children
No Data
Unfiltered HTML