
How to configure printing from WLAN to LAN connected network printers?

I have to be honest and state that the Sophos UTM OS is much more intuitive than SFOS. I can't think of a single configuration that's easier to set up on SFOS vs UTM.

Anyways, I have the built-in Wifi AP on a XG125w configured as follows:

  • Using default "Sophos" wireless network, which is configured for the "LAN" zone by default
  • "Bridge to AP LAN" mode
  • Client isolation is disabled
  • Wireless protection is enabled in the wireless global settings
  • Allowed zone is set to LAN and WiFi in the wireless global settings

I also have a LAN to LAN firewall rule configured, to allow connections between any source and any destination for any service. Since the global wireless settings "allowed zone" includes the LAN zone, I presume this should be enough to allow a Wifi client on the 10.0.6.0/24 subnet to access an IP printer on the LAN (192.168.0.0/24). My understanding with the SFOS 17.0.5 MR-5 firmware is that I don't need to manually bridge the Wifi interface to the LAN. I did notice that under the AP settings -> Advanced section there is a slider labeled "Bridge to Ethernet" but presumably this isn't needed for "Bridge to AP LAN" mode? Documentation is unclear.

Unfortunately, I'm doing this configuration remotely so I'm not able to directly test connectivity from the Wifi network to the printers.

Have I overlooked anything to get this to work? Is it necessary to set up static routing between the 10.0.6.0/24 and 192.168.0.0/24 subnets?



  • alozzy,

    First of all, Bridge to AP LAN depends on the firmware version:

    https://community.sophos.com/kb/en-us/122789

    Then, why do you have different IPs on the same physical wire?

    This is not correct at all. Make sure to create a proper zone or VLAN, or assign a different physical port.

    Regards

  • Thanks for replying Luk!

    I have firmware vSFOS 17.0.5 MR-5 and I did see those instructions previously. My settings match those under the heading "Firmware version 16.05.7 MR7 onward".

    The internal AP's interface IP is 10.0.6.1/24 - that must be a default setting from when the firewall was first configured via the deployment wizard (original firmware, older than 16.05.6 MR6), as I did not configure that IP manually.

    I think you are saying that the AP IP address needs to be on the 192.168.0.0/24 subnet, correct? If I change the AP's IP to 192.168.0.254 (or whatever), will the existing DHCP scope (associated with the 192.168.0.0/24 subnet) automatically start handing out leases to Wifi clients?

    Ideally, for security reasons, I don't want the Wifi clients on the same subnet as the LAN, I'd prefer to have a separate subnet and only allow printing traffic to the LAN from the WLAN. So, I think I want to use the "Separate Zone" option for client traffic. However, it's not clear to me how I would then allow printing traffic between the new Wifi zone (apparently a virtual interface gets created automatically) and the LAN.

    This, from the admin guide:

    "Next Steps for Separate Zone Networks:

    This page describes how to configure a separate zone network. When you add a wireless network with the option Separate Zone, a new corresponding virtual hardware interface will be added automatically, e.g., wlnet1.

    To be able to use the wireless network, some further manual configuration steps are required.

    1. Enable DHCP for the wireless clients. For your clients to be able to connect to Sophos XG Firewall, they need to be assigned an IP address and a default gateway. Therefore, on the Protect > Network > DHCP page, set up a DHCP server for the interface

    2. Create a network policy on the Policies page to provide Internet access to the wireless clients. You can now assign the wireless network to the AP at Protect > Wireless > Access Points"

    With respect to the "Bridge to VLAN" client traffic option, apparently that's not possible for internal APs, only for external ones. Here's the relevant excerpt from the admin guide:

    "Bridge to VLAN (not available for local WiFi devices)" (page 407 of admin guide).

  • alozzy,

    You should use the Separate network option. XG will create the proper interface, and then you need to create a firewall rule from the Wi-Fi zone to LAN and allow the needed traffic.

    http://docs.sophos.com/nsg/sophos-firewall/v16055/Help/en-us/webhelp/onlinehelp/index.html#page/onlinehelp/WPNetworkManageSeparateZone.html

    Also, I advise you to update to MR5.

    Regards

  • As mentioned before, I'm already running SFOS 17.0.5 MR-5

    I'll give the "Separate Network" option a go, thanks for your help!
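
The thread ends with a separate WiFi zone and a WiFi-to-LAN rule that should pass only printing traffic. The following is an added example, not part of the original posts or any Sophos tooling: a check to run from a WiFi client that confirms the rule is that narrow. The printer address and both port lists are assumptions.

```python
import socket

# Assumed values, not from the thread: adjust to the real printer and policy.
PRINTER = "192.168.0.50"  # hypothetical printer on the 192.168.0.0/24 LAN
PRINT_PORTS = {9100: "RAW/JetDirect", 631: "IPP", 515: "LPD"}
# Services printers commonly expose that the WiFi zone should NOT reach.
DENIED_PORTS = {80: "HTTP admin", 443: "HTTPS admin", 23: "Telnet"}


def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(printer=PRINTER, probe=tcp_open):
    """Compare what the WiFi client can reach with the intended policy.

    Returns a list of (port, service, problem) tuples; an empty list means
    printing works and none of the denied services crossed the zone boundary.
    """
    findings = []
    if not any(probe(printer, port) for port in PRINT_PORTS):
        findings.append((None, "printing", "no print port reachable"))
    for port, name in DENIED_PORTS.items():
        if probe(printer, port):
            findings.append((port, name, "allowed but should be dropped"))
    return findings


if __name__ == "__main__":
    problems = audit()
    for port, name, problem in problems:
        print(f"FAIL {name} ({port}): {problem}")
    print("policy OK" if not problems else f"{len(problems)} finding(s)")
```

A blocked result only proves the firewall rule if the printer actually listens on that port, so confirm the same ports answer from a wired LAN host first.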