
Need some guidance on wireless setup

Hi all,

I am going to be deploying some AC55Cs and need some guidance on the best method to achieve what I am after.

I have a hub and spoke network with 5 different sites connected via Metro-Ethernet links, and an XG210 at the main site that serves internet for all.  Each site has its own subnet.  Data VLAN is 1.

What I would like to achieve is a "corporate" SSID where the company assets connect (like company laptops, tablets, executives' cell phones, etc.) that can "see" all the resources on the LAN and is also prioritized appropriately, and a "guest" SSID for visitors to the premises and employees' personal phones that is isolated from seeing the company LAN resources and whose traffic is prioritized lower; I don't want guests and low-priority wireless traffic clogging my WAN and internet links.

I had ASSumed that the way to go about this was to create a corporate SSID and bridge that to the AP LAN, and create a "guest" SSID and bridge that to a VLAN I would create especially for guest WiFi traffic so I could limit it via ACLs and de-prioritize the traffic in my routers, but I realized in the course of this that I don't really know how these APs work with the XG and perhaps I should look at creating a separate "Zone" instead of bridging it to a VLAN.

The help guide doesn't really provide any deep conceptual explanations and the KnowledgeBase didn't reveal what I was looking for either.  

If anyone could chime in I'd appreciate it.  Thanks in advance.

  • Hi there!  So yeah, for you I'd say for your WiFi networks:

    Company_WiFi: Bridge to AP LAN

    Guest_WiFi: Separate Zone

    You'll have to create the Zone first in Network\Zones.  You could use the existing WiFi zone for guests, since your Company_WiFi will be in the LAN zone (with the bridge to AP LAN).  You can also assign ports or VLANs on the XG to those zones (in Network\Interfaces).  So you could make the Guest_WiFi its own VLAN AND Zone, connect up some ports on a switch with that specific VLAN, give it its own DHCP service(s), and make the ports in your conference room go to the Guest VLAN + Zone.  Zones let you build better Firewall rules, IMO.  VLANs are still good for extra protection, making it more difficult for systems to hop zones by their IP definition.

    Does this help?
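To make the zone-versus-VLAN point above concrete, here is an added example (not Sophos XG configuration, not the poster's rule base) of a first-match zone-to-zone policy evaluated over a few constructed flows. The subnets (10.1.0.0/16 for data VLAN 1, 10.2.0.0/16 for guest VLAN 2), the zone names and the rules are all assumptions made for the illustration. The last two flows show why the reply says a VLAN still matters: a guest client that gives itself a LAN address is classified as LAN if the zone is inferred from its IP alone, but stays GUEST when the zone is tied to the VLAN the packet arrived on.

```python
"""Zone-based policy check for a corporate vs. guest SSID split.

Added example, not Sophos XG configuration or the poster's rule base: the
subnets, zone names and rules below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed addressing (constructed): data VLAN 1 at every site lives in
# 10.1.0.0/16, the guest VLAN 2 in 10.2.0.0/16.
ZONE_OF_VLAN = {1: "LAN", 2: "GUEST"}        # zone assigned from the ingress VLAN
ZONE_OF_PREFIX = {                            # zone inferred from an address alone
    ip_network("10.1.0.0/16"): "LAN",
    ip_network("10.2.0.0/16"): "GUEST",
}
WAN = "WAN"                                   # anything outside the internal prefixes


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str   # "allow" or "deny"


# Ordered zone-to-zone rule base, first match wins, implicit deny at the end.
RULES = [
    Rule("GUEST", "WAN", "allow"),   # guests: internet only
    Rule("LAN", "WAN", "allow"),
    Rule("LAN", "LAN", "allow"),     # corporate assets reach every site's LAN
    Rule("LAN", "GUEST", "deny"),    # explicit, so a later broad rule cannot open it
]


def zone_by_ip(addr: str) -> str:
    """Classify an address by prefix; anything not internal is WAN."""
    a = ip_address(addr)
    for net, zone in ZONE_OF_PREFIX.items():
        if a in net:
            return zone
    return WAN


def evaluate(src_zone: str, dst_zone: str) -> str:
    """First matching zone pair wins; no match means deny."""
    for r in RULES:
        if r.src_zone == src_zone and r.dst_zone == dst_zone:
            return r.action
    return "deny"


def decide(src_ip: str, dst_ip: str, ingress_vlan: Optional[int] = None) -> str:
    """Decide a flow. With ingress_vlan the source zone comes from the VLAN the
    packet arrived on (a VLAN-backed zone); without it the zone is guessed
    from the source address, which a client can choose for itself."""
    if ingress_vlan is not None:
        src_zone = ZONE_OF_VLAN[ingress_vlan]
    else:
        src_zone = zone_by_ip(src_ip)
    return evaluate(src_zone, zone_by_ip(dst_ip))


if __name__ == "__main__":
    print(decide("10.2.1.50", "10.1.1.10", ingress_vlan=2))       # deny: guest -> file server
    print(decide("10.2.1.50", "203.0.113.10", ingress_vlan=2))    # allow: guest -> internet
    # A guest who statically configures a LAN address on their phone:
    print(decide("10.1.1.200", "10.1.1.10"))                      # allow: IP-only zoning is fooled
    print(decide("10.1.1.200", "10.1.1.10", ingress_vlan=2))      # deny: the VLAN still says GUEST
```

The rule base deliberately has no GUEST-to-LAN entry at all; the flow falls through to the implicit deny, which is the behaviour you want from a separate guest zone. The explicit LAN-to-GUEST deny is there so that a later, broader allow cannot silently open the guest segment to corporate hosts.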

  • This was very helpful and I really appreciate it, thanks.

    If I may ask a follow-up question in regards to using a Zone for the guest APs: the APs will be broadcasting the same SSID (Guest_WiFi for example) in multiple different physical locations on different subnets.  In the Wireless Network setup I see that I have to assign it an IP address and this creates a network interface.  How does this traffic get back to the XG across a routed network; is it tunneled across the network?  If it's not, I'm going to need some way to assign different subnets to the different APs so the traffic gets routed correctly across my network.

  • Bill,

    please provide a network diagram so we can better understand your needs.

    Thanks

  • Hi Luk, yeah, I should have included a diagram.  Here is a crude diagram showing what I've got.  The idea is for each of the sites to have Sophos APs, and within each site, I'd like an SSID that bridges to the AP LAN for "company" traffic and a guest SSID that is on VLAN 2 for guest low-priority traffic and to keep the guest traffic segmented from my company LAN.

  • How are the connections made between branch offices and the HQ?  You may want to investigate using Sophos Cloud control for the WiFi Access Points.  I'd be hard pressed to make this work if the private WAN links shown here aren't managed by Sophos XG firewalls.  It's not designed to be able to manage WiFi access points that aren't local.  It CAN, but the private WAN links need to pass all the appropriate traffic.  Sophos RED devices make that rather simple, but I'm not sure it would be simple here.

    Also, you don't need separate WiFi Access Points for Guests vs Corporate, you just need to define multiple SSIDs per access point.

  • All the sites in question are connected via Metro-Ethernet circuits with Adtran routers at each end.    

    Right, I'm just using a single AP for different SSIDs (SSID for guest, SSID for corp).

  • So looking back at the diagram, you'd need to do some IP scheme changes to make it work, if the Adtran devices are passing the correct traffic (you may need to talk to your provider).  Through your provider, could you make all VLAN 2 networks across all sites use the same subnet, maybe a /23 or /22?

  • Bill,

    thanks for the info. Who is performing the DHCP on remote sites?

    How do you manage the magic IP (1.2.3.4) from the remote site to the UTM?

    Thanks

  • I'm really interested to see how this could work.  In my mind, the easiest path would be the Sophos Cloud controller for WiFi on this one.  That retails for about $100/WAP/yr.

  • Chris,

    this depends on how the remote sites forward the 1.2.3.4 IP to the XG at HQ. Once the AP starts, it grabs an IP address from the DHCP server within its broadcast domain and then tries to reach the XG's 1.2.3.4 IP to register and receive the proper IP. So each AP can bridge to AP LAN or a VLAN if a DHCP server exists at each location or if a layer 3 device sends the 1.2.3.4 traffic to the XG at HQ.

  • Gentlemen, thank you for the additional discussion and sharing your knowledge.  

    The idea is/was to set up a DHCP Relay agent on the Adtrans to relay DHCP requests to a Windows DHCP server.  Having said that, I can also create a DHCP server on the Adtran routers themselves, and it appears I can set different DHCP relay destinations per VLAN, so I could set the DHCP Relay option on the WiFi VLAN to forward to the XG.
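The two conditions the replies above spell out (the AP gets a DHCP lease on the guest VLAN, and whatever it then sends to 1.2.3.4 is routed back to the XG at HQ) can be checked on paper before touching the Adtrans. The following is an added example, not Sophos or Adtran code: it models a hub-and-spoke layout with constructed interface addresses, /30 Metro-E link nets, static routes and a per-VLAN DHCP relay target, and traces where a packet for 1.2.3.4 (the registration address named in the thread) and a relayed DHCP request actually end up. The XG address 10.0.0.1, the Windows DHCP server 10.0.0.10 and all site prefixes are assumptions. Site B is deliberately given only a route to the HQ prefixes and no default route, so its guests get DHCP from the local Adtran but the AP's registration traffic is black-holed, which is the failure mode the question about the "magic IP" is getting at.

```python
"""Does a Sophos AP on a remote site's guest VLAN get DHCP and reach the
registration address 1.2.3.4 at the HQ XG?

Added example, not Sophos or Adtran code: the addressing, link nets and
static routes are constructed. The 1.2.3.4 discovery address is the one the
thread refers to; the AP is modelled only as "send a packet to 1.2.3.4 and
rely on routing to deliver it to the XG".
"""
from ipaddress import ip_address, ip_interface, ip_network
from typing import Dict, List, Optional

XG_IP = "10.0.0.1"            # assumed: XG LAN address at HQ, terminates 1.2.3.4
AP_DISCOVERY_IP = "1.2.3.4"   # address a new AP contacts to register with the XG
DHCP_IP = "10.0.0.10"         # assumed: Windows DHCP server at HQ
GUEST_VLAN = 2

# Constructed hub-and-spoke model. "addrs" are the router's interface
# addresses, "routes" its static routes (prefix -> next hop), "relay" the DHCP
# relay target per VLAN (None = the router serves DHCP itself).
ROUTERS: Dict[str, dict] = {
    "HQ": {
        "addrs": ["10.0.0.254/24", "10.0.2.254/24", "172.16.1.1/30", "172.16.2.1/30"],
        "routes": {"10.10.0.0/16": "172.16.1.2", "10.20.0.0/16": "172.16.2.2",
                   "0.0.0.0/0": XG_IP},
        "relay": {GUEST_VLAN: DHCP_IP},
    },
    "SiteA": {
        "addrs": ["10.10.1.1/24", "10.10.2.1/24", "172.16.1.2/30"],
        "routes": {"0.0.0.0/0": "172.16.1.1"},
        "relay": {GUEST_VLAN: XG_IP},     # guest VLAN relays DHCP to the XG
    },
    "SiteB": {
        "addrs": ["10.20.1.1/24", "10.20.2.1/24", "172.16.2.2/30"],
        "routes": {"10.0.0.0/16": "172.16.2.1"},   # only HQ prefixes, no default route
        "relay": {GUEST_VLAN: None},      # local DHCP on the Adtran
    },
}


def _next_hop(router: str, dst: str) -> Optional[str]:
    """Longest-prefix match over the router's static routes."""
    d = ip_address(dst)
    best = None
    for prefix, nh in ROUTERS[router]["routes"].items():
        net = ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def _owner(addr: str) -> Optional[str]:
    """Which router holds this interface address (identifies the next-hop device)."""
    for name, r in ROUTERS.items():
        if any(ip_interface(a).ip == ip_address(addr) for a in r["addrs"]):
            return name
    return None


def trace(start: str, dst: str, max_hops: int = 8) -> List[str]:
    """Follow static routes from `start` toward dst. The last element says how
    the packet ends: 'XG' (handed to the firewall), 'connected@<router>'
    (destination on an attached subnet), 'BLACKHOLE' or 'LOOP'."""
    path, router, d = [start], start, ip_address(dst)
    for _ in range(max_hops):
        if any(d in ip_interface(a).network for a in ROUTERS[router]["addrs"]):
            return path + [f"connected@{router}"]
        nh = _next_hop(router, dst)
        if nh == XG_IP:
            return path + ["XG"]
        nxt = _owner(nh) if nh else None
        if nxt is None:
            return path + ["BLACKHOLE"]
        if nxt in path:
            return path + ["LOOP"]
        path.append(nxt)
        router = nxt
    return path + ["LOOP"]


def _delivered(path: List[str]) -> bool:
    return path[-1] not in ("BLACKHOLE", "LOOP")


def check_guest_vlan(site: str) -> dict:
    """The two things an AP on the guest VLAN needs: a DHCP answer and a path to 1.2.3.4."""
    relay = ROUTERS[site]["relay"].get(GUEST_VLAN)
    discovery = trace(site, AP_DISCOVERY_IP)
    return {
        "dhcp_ok": relay is None or _delivered(trace(site, relay)),
        "discovery_ok": _delivered(discovery),
        "discovery_path": discovery,
    }


if __name__ == "__main__":
    for site in ROUTERS:
        print(site, check_guest_vlan(site))
```

Routing is only half of it: as the earlier reply notes, the private WAN links and the XG's own firewall rules also have to pass the AP's traffic, which this trace does not model. A site that shows `discovery_ok` here but whose APs still never appear on the XG is the cue to look at the Adtran ACLs and the XG rules for the VLAN 2 interface rather than at the routing table.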