
Unifi AP & Switch, VLAN Guest Network

Hi All,

I am fairly new to the world of "Sophos". I need some help in setting up a guest WLAN on a VLAN through my Sophos XG 330. I have several UniFi switches deployed, and connected to them are UniFi access points. (I do not have a UniFi USG.) I successfully set up a VLAN network on the UniFi controller with VLAN tag 2, then I selected only my "guest network" WLAN on my access point to be overridden by that same VLAN tag, and then set up a VLAN on the Sophos XG with VLAN 2 linked to the same physical LAN port of my network. Then I started a DHCP server for that VLAN on the Sophos XG and voilà! Or so I thought.


Everything works... kinda... I connect to my guest network with my cellphone and I get an IP address from the DHCP server with the correct range and default router (gateway). However, I do not have internet access at all, and my phone, which usually would say when an access point does not have internet access, does not say that at all. But again, I still have no internet access.

Please let me know what step I missed. Do I need a separate firewall rule?

Also, by default UniFi switch ports are already trunked.

Let me know if you need more information.


Thank You.



  • What zone is your guest wifi located in? Do you have a rule for your zone and network (with a NAT) to go out to the Internet?


    Hope this helps

    -Ron

  • Hi,


    It's on my LAN zone. How would I make a new rule with the XG firewall?

  • Can you please post your firewall rule(s) showing your guest network?


    Pictures are worth a thousand words.  :)

    -Ron

  • Hi,


    As I said above, I do not have a firewall rule for the guest network per se. When I click on "Firewall" and then "Add user/network rule", I would assume I just make a rule to forward all VLAN traffic to the WAN port, but there is no option to select my VLAN as the source zone.

  • Also, why would I need to create a new rule when the VLAN port was created on my LAN port, which already has a rule from LAN to WAN? When I go into that rule it says LAN with members Port 1 & Port 1.2 (the VLAN), so why isn't the traffic going out to WAN (internet)?

  • If I am reading this correctly you have something like this for a User/Network rule:


    Source ZONE: LAN   Source Networks: ANY   Destination ZONE: WAN   Destination Networks: ANY   Services: Any   (Under Advanced you should have "Rewrite source address (Masquerading)" checked.)


    If you do, try doing the following:

    • Change Source Network to the subnet you have on Port1.
    • Duplicate the rule from previous step.
    • Change Source Network to the subnet you have on Port1.2


    Hope this helps.

    -Ron
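
To see how the rule Ron describes applies to the guest VLAN, here is an added Python sketch (not from the thread or from Sophos) of a first-match rule lookup. It assumes the two interfaces Port1 and Port1.2 both sit in the LAN zone; the subnets, the rule names and the rule table are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed interface table: both ports are members of the LAN zone,
# as the thread describes. Subnets are assumed for the example.
INTERFACES = {
    "Port1": {"zone": "LAN", "subnet": "192.168.1.0/24"},
    "Port1.2": {"zone": "LAN", "subnet": "192.168.2.0/24"},  # VLAN 2, guest WLAN
}

# Constructed rule table mirroring the single User/Network rule Ron lists:
# source zone LAN, source networks ANY, destination zone WAN, masquerading on.
RULES = [
    {"name": "LAN to WAN", "src_zone": "LAN", "src_nets": "ANY",
     "dst_zone": "WAN", "masquerade": True},
]

# Ron's per-subnet variant: one rule per interface subnet instead of ANY.
PER_SUBNET_RULES = [
    {"name": "Port1 to WAN", "src_zone": "LAN", "src_nets": ["192.168.1.0/24"],
     "dst_zone": "WAN", "masquerade": True},
    {"name": "Port1.2 to WAN", "src_zone": "LAN", "src_nets": ["192.168.2.0/24"],
     "dst_zone": "WAN", "masquerade": True},
]

def zone_for(ip):
    """Return the zone of the interface whose subnet contains ip, or None."""
    addr = ip_address(ip)
    for iface in INTERFACES.values():
        if addr in ip_network(iface["subnet"]):
            return iface["zone"]
    return None

def first_match(rules, src_ip, dst_zone):
    """Walk the table top to bottom and return the first rule that matches."""
    src_zone = zone_for(src_ip)
    if src_zone is None:
        return None
    addr = ip_address(src_ip)
    for rule in rules:
        if rule["src_zone"] != src_zone or rule["dst_zone"] != dst_zone:
            continue
        nets = rule["src_nets"]
        if nets == "ANY" or any(addr in ip_network(n) for n in nets):
            return rule
    return None

def egress_status(rules, src_ip):
    """Explain what happens to a client's traffic towards WAN."""
    rule = first_match(rules, src_ip, "WAN")
    if rule is None:
        return "dropped: no LAN->WAN rule matches"
    if not rule["masquerade"]:
        return "forwarded without NAT: masquerading is off"
    return "ok: forwarded with masquerading"
```

Because the source-network field is ANY and Port1.2 is in the LAN zone, a guest client on VLAN 2 already matches the generic rule, which is why the original poster found the XG side was correct; a rule restricted to the Port1 subnet alone would drop the guest VLAN.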

  • Thank you for the great info.

    I actually got it working yesterday. I had everything correct on the XG side. Where I screwed up was in the UniFi settings: I had the captive portal checked, and the server where the portal is located is on a different subnet than my VLAN. So basically it was like "I can connect you and give you an address, but no internet because you're not authenticated."

  • No worries, I have been there done that.  :)


    Glad to hear that you got it working.