
Unify WiFi and GuestWifi with two VLANs and management interface

Hi,

I managed to get two WLAN networks working on the Sophos XG using our existing Unify APs.

Port4, zone wifi, static gateway address in the LAN range, LAN Relay

Port4.120 WifiGuest, DHCP server with IP address 192.168.120.x

Port4.121 Wifi, DHCP server IP address 192.168.121.x

 

Firewall rules allow the WifiGuest network access to a guest printer in the LAN, and the WAN. The Wifi has full access to the local LAN.

 

So far so good. However, for some reason there is no LAN connection on Port4.

The APs are connected to an EdgeSwitch, with a trunk on port 1 connecting the untagged management interface and the two VLANs. Switch port 1 is connected to Port4 of the Sophos.

I can get it to work by connecting a separate port of the EdgeSwitch to the LAN switch, but I would like to understand the configuration better, and I think it should be able to work with the Port4 interface.

Any suggestions?



  • Basic question is: do you see any communication with tcpdump on the shell?

    So advanced Shell (SSH - 5 - 3) 

    tcpdump -ni Port4 

    There you should see some packets. You should see the VLAN untagged packets as well as the tagged packets (as kinda encrypted packets). 

  • Thanks for your help. 

    I see lots of traffic, but it is hard for me to distinguish the VLAN tagged and untagged traffic, as I am not a network expert. 

    What I do see is that the Wifi-WAN traffic is using the firewall rule for Wifi, not the firewall rule for LAN, leaving the correct port Port4.121. So my conclusion is that the Wifi traffic is going over that port, but the management traffic is not.


  • Let's start with the basics.

    ifconfig shows you all interfaces (plus vlan interfaces).

    So you see Port4 as well as Port4.120 and Port4.121.

    So you can basically use tcpdump -ni Port4.120 to see all the tagged traffic going to your interface with VLAN tag on it. 

    It is also possible to sniff the traffic without those things, using a little trick instead.

    https://serverfault.com/questions/196250/tcpdump-capture-one-of-several-vlans

    tcpdump -vv -i eth1 '( vlan and ( ether[14:2] & 0xfff == 1000 or ether[14:2] & 0xfff == 501 ) ) and ( ip host 10.1.1.98 or ip host 10.1.1.99 )'

    Most of the time, those issues are not XG related; instead the switch has some issues in the VLAN config.
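To make the tagged/untagged distinction concrete, here is an added example (not from the thread, Sophos or the linked serverfault answer) that decodes the 802.1Q tag exactly the way the `ether[14:2] & 0xfff` filter above does and builds that filter for the thread's VLANs 120 and 121; the frames and MAC addresses in it are constructed.

```python
import struct

ETHERTYPE_8021Q = 0x8100  # TPID announcing an 802.1Q tag right after the MAC addresses

def parse_frame(frame: bytes) -> dict:
    """Decode an Ethernet header; vid/pcp are None when the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid = pcp = None
    offset = 14
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        # Bytes 14-15 hold the TCI (3 bits PCP, 1 DEI, 12 VID): what tcpdump's ether[14:2] & 0xfff masks.
        tci = struct.unpack("!H", frame[14:16])[0]
        pcp, vid = tci >> 13, tci & 0xFFF
        ethertype = struct.unpack("!H", frame[16:18])[0]  # the real (inner) EtherType
        offset = 18
    return {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"), "vid": vid,
            "pcp": pcp, "ethertype": ethertype, "payload": frame[offset:]}

def tcpdump_vlan_filter(vids) -> str:
    """Build the capture filter from the serverfault trick for the given VLAN IDs."""
    clauses = " or ".join(f"ether[14:2] & 0xfff == {v}" for v in vids)
    return f"vlan and ( {clauses} )"

def build_frame(dst, src, ethertype, payload, vid=None, pcp=0) -> bytes:
    """Assemble a (possibly tagged) frame; used only to construct demo input."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, (pcp << 13) | (vid & 0xFFF))
    return hdr + struct.pack("!H", ethertype) + payload

def count_by_vlan(frames) -> dict:
    """Tally frames per VLAN ID; the None bucket is the untagged (management) traffic."""
    counts = {}
    for f in frames:
        vid = parse_frame(f)["vid"]
        counts[vid] = counts.get(vid, 0) + 1
    return counts

# Constructed sample traffic (placeholder MACs): one untagged frame, as AP management
# traffic would be, plus one frame from each of the thread's VLANs 120 and 121.
AP_MAC, XG_MAC = bytes.fromhex("02000000aa01"), bytes.fromhex("02000000bb04")
IPV4_STUB = b"\x45" + b"\x00" * 19  # header-sized IPv4 payload; content irrelevant here
SAMPLE_FRAMES = [
    build_frame(XG_MAC, AP_MAC, 0x0800, IPV4_STUB),
    build_frame(XG_MAC, AP_MAC, 0x0800, IPV4_STUB, vid=120),
    build_frame(XG_MAC, AP_MAC, 0x0800, IPV4_STUB, vid=121, pcp=5),
]
```

A None bucket next to 120 and 121 is what a trunk carrying an untagged management network plus the two tagged VLANs should look like when captured on Port4; a missing None bucket means the untagged traffic never reaches the XG.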

  • Thanks!

    Lots of traffic going over Port4. The VLANs are not the problem, they work fine. The problem is the management of the APs behind Port4.

    I understand the problem may well be at the switch, but if I ask them, they will tell me to look at the firewall, so I thought I'd start here to find out if you see anything strange in my configuration.

    I have configured Port4 as Zone Wifi, although it has a gateway address in the LAN range, as the APs have an address in the LAN range. Maybe that is the problem? How does traffic for 192.168.0.21 know it has to go to Port4 rather than Port1? I can change it to Zone LAN, but won't that have the same problem?

    There is a firewall rule allowing all traffic from and to Wifi - LAN.

  • Can you give us some screenshots of the config of your interfaces etc? 

  • Interfaces:

    Zones

    DHCP Wifi (WifiGuest is similar)

    LAN DHCP Relay (not sure this is needed, I actually don't think so, the APs have fixed IP addresses)

    The Unify controller is on the LAN, and needs to access the APs for them to function. The APs are connected to a Unify switch to power them.

    Port 1 of the EdgeSwitch is connected to Port 4 of the Sophos, Port 5 to the LAN switch. Without Port 5 it is not working.

    VLANs on the EdgeSwitch:

  • XG and other products cannot handle such configs. 2 interfaces in the same network are not supposed to work. If you want to have such a config, you need a Layer 2 bridge. But you cannot place more than 1 VLAN on a bridge.

    So this will not work at all. https://serverfault.com/questions/415304/multiple-physical-interfaces-with-ips-on-the-same-subnet

    Would recommend using another VLAN for management and spreading that VLAN via the switch, and not using the same untagged network on 2 interfaces.

  • Oh, thanks.

    I tried earlier with a bridge and 1 VLAN for the guest network, putting the in-house Wifi without a VLAN on the bridge directly. But that did not work either. I understood that the VLAN that you add to the bridge becomes the VLAN interface of the LAN, instead of an extra interface.

    Anyway, in that case I keep the current situation, where the management interface goes through Port 5 of the EdgeSwitch to the general LAN switch. Thanks for your patience.