Unify WIfi and GuestWifi with two VLANs and management interface

Question

Hi, 
 I managed to get two WLAN networks working on the Sophos XG using our existing Unify AP's. 
 Port4, zone wifi, static gateway address in the LAN range, LAN Relay 
 Port4.120 WifiGuest, DHCP server with IP address 192.168.120.x 
 Port4.121 Wifi, DHCP server IP address 192.168.121.x 
 
 Firewall rules allow the WifiGuest network access to a guest printer in the LAN, and the WAN. The Wifi has full access to the local LAN. 
 
 Sofar so good. However, For some reason there is no LAN connection on Port4. 
 The AP's are connected to an EdgeSwitch, with a trunk on port 1 connecting the Unlabeled Management interface, and the two VLAN's. The switch port 1 is connected to the Port4 of the Sophos. 
 I can get it to work by connecting a separate port of the EdgeSwitch to the LAN switch, but I would like to understand the configuration better, and I think it should be able to work with the Port4 interface. 
 Any suggestions?

LuCar Toni · Accepted Answer

XG and other products cannot handle such configs. 2 Interfaces in the same network is not supposed to work. If you want to have such a config, you need a Layer 2 Bridge. But you cannot place more than 1 VLAN on a bridge. 
 So this will not work at all. https://serverfault.com/questions/415304/multiple-physical-interfaces-with-ips-on-the-same-subnet 
 Would recommend to use another VLAN for Management and spread those VLAN via switch and not using untagged same network on 2 interfaces.

AADD · Answer

After reviewing what you posted. There doesn't seem to be anything wrong with your methodology as far as each interface being on its own subnet. 
 It sounds like you want to run a "provisioning" subnet for the UniFi APs and the UniFi Controller (the controller and APs don't really need to be on the same subnet). 
 If this is the case you can create a new zone called provisioning or whatever you want for organizational purposes and apply it to Port4, set your firewall rules for the desired traffic requirements, and ensure your switches are tagged and untagged appropriately. 
 I have a similar configuration, all unifi devices (ap and switches) are managed on an untagged provisioning subnet/zone, however my Unifi controller is public facing as I run multiple sites with it.

AADD · Answer

O I see it now, your Port4 and Port1 are on the same subnet for Port4. Follow my suggestion and create a new subnet for the provisioning network. 
 Unless I am missing something else?