Guest Wifi with Sophos XG and Unifi APs

Hello, 

I hope someone can help me with this.


We currently have a LAN network with XG 135 and 2 Unifi controllers/switches with 10 Unifi APs connected.

We currently have a LAN network (192.168.99.0/24) and a WLAN configured with UniFi controllers and APs, so devices can be connected to our corporate LAN network via Ethernet or via wireless.


After that, I needed to create a separate WLAN (192.168.88.0/24) for guests, so no one on this guest WiFi can access any device in the LAN network.

So, to get that, I created a new VLAN with ID 100 (Port1.100) in Sophos in the WIFI zone. I don't know if this is the best way to separate the corporate LAN and the guest wireless LAN. Let me know if I should set the zone to LAN.

After that, I created the DHCP scope with the range 192.168.88.33 - 192.168.88.55.

Then, in Hosts and services, I created the IP range group 192.168.88.0/24.

Then, I configured the firewall rule to allow the traffic from WiFi to WAN.

After that, I configured the new VLAN 100 in the UniFi controllers,

and a new wireless network for the guest clients with this new VLAN.

After all this configuration, I can see the new wireless SSID from my wireless devices, but when I try to connect it gets stuck obtaining an IP from DHCP, which is provided by the Sophos XG passing through the UniFi controllers.

Can anyone help with this?

Thanks in advance.

Best regards

  • Hi,

    I expect you will need to change the zone type to LAN, because the WiFi zone is only for Sophos-supported devices.

    Ian

  • Silly question but as it's not been mentioned above, have you set the VLAN tags on the switch/switches?


    I have a similar setup with UniFi APs - 3 x SSIDs - corporate network with DHCP from the domain controller, guest and visitor + hotspot access networks with DHCP being handled by the XG. 2 VLANs set up and set to LAN zones, not WiFi zones. It all works fine.

  • Thanks for your reply and sorry as I am new with Unifi switches.

    Where can I find it to check it?

    Thanks for your reply. I did it, and still nothing, but maybe I need to restart the UniFi switches to let them know that the VLAN zone has changed.

    I cannot do it yet as this is a production environment and there are a lot of people and devices connected.

    As soon as I can do it, I will let you know if it works, thanks in advance.

  • Sorry, not in the office so only just seen the replies. It’s worth shutting down the XG if you are going to restart the switches. I’ve had it in the cyberoam days where the Firewall won’t pick up the VLAN settings until it’s been powered down. A restart wasn’t enough to make it work.
  • I have restarted the Sophos XG 135 and it didn't work.

    I am not getting DHCP. Now I have the VLAN in the LAN zone, but the devices connected to the Guest_Wifi created by the UniFi controllers are not getting an IP from the Sophos DHCP.

    Any idea?

  • Hello,

    Thanks for your help.

    I changed the VLAN to the LAN zone and after that I restarted the UniFi switches and the Sophos XG 135, but it is still not working.

    The devices connected to the Guest_Wifi created by the UniFi controllers are not getting an IP from the Sophos DHCP. The devices are stuck on "getting IP address".

    Any idea?

    Thanks in advance.

  • Hello,

    My first thought is that it'll be the tagging on the switches. Our corporate network is untagged and the guest networks are tagged, so we need to allow both tagged and untagged traffic on the ports the XG and APs use, as well as any trunk ports, uplinks etc. You could temporarily allow all ports on the switches to be untagged for corporate and tagged to the VLAN for guest, if your configuration is the same, to check if that's the issue. If you have a tagged corporate network, you could allow all the tags you use on all ports.


    I'll post a few pics of my config; it may help, it may not. I have 2 sites, 2 XGs, 2 controllers, corporate, guest and visitor networks at the main site and corporate and guest at the second office. VLANs set up for the guest and visitor networks. The only ports open are for the visitor network, for the hotspot code authentication at the main office.

    I'll show some snips from the second office as there's less going on. I haven't done anything with the networks on the UniFi controller; it still has the default corporate LAN network on it, which doesn't match what we have as our internal network. It's unnecessary to do anything with it in this configuration.

    Our wireless network is set up like this, nothing special

    The VLAN setup under the XG network tab

    The DHCP setup for the guest network

    The host entry for the guest network

    The firewall rules

  • I have something similar running. The non-Sophos WiFi is in a separate VLAN. This VLAN is in the WIFI zone too.

    The important point:

    You must define a DHCP scope for both interfaces in the WIFI zone.

  • Thanks Greenie for all your help.

    Your configuration helped me to see that the problem was at another point.

    After checking that my configuration was very similar to yours, I found out that the problem could be in the switches.

    We have a CPD room and I realised that it could be failing after some changes we made in the rack.

    We changed the order of some data switches, so I realised that the problem could be there.

    It wasn't me who set these switches in the rack, so I didn't know how the switches were configured at the beginning.

    I think one of them doesn't allow trunk mode, or maybe it needs to be configured to allow this method.

    So what we did was connect the Sophos LAN port directly to the UniFi controller. As soon as we did it, it worked.

    The new wireless network was able to get a DHCP lease from the Sophos. Everything is working now.

    Thanks to everyone. 


    The next step is checking if we can set the VLAN in the Sophos in the WiFi zone instead of the LAN zone. I would appreciate it if someone could confirm whether it is good practice or even best practice.


    Thanks.
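The thread's three suspects (VLAN tags stripped by a switch, no DHCP answer from the XG on the tagged interface, or a working exchange) can be told apart from a capture on the firewall-facing trunk port. The following is an added example, not code from this thread or from Sophos/Ubiquiti: a minimal parser for 802.1Q-tagged DHCP frames plus a classifier, run here over constructed sample frames rather than a real capture (the guest VLAN 100 / Port1.100 naming is taken from the thread; checksums are omitted in the samples).

```python
import struct

ETH_8021Q, ETH_IPV4 = 0x8100, 0x0800
DHCP_MSG = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def parse_dhcp(frame):
    """Return (vlan_id or None, message name) for a DHCP frame, else None."""
    (eth_type,) = struct.unpack_from("!H", frame, 12)
    vlan, off = None, 14
    if eth_type == ETH_8021Q:                        # 802.1Q tag present
        tci, eth_type = struct.unpack_from("!HH", frame, 14)
        vlan, off = tci & 0x0FFF, 18                 # low 12 bits of TCI = VLAN ID
    if eth_type != ETH_IPV4 or frame[off + 9] != 17:  # IPv4 carrying UDP only
        return None
    udp = off + (frame[off] & 0x0F) * 4              # IHL gives header length
    sport, dport = struct.unpack_from("!HH", frame, udp)
    if {sport, dport} != {67, 68}:                   # bootps / bootpc
        return None
    opts = frame[udp + 8 + 240:]                     # skip BOOTP header + magic cookie
    i = 0
    while i < len(opts) and opts[i] != 255:          # 255 = end option
        if opts[i] == 0:                             # 0 = pad
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        if code == 53:                               # DHCP message type
            return vlan, DHCP_MSG.get(opts[i + 2], "UNKNOWN")
        i += 2 + length
    return None

def build_dhcp(msg_type, vlan=None):
    """Constructed sample frame: client DISCOVER/REQUEST or server OFFER/ACK."""
    server = msg_type in (2, 5, 6)
    bootp = bytes([2 if server else 1, 1, 6, 0]) + bytes(232)   # op, htype, hlen, hops, rest zeroed
    dhcp = bootp + b"\x63\x82\x53\x63" + bytes([53, 1, msg_type, 255])
    sport, dport = (67, 68) if server else (68, 67)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4) + udp    # 0.0.0.0 -> 255.255.255.255
    eth = b"\xff" * 6 + bytes(6)                     # broadcast dst, placeholder src MAC
    if vlan is not None:
        eth += struct.pack("!HH", ETH_8021Q, vlan)   # tag with priority/DEI = 0
    return eth + struct.pack("!H", ETH_IPV4) + ip

def diagnose(frames, guest_vlan):
    """Classify a capture from the XG-facing trunk port against the guest VLAN."""
    seen = {parse_dhcp(f) for f in frames} - {None}
    if (guest_vlan, "DISCOVER") not in seen:
        return "no DISCOVER tagged VLAN %d: check switch/AP port tagging and trunks" % guest_vlan
    if not seen & {(guest_vlan, "OFFER"), (guest_vlan, "ACK")}:
        return "DISCOVER on VLAN %d but no answer: check the XG DHCP scope on Port1.%d" % (guest_vlan, guest_vlan)
    return "DHCP exchange completes on VLAN %d" % guest_vlan
```

On a real capture, feed `diagnose()` the raw frames of a tcpdump taken without VLAN stripping (the default on most Linux hosts keeps the 802.1Q header in the capture).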