
Guest Wifi with Sophos XG and Unifi APs

Hello, 

I hope someone can help me with this.

We currently have a LAN network with an XG 135 and 2 UniFi controllers/switches with 10 UniFi APs connected.

We currently have the LAN network (192.168.99.0/24) and the WLAN configured with UniFi controllers and APs, so devices can be connected to our corporate LAN network via Ethernet or via wireless.

After that, I needed to create a separate WLAN (192.168.88.0/24) for guests, so no one in this GuestWifi can access any device in the LAN network.

So, to get that, I created a new VLAN with ID 100 (Port1.100) in Sophos in zone WIFI. I don't know if this is the best way to separate the corporate LAN and the guest wireless LAN. Let me know if I should set the zone to LAN.

After that, I created the DHCP with the range 192.168.88.33 - 192.168.88.55.

Then, in Hosts and services, I created the group IP range 192.168.88.0/24.

Then, I configured the firewall rule to allow the traffic from WiFi to WAN.

After that, I configured the new VLAN 100 in the UniFi controllers, and a new wireless network for the guest clients with this new VLAN.

After all this configuration, I can see the new wireless SSID from my wireless devices, but when I try to connect it gets stuck obtaining an IP from DHCP, which is provided by the Sophos XG passing through the UniFi controllers.

Can anyone help with this?

Thanks in advance.

Best regards



  • Thanks for your reply, I did it, and still nothing, but maybe I need to restart the Unifi Switches to let them know that the VLAN zone has changed.

    I cannot do it yet as this is a production environment and there are a lot of people and devices connected.

    As soon as I can do it, I will let you know if it works, thanks in advance.

  • Sorry, not in the office so only just seen the replies. It’s worth shutting down the XG if you are going to restart the switches. I’ve had it in the cyberoam days where the Firewall won’t pick up the VLAN settings until it’s been powered down. A restart wasn’t enough to make it work.
  • I have restarted the Sophos XG 135 and it didn't work.

    I am not getting DHCP. Now I have the VLAN in the LAN zone, but the devices connected to the Guest_Wifi created by the UniFi controllers are not getting an IP from the Sophos DHCP.

    Any idea?

  • Hello,

    thanks for your help.

    I changed the VLAN to the LAN zone and after that I restarted the UniFi switches and the Sophos XG 135, but it is still not working.

    The devices connected to the Guest_Wifi created by the UniFi controllers are not getting an IP from the Sophos DHCP. The devices are stuck "getting IP address".

    Any idea?

    Thanks in advance.

  • Hello,

    My first thought is that it'll be the tagging on the switches. Our corporate network is untagged and the guest networks are tagged, so we need to allow both tagged and untagged traffic on the ports the XG and APs use, as well as any trunk ports, uplinks etc. You could temporarily allow all ports on the switches to be untagged for corporate and tagged to the VLAN for guest, if your configuration is the same, to check if that's the issue. If you have a tagged corporate network, you could allow all the tags you use on all ports.

    I'll post a few pics of my config; it may help, it may not. I have 2 sites, 2 XGs, 2 controllers, corporate, guest and visitor networks at the main site and corporate and guest at the second office. VLANs are set up for the guest and visitor networks. The only ports open are for the visitor network, for the hotspot code authentication at the main office.

    I'll show some snips from the second office as there's less going on. I haven't done anything with the networks on the UniFi controller; it still has the default corporate LAN network on it, which doesn't match what we have as our internal network. It's unnecessary to do anything with it in this configuration.

    Our wireless network is set up like this, nothing special

    The VLAN setup under the XG network tab

    The DHCP setup for the guest network

    The host entry for the guest network

    The firewall rules

  • I have something similar running. The non-Sophos WiFi is in a separate VLAN. This VLAN is in the WIFI zone too.

    The important Point:

    You must define a DHCP Scope for both Interfaces in WIFI Zone

  • Thanks Greenie for all your help.

    Your configuration helped me to see that the problem was at another point.

    After checking that my configuration was very similar to yours, I found out that the problem could be in the switches.

    We have a CPD room and I realised that it could be failing after some changes we did in the rack.

    We changed the order of some data switches, so I realised that the problem could be there.

    It wasn't me who set these switches in the rack, so I didn't know how the switches were configured at the beginning.

    I think one of them doesn't allow trunk mode, or maybe it needs to be configured to allow this method.

    So what we did was connect the Sophos LAN port directly to the UniFi controller. As soon as we did it, it worked.

    The new wireless network was able to get a DHCP lease from the Sophos. Everything is working now.

    Thanks to everyone.

    Next step is checking if we can set the VLAN in the Sophos in the WiFi zone instead of the LAN zone. I would appreciate it if someone could confirm whether it is good practice or even best practice.

    Thanks.
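The two diagnoses above (Greenie's point that the guest VLAN must be carried tagged on every port between the XG and the AP, and the resolution that one re-racked switch was not trunking) can be checked mechanically. The following is an added example, not code from the thread, Sophos or Ubiquiti: it models a chain of switch ports as a constructed topology and reports the first hop that would drop the tagged VLAN 100, and also sanity-checks that the DHCP scope sits inside the VLAN interface's subnet. All device and port names are made up for the example.

```python
# Added example, not from the thread or from Sophos/Ubiquiti: a small model of the
# check Greenie describes (is VLAN 100 carried tagged on every hop between the XG
# and the AP?) plus a sanity check on the DHCP scope. Device and port names and
# their configurations are constructed for the example.
import ipaddress
from dataclasses import dataclass
from typing import Optional

GUEST_VLAN = 100                                   # Port1.100 in the original post
GUEST_NET = ipaddress.ip_network("192.168.88.0/24")


@dataclass(frozen=True)
class Port:
    device: str
    name: str
    untagged: Optional[int] = None        # native/PVID VLAN, carried without a tag
    tagged: frozenset = frozenset()       # VLANs carried with an 802.1Q tag

    def carries_tagged(self, vlan: int) -> bool:
        return vlan in self.tagged


def first_drop(path, vlan=GUEST_VLAN):
    """Walk the ports from the XG towards the AP in order and return the first one
    that would strip or discard the tagged guest VLAN, or None if it survives."""
    for port in path:
        if not port.carries_tagged(vlan):
            return port
    return None


def dhcp_scope_ok(start, end, net=GUEST_NET):
    """A scope outside the VLAN interface's subnet hands out leases clients cannot use."""
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    return lo in net and hi in net and lo <= hi


# Constructed topology: XG Port1 -> switch 1 -> switch 2 -> AP. The corporate
# network rides untagged (VLAN 1 here); guest traffic must be tagged 100 on each hop.
XG_PORT1 = Port("xg135", "Port1", untagged=1, tagged=frozenset({GUEST_VLAN}))
SW1_FROM_XG = Port("sw1", "1", untagged=1, tagged=frozenset({GUEST_VLAN}))
SW1_UPLINK = Port("sw1", "24", untagged=1, tagged=frozenset({GUEST_VLAN}))
SW2_UPLINK = Port("sw2", "24", untagged=1)         # access port: the tag is dropped here
SW2_TO_AP = Port("sw2", "5", untagged=1, tagged=frozenset({GUEST_VLAN}))
SW1_TO_AP = Port("sw1", "5", untagged=1, tagged=frozenset({GUEST_VLAN}))

BROKEN_PATH = [XG_PORT1, SW1_FROM_XG, SW1_UPLINK, SW2_UPLINK, SW2_TO_AP]
DIRECT_PATH = [XG_PORT1, SW1_FROM_XG, SW1_TO_AP]   # XG patched straight into the AP's switch
```

`first_drop(BROKEN_PATH)` points at the non-trunking switch uplink, while the re-patched `DIRECT_PATH` returns `None`, mirroring the fix described above.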

  • G'Day Ian,

    Hope you find this mail in good health.

    I'm having a similar setup; I have plugged a Ubiquiti AP directly into Port 4 on the Sophos XG.

    I have set it as LAN with IP 10.1.1.254 (static).

    Also configured DHCP for this network as 10.1.1.10 to 10.1.1.15.

    Is it necessary to create an IP host and a firewall rule for this network?

    At the moment I'm able to connect to the Internet via this AP, but no IP is being leased from the Sophos DHCP.

    Is it because I have not configured the IP host and firewall rule?

    Cos for my other wired networks, namely Port 1 and Port 3, I have not created any separate firewall rules other than the default ones which are created by Sophos during initial setup, and those clients seem to get an IP from the Sophos DHCP, so I'm a bit confused whether a firewall rule is necessary for this new wireless network I'm trying to set up.

    Appreciate your cooperation as always.

    Thanks

    Raj

  • Hi Raj,

    you will need to create a firewall rule for your new network range. The AP should obtain an address from your new IP lease range on that network.

    Ian

  • Hi Ian,

    Thanks for your email. I have created a new VLAN on Port 4 (the port where the Ubiquiti AP is plugged in).

    Also created the DHCP scope as below

    IP host as below

    Firewall rule as below BUT NOT enabled

    On the UniFi Controller, configured VLAN 40 as below

    Clients are able to connect to the new wireless SSID, and are also able to access the Internet.

    My question was: even without the firewall rule enabled, they are able to connect.

    Also, the DHCP lease seems to work as expected.

    Please advise on why the firewall rule is not taking effect.

    Appreciate your assistance as always.

    Thanks

    Raj