Guest Wifi with Sophos XG and Unifi APs

Question

Hello, 
 I hope someone can help me with this. 
 
 We currently have a LAN network with XG 135 and 2 Unifi controllers/switches with 10 Unifi APs connected. 
 We currently have LAN network (192.168.99.0/24) and WLAN configured with Unifi Controllers and APs, so devices can be connected to our corporate LAN network via ethernet or via wireless. 
 
 After that, I needed to create a separated WLAN (192.168.88.0/24) for guests, so noone in this GuestWifi can access any device in LAN network. 
 So, to get that, I created a new VLAN with ID 100 (Port1.100) in sophos in zone WIFI . I don&acute;t know if this is the best way to separate the corporate lan and guest wireless lan. Let me know if I should set the Zone to LAN. 
 
 After that, I created the DHCP with the range 192.168.88.33 - 192.168.88.55 
 
 Then, in Hosts and services I created the group ip range 192.168.88.0/24 
 
 Then, I have configured the firewall rule to allow the traffic from Wifi to WAN. 
 After that, I have configured the new VLAN 100 in Unifi Controllers. 
 
 and a new wireless for the guess clients with this new VLAN. 
 
 After all this configuration, I can see the ssid new wireless from my wireless devices but when I try to connect it gets stuck in obtaining IP from DHCP which is provided by sophos XG passing through the Unifi controllers. 
 Can anyone help with this? 
 Thanks in advance. 
 Best regards

Greenie · Accepted Answer

Hello, 
 My first thoughts are it'll be the tagging on the switches. Our corporate network is untagged and the guests networks are tagged, so we need to allow both tagged and untagged traffic on the ports the XG and AP's use as well as any trunk ports, uplinks etc. You could temporarily allow all ports on the switches to be untagged for corporate and tagged to the VLAN for guest if your configuration is the same, to check if that's the issue. If you have a tagged corporate network, you could allow all the tags you use on all ports. 
 
 I'll post a few pics of my config, it may help, it may not. I have 2 sites, 2 XG's, 2 controllers, corporate, guest and visitor networks at the main site and corporate and guest at the second office. VLAN's setup for the guest and visitor networks. The only ports open are for the visitor network for the hotspot code authentication on the main office. 
 I'll show some snips from the second office as there's less going on. I haven't done anything with the networks on the UniFi controller, it still has the default corporate LAN network on it, it doesn't match what we have as our internal network. It's unnecessary to do anything with it in this configuration. 
 
 Our wireless network is setup like this, nothing special 
 
 The VLAN setup under the XG network tab 
 
 The DHCP setup for the guest network 
 
 The host entry for the guest network 
 
 The firewall rules

rfcat_vk · Answer

Correct, it is a very open rule and does not offer much protection. 
 Ian