
Guest Wifi with Sophos XG and Unifi APs

Hello, 

I hope someone can help me with this.


We currently have a LAN network with XG 135 and 2 Unifi controllers/switches with 10 Unifi APs connected.

We currently have LAN network (192.168.99.0/24) and WLAN configured with Unifi Controllers and APs, so devices can be connected to our corporate LAN network via ethernet or via wireless.


After that, I needed to create a separate WLAN (192.168.88.0/24) for guests, so no one in this GuestWifi can access any device in the LAN network.

So, to get that, I created a new VLAN with ID 100 (Port1.100) in Sophos in zone WIFI. I don't know if this is the best way to separate the corporate LAN and guest wireless LAN. Let me know if I should set the Zone to LAN.

After that, I created the DHCP with the range 192.168.88.33 - 192.168.88.55.

Then, in Hosts and Services I created the group IP range 192.168.88.0/24.

Then, I configured the firewall rule to allow the traffic from WIFI to WAN.

After that, I configured the new VLAN 100 in the Unifi Controllers,

and a new wireless network for the guest clients with this new VLAN.

After all this configuration, I can see the new wireless SSID from my wireless devices, but when I try to connect it gets stuck obtaining an IP from DHCP, which is provided by the Sophos XG passing through the Unifi controllers.

Can anyone help with this?

Thanks in advance.

Best regards



  • Hi,

    I expect you will need to change the zone type to LAN because WIFI is only for Sophos supported devices.

    Ian

  • Hello,

    thanks for your help.

    I changed the VLAN to the LAN zone and after that I restarted the UniFi switches and the Sophos XG 135, but it is still not working.

    The devices connected to the Guest_Wifi created by the UniFi Controllers are not getting an IP from the Sophos DHCP. The devices are stuck at "getting IP address".

    Any idea?

    Thanks in advance.

  • Hello,

    My first thoughts are it'll be the tagging on the switches. Our corporate network is untagged and the guest networks are tagged, so we need to allow both tagged and untagged traffic on the ports the XG and APs use, as well as any trunk ports, uplinks etc. You could temporarily allow all ports on the switches to be untagged for corporate and tagged to the VLAN for guest if your configuration is the same, to check if that's the issue. If you have a tagged corporate network, you could allow all the tags you use on all ports.

    I'll post a few pics of my config, it may help, it may not. I have 2 sites, 2 XGs, 2 controllers, corporate, guest and visitor networks at the main site and corporate and guest at the second office. VLANs are set up for the guest and visitor networks. The only ports open are for the visitor network for the hotspot code authentication on the main office.

    I'll show some snips from the second office as there's less going on. I haven't done anything with the networks on the UniFi controller; it still has the default corporate LAN network on it, which doesn't match what we have as our internal network. It's unnecessary to do anything with it in this configuration.

    Our wireless network is set up like this, nothing special

    The VLAN setup under the XG network tab

    The DHCP setup for the guest network

    The host entry for the guest network

    The firewall rules

  • I have something similar running. The non-Sophos WIFI is in a separate VLAN. This VLAN is in the WIFI Zone too.

    The important point:

    You must define a DHCP scope for both interfaces in the WIFI Zone.

  • Thanks Greenie for all your help.

    Your configuration helped me to see that the problem was at another point.

    After checking that my configuration was very similar to yours, I found out that the problem could be in the switches.

    We have a CPD room and I realised that it could be failing after some changes we did in the rack.

    We changed the order of some data switches, so I realised that the problem could be there.

    It wasn't me who set these switches in the rack, so I didn't know how the switches were configured at the beginning.

    I think one of them doesn't allow trunk mode, or maybe it needs to be configured to allow this method.

    So what we did was connect the Sophos LAN port directly to the UniFi controller. As soon as we did it, it worked.

    The new wireless network was able to get a DHCP lease from the Sophos. Everything is working now.

    Thanks to everyone. 


    The next step is checking if we can set the VLAN in the Sophos in the WIFI Zone instead of the LAN zone. I would appreciate it if someone could confirm whether it is good practice or even best practice.

    Thanks.

  • Thanks everyone, especially Greenie who offered good explanations.

    Finally, the problem was in one of the switches between the Sophos and the UniFi switch. It didn't allow the VLAN to pass through itself, so the UniFi controller didn't receive the VLAN configured.

    Once I replaced the switch with another able to pass the VLAN configuration, everything started working. The configuration was perfect.
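The root cause in this thread (a switch between the XG and the UniFi switch dropping VLAN 100 tagged frames, so guest DHCP requests never reached the XG) can be confirmed from a packet capture rather than by swapping hardware. The following is an added example, not code from the thread or from Sophos/Ubiquiti: it parses raw Ethernet frames (as you would read them from a pcap taken on the XG-facing trunk port), groups DHCP traffic by 802.1Q VLAN ID, and reports whether the guest VLAN is missing entirely, carries requests with no offers, or shows a full exchange. The frames are constructed in the script with minimal IPv4/UDP headers and no DHCP body, and the VLAN ID 100 and the diagnosis wording are assumptions for illustration.

```python
import struct
from collections import Counter

ETH_P_8021Q, ETH_P_IP, IPPROTO_UDP = 0x8100, 0x0800, 17

def parse_frame(frame):
    """Return (vlan_id or None, ethertype, l3_payload) for one raw Ethernet frame."""
    ethertype, = struct.unpack("!H", frame[12:14])
    vlan_id, offset = None, 14
    if ethertype == ETH_P_8021Q:                      # 802.1Q tag present
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18           # low 12 bits of TCI = VID
    return vlan_id, ethertype, frame[offset:]

def dhcp_direction(ip_payload):
    """'client' for UDP 68->67 (Discover/Request), 'server' for 67->68 (Offer/Ack)."""
    if len(ip_payload) < 28 or ip_payload[9] != IPPROTO_UDP:
        return None
    ihl = (ip_payload[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", ip_payload[ihl:ihl + 4])
    return {(68, 67): "client", (67, 68): "server"}.get((sport, dport))

def diagnose(frames, guest_vlan):
    """Summarise what a capture on the XG-facing trunk port says about guest DHCP."""
    seen = Counter()
    for f in frames:
        vid, etype, payload = parse_frame(f)
        if etype == ETH_P_IP:
            seen[(vid, dhcp_direction(payload))] += 1
    if not any(vid == guest_vlan for vid, _ in seen):
        return "no frames tagged VLAN %d: a switch in the path is not trunking it" % guest_vlan
    if seen[(guest_vlan, "client")] and not seen[(guest_vlan, "server")]:
        return "requests seen but no offers on VLAN %d: check zone/DHCP scope on the XG" % guest_vlan
    return "dhcp exchange present on VLAN %d" % guest_vlan

def build_frame(vlan_id, sport, dport):
    """Constructed test frame: Ethernet [+802.1Q] + minimal IPv4/UDP header, no DHCP body."""
    eth = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55"   # broadcast dst, made-up src MAC
    tag = struct.pack("!HH", ETH_P_8021Q, vlan_id) if vlan_id is not None else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, IPPROTO_UDP, 0,
                     bytes(4), b"\xff" * 4)           # 0.0.0.0 -> 255.255.255.255
    return eth + tag + struct.pack("!H", ETH_P_IP) + ip + struct.pack("!HHHH", sport, dport, 8, 0)

# Constructed captures: untagged corporate DHCP, then guest VLAN 100 request only, then full exchange
BROKEN_TRUNK = [build_frame(None, 68, 67), build_frame(None, 67, 68)]
NO_OFFER = BROKEN_TRUNK + [build_frame(100, 68, 67)]
HEALTHY = NO_OFFER + [build_frame(100, 67, 68)]

if __name__ == "__main__":
    for name, cap in (("broken trunk", BROKEN_TRUNK), ("no offer", NO_OFFER), ("healthy", HEALTHY)):
        print(name + ":", diagnose(cap, 100))
```

On a real capture, feed `diagnose()` the raw frame bytes from the trunk port; the first message matches the thread's failing switch, the second points at the XG side (zone or missing DHCP scope for the VLAN interface).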
