Hello, Everyone.
Hoping folks with more experience and knowledge can help me figure out what I haven't done correctly to facilitate Guest WiFi access with VLANing using Sophos XG, a Ubiquiti switch and Ubiquiti Unifi APs. Hopefully, once I get this working, I can then apply the learnings and figure out what I am doing wrong to get an isolated IoT VLAN/WiFi network running as well. It seems my last hurdle to solving this puzzle is getting DHCP to work for my Guest Network clients.
I found this thread and thought it would help because I also have a DHCP problem: https://community.sophos.com/xg-firewall/f/discussions/117185/guest-wifi-with-sophos-xg-and-unifi-aps. This helped get me going, but I didn't end up having a hardware/switch issue like the OP in this thread. I have been staring at this for hours and am sure I am missing some improper configuration somewhere that I am just not able to see.
Overview of current setup:
T-Mobile LTE modem in bridge mode
Sophos XG running 18.0.4 MR4
- WAN DHCP on port 2
- Private LAN 192.168.70.0/24 on port 3
- DMZ 192.168.99.0/24 on port 1
- Guest LAN 192.168.71.0/24 on port 5 with VLAN 71 (10.0.71.0/24)
Ubiquiti Unifi Cloud Key controller for managing switches and APs
Ubiquiti US-16-150W POE switch
- Port 7 is my uplink to port 3 on the XG
- Port 11 is my link to port 5 on the XG
- Port 13 is being used to test hardwired connectivity with my MacBook since I can't get WiFi and DHCP to work.
Ubiquiti Unifi Nano HD APs
- Private WLAN: 192.168.70.0/24
- Guest WLAN: 10.0.71.0/24
Here is a diagram of how I have things set up currently. My MacBook on the right side of the diagram is what I am using to test. When connected via Ethernet, I am manually setting the MacBook to 10.0.71.11 because I can't get DHCP to work for either wireless or hardwired. I am able to ping the XG interface and am able to access the web as well.
I am able to reach my internal DNS and ping the VLAN interface and Google. It seems weird to me that I can also ping the 192.168.71.1 XG port address.
Steps I have done so far:
1. Built Guest VLAN 71 in the XG and attached it to the LAN zone (192.168.71.1 for the NIC and 10.0.71.1 for the VLAN)
2. Added DHCP for the Guest VLAN using 10.0.71.0/24
3. Added an IP Host Network to use for the FW rule using the VLAN network 10.0.71.0/24
4. Set up a FW rule to allow the host network to access the WAN (also put the DMZ in there to resolve DNS from my cache server)
I have stared at these configurations forever and, as far as I can tell and from all the posts I have read, I should have things set up correctly in the XG.
Now it was time to set things up on the switch side. This is probably where I am making a mistake. I understand VLANs conceptually, but don't have any practice in implementing or configuring them. To make things a bit steeper on the learning curve, it seems Ubiquiti does things a bit differently as it relates to tagging and trunking.
Here are the steps I took with the configurations.
1. Created a Guest VLAN network in the Unifi controller. Used VLAN 71 to match what I built in the XG.
2. Built the guest wireless network and assigned it to the GuestVLAN71 network.
3. Built my switch port profiles.
4. Assigned the switch port profiles to the ports in the switch:
- Port 7, which is the uplink to the LAN port on the XG. Didn't actually change anything here, just left the switch port profile set to "All".
- Port 11, which is the uplink to the VLAN port on the XG.
- Port 13, which I am using to test via Ethernet with my Mac.
I hope this is enough information for some more experienced members to help me figure out what I am doing incorrectly. Very much appreciate any help that can be afforded.
Thanks,
Scott
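The usual way to find out where DHCP is being lost in a setup like the one described above is to capture on the XG-facing switch port (or on the XG's port 5) and check whether the client's DHCP DISCOVER frames actually arrive carrying 802.1Q tag 71, arrive untagged, or arrive on some other VLAN. The script below is an added example and is not code from the original post, from Sophos or from Ubiquiti: it parses raw Ethernet frames, pulls out the VLAN ID and DHCP message type, and tallies DISCOVER/REQUEST frames by tag. The frames it runs on are constructed inline (hypothetical MAC addresses) so it works offline; on a real capture you would feed it the frame bytes from a pcap reader instead.

```python
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag follows the source MAC
ETHERTYPE_IPV4 = 0x0800
DHCP_MAGIC = b"\x63\x82\x53\x63"
DHCP_MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}


def parse_dhcp_frame(frame: bytes):
    """Return {"vlan_id": int|None, "msg_type": str} for a DHCP frame, else None.

    vlan_id is None when the frame carries no 802.1Q header (untagged).
    """
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan_id = 14, None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF          # low 12 bits of the TCI are the VID
        offset = 18
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[offset:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:                      # protocol 17 = UDP
        return None
    udp = ip[ihl:]
    sport, dport = struct.unpack("!HH", udp[:4])
    if (sport, dport) not in ((68, 67), (67, 68)):   # BOOTP client/server ports
        return None
    dhcp = udp[8:]
    if len(dhcp) < 240 or dhcp[236:240] != DHCP_MAGIC:
        return None
    # Walk the options (code, length, value) until END (255); PAD (0) has no length.
    i = 240
    while i < len(dhcp):
        code = dhcp[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        length = dhcp[i + 1]
        if code == 53 and length == 1:
            return {"vlan_id": vlan_id,
                    "msg_type": DHCP_MSG_TYPES.get(dhcp[i + 2], "OTHER")}
        i += 2 + length
    return None


def triage_dhcp_capture(frames, expected_vlan: int):
    """Count client DHCP DISCOVER/REQUEST frames by how they are tagged."""
    summary = {"tagged_ok": 0, "untagged": 0, "wrong_vlan": 0}
    for frame in frames:
        parsed = parse_dhcp_frame(frame)
        if parsed is None or parsed["msg_type"] not in ("DISCOVER", "REQUEST"):
            continue
        if parsed["vlan_id"] is None:
            summary["untagged"] += 1
        elif parsed["vlan_id"] == expected_vlan:
            summary["tagged_ok"] += 1
        else:
            summary["wrong_vlan"] += 1
    return summary


def build_dhcp_frame(vlan_id, msg_type: int) -> bytes:
    """Construct a minimal DHCP frame (constructed test data, not a real capture)."""
    src_mac = bytes.fromhex("0250aa000001")        # hypothetical client MAC
    dst_mac = b"\xff" * 6                          # broadcast
    dhcp = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234, 0, 0x8000)  # op..flags
    dhcp += b"\x00" * 16                           # ciaddr yiaddr siaddr giaddr
    dhcp += src_mac + b"\x00" * 10                 # chaddr (16 bytes)
    dhcp += b"\x00" * 192                          # sname + file
    dhcp += DHCP_MAGIC + bytes([53, 1, msg_type, 255])
    udp = struct.pack("!HHHH", 68, 67, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4) + udp   # 0.0.0.0 -> 255.255.255.255
    if vlan_id is None:
        eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    else:
        eth = dst_mac + src_mac + struct.pack("!HHH", ETHERTYPE_VLAN, vlan_id, ETHERTYPE_IPV4)
    return eth + ip


if __name__ == "__main__":
    sample = [build_dhcp_frame(71, 1), build_dhcp_frame(None, 1), build_dhcp_frame(70, 3)]
    print(triage_dhcp_capture(sample, expected_vlan=71))
```

Reading the tallies: a non-zero `untagged` count on the XG-facing port means the switch port profile is delivering the guest clients' requests on the native (untagged) VLAN, so they land on the parent interface rather than on the 10.0.71.0/24 VLAN interface that holds the DHCP scope; `wrong_vlan` points at a VLAN ID mismatch between the controller's network and the XG's VLAN 71; and `tagged_ok` with no OFFER coming back moves the investigation to the XG's DHCP server binding and rules rather than the switch.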