Setting up Guest network

Device: XG 125

Firmware: SFOS 18.0.5 MR-5-Build586

I am new to Sophos, so I apologize if this is a simple question (I hope that it is!) or one that's been asked 100 times before.

I'm trying to set up a guest network.  My goal is twofold.  One is to not allow access to our internal network.  The second is to have different policies.

I created a Zone called Guest that only has ping and DNS as available services.

I set up a VLAN (br0.2) with VLAN ID of 2 called GuestVLAN.  The Zone is set to Guest.

I set up a DHCP server for that network using the IP of the GuestVLAN as the gateway.

I created a firewall rule.  Source zone is Guest, destination is WAN.  There is no web filtering or other security features enabled.

The firewall rule is linked to a NAT rule with SNAT set to MASQ.

I have my downstream switch connected to port 1.  Port 5 on my switch is set to VLAN 1 untagged, VLAN 2 tagged.  Port 1 on the switch is set to VLAN 2 untagged.

What happens is weird.  The laptop connected to port 1 on the switch (VLAN 2 untagged) gets an IP in the Guest network IP range.  I can ping outside sites (8.8.8.8 for instance) as well as resolve DNS names.  But using a web browser generally doesn't work.  Sites (like arstechnica.com) just time out.  I can ping those sites just fine.  To further complicate things, sites do sometimes load.  I tried rolling back to SFOS 18.0.4 and sites did load initially, but now they are not.

When I look at the Log Viewer, I see allowed rules to different IPs from that guest network, so it appears to be allowing things through.  Though I do see some "Could not associate packet to any connection." entries, I see them for the internal network as well.

I'm just not sure how to troubleshoot this.  The internal network is working fine.

And am I totally overthinking this?  I know the APs can generate their own 'guest' network on the default VLAN.  I'm just not sure how that can keep a guest out of the internal network.

  • Hi,

    I think you answered your own question with the one line that says ping and DNS only.

    Why are you using br0.2?  Also, VLAN 2 on the port connected to the XG should be tagged.

    Ian

  • Hi Ian,

    When I look at instructions for setting up a zone, it seems settings like HTTPS and SSH specify if that zone can access the admin interface.  It's not general services that the zone can perform.

    https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/DeviceAccessLocalServiceACL.html

    Maybe I'm totally misunderstanding what those zone services do?

    For br0.2, I need data to go out one interface to my downstream switches.  br0 is the port group that is set to use all of the non-WAN ports on the router.  Then I added the VLAN to it.

    The uplink port on the downstream switch does have VLAN 2 tagged.  It's untagged on the port connected to the laptop.  DHCP is working on the laptop, so I think the switch setup is correct?

     - Steve

  • Hi Steve,

    You are correct, though you will need to add the proxy if you wish to enforce policies on the guests.

    A simple diagram of your network will help because I am confused as to how you have the XG functioning as a switch and connected to another switch?

    Ian

  • My day job includes enterprise network gear: Cisco, Comware, Aruba.  You typically use trunk ports to interconnect switches.  All of the VLANs are tagged.  If you have a firewall between groups, you assign each to a VLAN so traffic has to flow back through the routing device and through that firewall.  I do consulting for this small business (30 people in an old 4-story house).  They have switches and APs on multiple floors and in a neighboring building.  Their existing router (an old Peplink Balance router) uses the concepts I'm used to.  I set port 1 to be tagged for VLANs 1 and 2.  The downstream switch has the uplink port also set as tagged for VLANs 1 and 2.  For a 'normal' workstation port on the downstream switch, it's set as VLAN 1 untagged.  For AP ports, I want to send both VLANs to it.  They end up VLAN 1 untagged and VLAN 2 tagged.  VLAN 2 is used for the guest network and there are firewall rules on the Peplink to only allow access to the internet.

    I'm trying to do something similar with the Sophos.  I don't see any concept in the Sophos UI to set the default network (which appears to be '1') to be tagged.  I also don't see any way to set it on a per-port basis (like I want port 3 to be VLAN 2 untagged so I can test the guest network).

    The VLAN stuff all appears to be working.  On my downstream switch (just a little 5-port Netgear on my dining room table at the moment), I can assign ports to VLANs and get DHCP addresses.  I even set up an AP with a guest network set to VLAN 2 and my laptop gets an IP in the proper IP range for the guest network.  So I think that part is working as well.

    I think there are just some concepts on the XG that I'm struggling with.  I see that the APs (in Sophos Central) can be set to create their own guest network (on the default VLAN?).  Is that what I should be doing instead of messing around with additional VLANs?  Should I be doing something different with zones?

    Here is the simple diagram you asked for.  This is the same setup I'm currently using with the old router.  Just changing VLAN 1 from tagged to untagged on the uplink port between the router and Switch A.
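The two mechanisms the thread relies on for guest isolation are 802.1Q tagging on the switch ports (so a guest frame from the untagged laptop port leaves the uplink tagged as VLAN 2, and VLAN 1 never reaches that port) and a zone-based firewall policy with a default deny (so Guest can reach WAN but never LAN). The following Python model is an added example, not code from this thread or from Sophos; the port names, the 192.168.1.0/24 and 192.168.2.0/24 subnets, the simplified PVID/tagged/untagged semantics and the rule table are all constructed assumptions chosen to match the poster's description.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of the thread's setup (added example, not Sophos code):
# a small switch with one access port for the laptop and one uplink trunk,
# plus a zone-based policy that only lets the Guest zone reach the WAN.


@dataclass
class Port:
    """One 802.1Q switch port: a PVID for untagged ingress, and the VLANs it
    carries tagged or untagged on egress (assumed, simplified semantics)."""
    name: str
    pvid: int
    tagged: set = field(default_factory=set)
    untagged: set = field(default_factory=set)

    def ingress_vlan(self, tag):
        # Untagged frames join the PVID; tagged frames are accepted only if
        # this port is a tagged member of that VLAN, otherwise None (dropped).
        if tag is None:
            return self.pvid
        return tag if tag in self.tagged else None

    def egress_tag(self, vlan):
        # The tag the frame leaves with: the VLAN id, None when stripped
        # (untagged member), or "drop" when this port is not a member at all.
        if vlan in self.tagged:
            return vlan
        if vlan in self.untagged:
            return None
        return "drop"


def forward(in_port, tag, out_port):
    """Trace one frame through the switch: egress tag, None for untagged,
    or "drop" if the VLAN is not carried from in_port to out_port."""
    vlan = in_port.ingress_vlan(tag)
    if vlan is None:
        return "drop"
    return out_port.egress_tag(vlan)


# Ports as described in the thread: laptop port untagged in VLAN 2, uplink
# untagged VLAN 1 / tagged VLAN 2 (port names are constructed).
LAPTOP_PORT = Port("port1", pvid=2, untagged={2})
UPLINK_PORT = Port("port5", pvid=1, untagged={1}, tagged={2})

# Zone membership by subnet; the addresses are constructed, not the poster's.
ZONES = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "Guest": ipaddress.ip_network("192.168.2.0/24"),
}

# Ordered firewall rules (source zone, destination zone, action). Anything
# not matched falls through to deny, which is what keeps guests off the LAN.
RULES = [
    ("Guest", "WAN", "allow"),
    ("LAN", "WAN", "allow"),
]


def zone_of(ip):
    """Map an address to its zone; anything outside the known subnets is WAN."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"


def policy(src_ip, dst_ip):
    """First matching zone-pair rule wins; no match means deny."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule_src, rule_dst, action in RULES:
        if (rule_src, rule_dst) == (src, dst):
            return action
    return "deny"


if __name__ == "__main__":
    print(forward(LAPTOP_PORT, None, UPLINK_PORT))   # 2: guest frame leaves the uplink tagged
    print(forward(UPLINK_PORT, 2, LAPTOP_PORT))      # None: tag stripped for the laptop
    print(forward(UPLINK_PORT, None, LAPTOP_PORT))   # drop: VLAN 1 never reaches the guest port
    print(policy("192.168.2.10", "8.8.8.8"))         # allow
    print(policy("192.168.2.10", "192.168.1.5"))     # deny
```

The `forward` trace shows why DHCP working on the laptop is a reasonable sign the switch side is right, and the `policy` check shows the property worth verifying on the firewall: a Guest-to-LAN packet must hit no allow rule and fall through to the default deny, independent of whatever the WAN rule permits.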