Setting up Guest network

Hi,

I think you answered your own question with the one line that says ping and DNS only.

Why are you using br0.2 also lan 2 on the port connected to the XG should be tagged.

Ian

Hi Ian,

When I look at instructions for setting up a zone, it seems settings like HTTPS and SSH specify if that zone can access the admin interface.  It's not general services that the zone can perform.

https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/DeviceAccessLocalServiceACL.html

Maybe I'm totally misunderstanding what those zone services do?

For br0.2, I need data to go out one interface to my downstream switches.  br0 is the port group that is set to use all of the non-WAN ports on the router.   Then I added the vlan to it.

The uplink port on the downstream switch does have vlan 2 tagged.  It's untagged on the port connected to the laptop.  DHCP is working on the laptop, so I think the switch setup is correct?

 - Steve

Hi Steve,

you are correct, though you will need to add the proxy if you wish to enforce policies on the guests.

A simple diagram of your network will help because I am confused as to how you have the XG functioning as a switch and connected to another switch?

Ian

Hi Steve,

you are correct, though you will need to add the proxy if you wish to enforce policies on the guests.

A simple diagram of your network will help because I am confused as to how you have the XG functioning as a switch and connected to another switch?

Ian

My day job includes enterprise network gear.  Cisco, Comware, Aruba.  You typically use trunk ports to interconnect switches.  All of the VLANs are tagged.  If you have a firewall between groups, you assign each to a VLAN so traffic has to flow back through the routing device and through that firewall.  I do consulting for this small business (30 people in an old 4 story house).  They have switches and APs on multiple floors and in a neighboring building.  Their existing router (an old Peplink Balance router) uses the concepts I'm used to.  I set port 1 to be tagged for VLANs 1 and 2.  The downstream switch has the uplink port also set as tagged for vlans 1 and 2.  For a 'normal' workstation port on the downstream switch, it's set as vlan 1 untagged.  For AP ports, I want to send both vlans to it.  They end up VLAN 1 untagged and VLAN 2 tagged.  VLAN 2 is used for the guest network and there are firewall rules on the peplink to only allow access to the internet.

I'm trying to do something similar with the Sophos.  I don't see any concept in the Sophos UI to set the default network (which appears to be '1') to be tagged.  I also don't see any way to set it on a per-port basis (like I want port 3 to be VLAN 2 untagged so I can test the guest network). 

The VLAN stuff all appears to be working.  On my downstream switch (just a little 5 port netgear on my dining room table at the moment), I can assign ports to VLANs and get DHCP addresses.  I even setup an AP with a guest network set to VLAN 2 and my laptop gets an IP in the proper IP range for the guest network.  So I think that part is working as well.

I think there's just some concepts on the XG that I'm struggling with.  I see that the APs (in Sophos Central) can be set to create their own guest network (on the default vlan?).  Is that what I should be doing instead of messing around with additional VLANs?  Should I be doing something different with zones?  

Here is the simple diagram you asked for.  This is the same setup I'm currently using with the old router.  Just changing VLAN 1 from tagged to untagged on the uplink port between the router and Switch A.