Putting APX320 and regular "LAN" on same network

As added detail, I do have a LAN to LAN rule with Accept in position #1.

Yes, you can do this. I believe it's called bridged mode or bridging one of your APX--based VLANs onto your LAN. I did this with the APX managed from the XGS and currently with the APX managed from Sophos Central Wireless, so it works either way. (Set up is, of course, different. You might have to delete and remake the SSID if you can't change it to be bridged.)

In Sophos Central Wireless, under the SSID, Advanced, Client Connection you can choose LAN (part of the LAN the AP's port is connected to) or VLAN. Similar on the XGS. (Except the XGS uses VXLANs rather than VLANs and the setup is more magical.) Then you'll bridge together the port the APX is on with the rest of your LAN.

So there are sort-of two "bridged" things: 1) your SSID being bridged onto the LAN on which the APX's connecting port exists, and 2) the port to which the APX connects being bridged together with the other ports that make up your LAN.

Thanks for the answer Wayne. I detect your skill level is likely much greater than mine with these Sophos units!

Under Wireless Networks, I've set up "Client Traffic" as "Bridge AP to LAN".

I've attached a screenshot of my Network panel.

Port 1 is LAN (Ethernet).
Port 11 is the PoE port, which is connected to the APX.
Port 2, is the WAN/Modem.

Currently, Port1 is 192.168.168.1/255.255.255.0, and Port 11 is 192.168.166.1/255.255.255.0.

Each range has its DHCP server.

I need to get both LAN and Wireless clients into 192.168.168.1/255.255.255.0.

This article states, that I shouldn't need to create a Bridge interface:

https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/StartupHelp/Wireless/WirelessNetworkBridgeToLanConfigure/index.html

I tried giving the AP a static address of 192.168.168.10/32, but when I did this, the AP disconnected!

In the Network > Interfaces menu (which I believe is your screenshot), choose Add Bridge from the pull-down menu Add Interface. Maybe call it LAN_Bridge, and include Port1 and Port11 as members. Set its IP address as 192.168.166.1 (or whatever you want the LAN to be).

This "bridge" interface says those two ports are considered to be part of a single LAN, and you can include as many of your ports as you want and they'll all be on the same subnet. That provides the context in which your APX is doing the Bridge AP to LAN.

You're creating a unified subnet out of a collection of ports, and no routing is involved for one device on the subnet to talk with another. (There are settings for Guest Network kind of setups where each device is Isolated from all the other devices on the same network instead of the default of being able to see all the other devices. Be sure you haven't accidentally set Guest Network or Isolate Devices or whatever it's called.)

In the Network > Interfaces menu (which I believe is your screenshot), choose Add Bridge from the pull-down menu Add Interface. Maybe call it LAN_Bridge, and include Port1 and Port11 as members. Set its IP address as 192.168.166.1 (or whatever you want the LAN to be).

This "bridge" interface says those two ports are considered to be part of a single LAN, and you can include as many of your ports as you want and they'll all be on the same subnet. That provides the context in which your APX is doing the Bridge AP to LAN.

You're creating a unified subnet out of a collection of ports, and no routing is involved for one device on the subnet to talk with another. (There are settings for Guest Network kind of setups where each device is Isolated from all the other devices on the same network instead of the default of being able to see all the other devices. Be sure you haven't accidentally set Guest Network or Isolate Devices or whatever it's called.)