Create VLAN for WiFi Access Points

I am using a different series of switches and APs (I use TP-Link) but I am having the exact same issue. Did you ever figure out the solution?

I have not. Another member offered assistance but I have not had the time available right now to invest in figuring this out. 

I have the exact setup with the same switch and WiFi AP and have the exact same problem. I recently moved from pfSense, where this was working. When I moved to Sophos XG, I didn't change any of the switch or AP configurations, so I suspect Sophos does not like how our switch tags traffic, however odd that is.  If I go back to pfSense or Untangle, it works fine. If you made any further progress, I'd appreciate any freedback.

Similar boat here. I'm a pfSense convert (or attempting to at least until I hit this) having issue with the VLAN setup functioning properly. Difference here is using Tomato Shibby firmware on an Asus RT-N66u in AP only mode.

Currently I have my Asus connected between the rest of the network and the XG, and it is also handling WiFi with 2 different split networks for LAN/Guest access. My XG/pfSense are both running virtualized. Yes, Trunk passthrough is enabled and configured properly on ESXi. Currently this is configured and working perfectly fine with pfSense, but when I switch the connections over to the XG VM, connectivity suddenly fails miserably. Nothing is working once switched, DHCP, DNS, Internet, ICMP. I can't ping the XG interface, only other devices on my current LAN network (behind XG) if I set my IP manually. 

Setup DHCP

Setup DNS

Configured VLAN 10/12 on Port 2 (LAN)

Setup Static IPs, enabled Interface IP as Gateway

Similar boat here. I'm a pfSense convert (or attempting to at least until I hit this) having issue with the VLAN setup functioning properly. Difference here is using Tomato Shibby firmware on an Asus RT-N66u in AP only mode.

Currently I have my Asus connected between the rest of the network and the XG, and it is also handling WiFi with 2 different split networks for LAN/Guest access. My XG/pfSense are both running virtualized. Yes, Trunk passthrough is enabled and configured properly on ESXi. Currently this is configured and working perfectly fine with pfSense, but when I switch the connections over to the XG VM, connectivity suddenly fails miserably. Nothing is working once switched, DHCP, DNS, Internet, ICMP. I can't ping the XG interface, only other devices on my current LAN network (behind XG) if I set my IP manually. 

Setup DHCP

Setup DNS

Configured VLAN 10/12 on Port 2 (LAN)

Setup Static IPs, enabled Interface IP as Gateway

I have the exact same problem and behavior using Sophos XG, a Unifi AP and a Netgear managed switch.

Has anyone been able to get this configuration to work?

I still haven't solved this, though I have changed hardware slightly from a TP-Link switch to a Netgear switch. I'm also going to be removing the Asus completely from the equation as I've picked up 2 Unifi UAP-AC's. I'm planning to setup and prepare this for my new house which we're moving to in the next month. Hopefully I'll get to actually start playing around and testing this out. I was out at BlackHat this year and met some of the senior guys who told me there were some issues they've seen/experienced with the VLAN functionalities in XG. Supposedly a new beta was going to solve some of those issues. So maybe look for the current beta to test out instead? 

Thanks Shawn - I'll keep an eye out for the beta.

In the meantime, I am thinking that maybe the problem lies in the fact that I'm trying to run my LAN port as, not sure if the terminology is correct here, but as a Physical Port + VLAN on the same "port" in the Interfaces page on XG. Maybe both network segments must be explicitly configured as VLANS?

I think that perhaps both networks need to be assigned as VLANS; 2 and 3 as an example. I've been trying to have the main port use VLAN 1 on my switch, but the minute I enable the VLAN tagging on the switch, everything effectively stops working! I'll give this a try and update the thread if that works.

Hello -

Anyone still interested in this thread, I've found the workaround -

The XG box does not support VLAN1; if your switch is setup to use a Default VLAN of 1, XG will not recognize it. I'm using a Netgear switch, and my VLANS are configured as 802.1Q.

I configured 2 VLANS for my physical port; VLAN 2 for my main network, and VLAN 3 for the guest wireless network.

On my switch, I set all ports as a PVID of 2

My switch is connected to my AP on Port 5, and to my XG on port 8; so port 8 is set to trunk for VLAN 2, and Port 5 and Port 8 Trunk for VLAN 3.

Both VLANs have their own unique subnets, and the Ubiquiti controller allows you to isolate subnets. Both VLANs have their own DHCP within Sophos.

All seems to work fine now; just have an 'unused' subnet on the physical port.

Hope this helps someone in some way.

Hi All,

I am using XG with 3 VLAN at home and I am not experiencing this issue. I have a Cisco Switch configured with 3 VLAN (1, 100, 200). The Cisco Port connected to XG is configured as show:

interface FastEthernet0/11
 description XG_LAN
 switchport trunk allowed vlan 1,100,200
 switchport mode trunk
 duplex full
 speed 100
 spanning-tree portfast

On XG I have 3 zones and 3 interfaces on one physical port.

See the screenshot:

Then I have all the needed policy rules configured. On the VLAN 100,200 I have VMs running on an ESXi.

Hope this help!

Also:

XG does support only VLAN 1 on the physical port and you cannot change it. Hope they will remove this limitation. If you need another VLAN on the physical port, you have to create VLAN.

 - that's an interesting point. Perhaps I wasn't setting this up in the "expected" fashion and this is why I was no longer able to communicate on that port. I was leaving it on a virtual nic that was in a port group with NO VLAN. So once I flipped the VLAN setups on and switched the connections to the appropriate VLAN's, I couldn't communicate on the non-VLAN virtual NIC I had connected. I did notice I could reach the IP from the VLAN side though it seemed. That would also explain why I'm in need of an IP on the physical port when I'm only planning to use VLAN's as it is expecting that I'm going to have management on VLAN1 - in my case that is not true as I'm not using mgmt VLAN since all other traffic is running either on the VLAN it should, or is managed through the virtual setup, aka the only place I NEED the mgmt VLAN is inside the virtual infrastructure. 

I think this might put me in the right direction to better configure and set this up as planned originally. I just need to account for a mgmt VLAN network that I might not actually be using, and once I do, I can hopefully get connected. 

ShawnMix,

the VLAN 1 is something needed on XG at the moment. In fact when you configure the physical port, it requires an IP address and VLAN ID cannot be changed. Hope to see improvements into v17. I have a customer that does not use VLAN 1 at all and leaving an interface with IP on VLAN 1 is not secure (must be disabled in some environment).

Let's see!

Hi lferrara,

if I understood you right then Port 1 (LAN - Physical) is VLAN1 by default.

Can I also use it tagged by default (config my switch port to VLAN1 tagged and

everything keeps working as before - while other ports of switch are VLAN1 untagged)?

Thanks for your help in advance,

Markus

PS.: This way I could config my switch-port connect to firewall to tagged and add the other vlans later :-P

Markus,

Switched by default tags vlan 1. Anyway check your switch configuration. I always prefer to add a vlan on XG physical port and tag that one.

Regards