
Create VLAN for WiFi Access Points

Hi everyone, 

I'm trying to create a VLAN for some Ubiquiti UniFi access points and I just can't seem to get it working correctly. 

In my interface for the access points I assigned them a VLAN ID of 2, as shown here: http://screencast.com/t/s8VuPEud7

In my Cisco SG-500 switch I created a VLAN as shown here: http://screencast.com/t/wcAMNUwJ 

I set all the ports to Trunk and accept all frames as shown here: http://screencast.com/t/TO0EcTH6iY 

Since the AP that is plugged into the port of the switch will be passing frames with the default VLAN of 1 and also with VLAN 2, I left the port untagged for VLAN 1 as shown here http://screencast.com/t/fjVBw9gcal and then VLAN ID 2 is tagged on the port the AP is connected to as well as the port the machine running Sophos XG is connected to, as shown here: http://screencast.com/t/MdJhozsoI 

Here you can see those ports and the VLAN memberships: http://screencast.com/t/b9P8sWJ1m 

In Sophos I then created a new Zone for the guests as shown here: http://screencast.com/t/IRTPRWYrsG 

I then created a new VLAN interface and assigned it an ID of 2, then assigned it to the zone I created in the previous step, as shown here: http://screencast.com/t/tA77JnCRdFDt

Finally, I created a DHCP service and selected the VLAN interface that I created from the previous step, as shown here: http://screencast.com/t/IA5yZnYtwP 

I thought that's all I needed, but it doesn't appear to be working. My devices are unable to obtain an IP address when they connect to the AP. I'm sure I've missed a step or did something incorrectly. Any assistance would be greatly appreciated. 

Thanks,
Christopher



  • :) I actually set my network up this week with the same hardware as you. This is how I did it:

    Set the VLANs on the UTM and the switch (the switch is in layer 2 mode). On the trunk connection between the UTM and the switch, add VLAN 2 as tagged. Then on the port the UTM is connected to, add VLAN 2 as tagged; I left the infrastructure VLAN as untagged.

    Make sure on the UTM you add VLAN 2 to DHCP, firewall rules, NAT and DNS.

    Connect the UniFi AP; it gets an IP assigned from the infrastructure network as it's untagged. Then connect a laptop to the infrastructure network, load up the UniFi Controller and adopt the AP.

    From the UniFi Controller add the network SSID and under advanced use the VLAN tag option.

    I got all my APs managed on the infrastructure VLAN, and any broadcast SSID goes via a tagged VLAN.

  • In case anyone stumbles across this thread looking for specific directions, I set up a guest wifi VLAN using a TP-LINK EAP245 access point, a TP-LINK TL-SG105E Easy Smart switch (both support VLANs), and a Sophos XG running on a QNAP TS-251 VM in Virtualization Station.

    TP-LINK EAP245 access point, running firmware 1.4.0 Build 20180323 Rel. 32551(5553):

    1. Configure SSIDs with VLANs. As some earlier posters noted, it's best to configure all SSIDs with VLANs rather than leaving some SSIDs untagged. Wireless -> Wireless Settings -> 2.4 GHz or 5 GHz -> Add (or modify existing) SSID, "Wireless VLAN ID" input textbox

    TP-LINK TL-SG105E v3 switch, running firmware 1.0.0 Build 20171214 Rel.70092:

    2. Using 802.1q VLAN configuration, tag all VLANs on the port where the AP is connected, and also the port where the Sophos XG is connected. VLAN -> 802.1Q VLAN -> Enable -> Apply button

    3. Enter "VLAN ID" in the input textbox (should match VLAN ID in step 1 above), select "Tagged" for ports where AP and Sophos XG are connected, Add / Modify button.

    4. I left all the PVID settings to 1 by default. Again, I tagged all the different SSIDs with VLAN IDs rather than have any untagged traffic coming from the AP.

    Sophos XG, running SFOS 17.1.1 MR-1 - create VLAN interfaces

    5. Create VLAN interfaces on the LAN port where the wireless traffic will be coming from. I just added all of the VLAN interfaces to the LAN zone (rather than creating new zones for each VLAN). Network -> Interfaces -> Add Interface -> Add VLAN

    6. I assigned all the VLAN interfaces to the "LAN" zone

    7. IP assignment - give it a static IP address, like 192.168.100.1/24 -> Save

    Sophos XG - create DHCP scopes

    8. Create a DHCP "server" for each VLAN. Network -> DHCP -> Server section -> Add

    9. Choose the VLAN interface you created in steps 5-7 above

    10. Enter the DHCP IP range - should be in the same network as the VLAN interface static IP you created in step 7 above, like 192.168.100.2 - 192.168.100.20. Tip - do NOT create a wifi VLAN / DHCP server in the same network as your Sophos XG internal static IP address (ie, if you create a VLAN interface at 192.168.100.1 and a DHCP server in the 192.168.100.0/24 network, make sure your Sophos XG LAN interface port is NOT on that same 192.168.100.0/24 network). I did that at first, and my clients would only connect for a second and then immediately disconnect.

    11. I used a subnet mask of /24 (255.255.255.0) for each DHCP server. I avoided creating DHCP servers with overlapping networks based on their subnet mask, even if the DHCP IP ranges themselves were not overlapping. Tip - make sure you don't have any static IP assignments in the wrong DHCP scope (ie - you used to connect everything to the "home" wifi network and had DHCP reservations there, but connecting an existing device to your new "guest" wifi network won't work if that device still has a reservation in the "home" network).

    12. For the DNS settings, if you're using a local DNS server on the LAN, you'll need to create a firewall rule to allow traffic from the guest wifi network to the DNS server (assuming you block all other traffic).

    Sophos XG - create IP network object

    13. Hosts and Services -> IP Host -> Add

    14. I added the Guest Wifi as a network, ie 192.168.100.0/24

    Sophos XG - create firewall rules

    15. I created several firewall rules, but you may not need all of them.

    a. Rule allowing traffic from LAN zone, Guest Wifi network, to LAN zone, DNS server

    b. Rule allowing traffic from LAN zone, Guest Wifi network, to LAN zone, wireless access point (the TP-Link EAP245 has the ability to serve a portal login page, so the clients need to be able to access the TP-Link EAP245). Also, before rule (c) below, add any other rules here where you want devices on the Guest Wifi network to be able to access other devices or networks in your LAN zone.

    c. Rule blocking traffic from LAN zone, Guest Wifi network, to LAN zone, other specific networks (like your Home wifi network, your wired network, etc.)

    d. Rule allowing traffic from LAN zone, Guest Wifi network, to WAN zone, Any host. My setup required checking the box to NAT / rewrite the source address, select a MASQ outbound address, and select WAN Link Load Balance as the Primary Gateway. Also apply any scanning and policy options desired.

    Other things I did:

    16. In addition to the Guest and Home wifi networks / VLANs, I also set up a separate wifi network / VLAN for Internet of Things (IoT) devices like media streaming devices, smart TVs, etc.

    17. In order to be able to discover and control the IoT devices from the Home wifi network, I set up an old laptop with Ubuntu and connected the wired interface to the TP-Link TL-SG105E switch on the Home VLAN (tagged the port on the switch). Configured VLAN on the laptop - see https://wiki.ubuntu.com/vlan and https://unix.stackexchange.com/questions/335135/ubuntu-16-04-not-getting-dhcp-lease . Then connected the laptop wifi to the IoT wifi network. This connects the laptop to both the IoT network and the Home wifi network, allowing it to forward multicast across VLANs. I installed and ran avahi-daemon to do that - see comments at the bottom of https://medium.com/beyond-the-helpdesk/chromecast-in-95-rooms-835d1f0bd040

     

    Hope this helps. All the documentation / forum posts I researched gave general guidance, but lacked a lot of specifics.
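The two replies above describe the same layout: one VLAN interface per SSID on the firewall, a DHCP pool inside each VLAN's network, no overlap with the firewall's physical LAN network, and allow rules (DNS, AP portal) placed ahead of the block rule so they are not swallowed by it. The following offline checker is an added example, not code from either poster or from Sophos; the addresses, VLAN IDs and rule list are constructed for illustration, and the rule model (first match wins, a destination of "WAN" for Internet-bound rules) is an assumption made for the example rather than the SFOS rule engine itself.

```python
import ipaddress

# Constructed sample layout (assumption: illustrative addresses, not the poster's).
LAN_INTERFACE = "192.168.1.1/24"  # Sophos XG physical LAN port (step 10 tip)

# name -> (VLAN ID, VLAN interface address, first DHCP address, last DHCP address)
VLAN_INTERFACES = {
    "guest": (2, "192.168.100.1/24", "192.168.100.2", "192.168.100.20"),
    "iot":   (3, "192.168.101.1/24", "192.168.101.2", "192.168.101.50"),
}

# (action, source network, destination network or "WAN"), first match wins.
FIREWALL_RULES = [
    ("allow", "192.168.100.0/24", "192.168.1.53/32"),  # step 15a: DNS server
    ("allow", "192.168.100.0/24", "192.168.1.10/32"),  # step 15b: AP portal page
    ("block", "192.168.100.0/24", "192.168.1.0/24"),   # step 15c: rest of the LAN
    ("allow", "192.168.100.0/24", "WAN"),              # step 15d: Internet via NAT
]


def check_dhcp_scopes(lan_interface, vlan_interfaces):
    """Steps 10-11: each DHCP pool must sit inside its VLAN interface's
    network and exclude the gateway address, and no VLAN network may
    overlap another VLAN or the physical LAN port network."""
    problems = []
    lan_net = ipaddress.ip_interface(lan_interface).network
    seen = {}
    for name, (vlan_id, addr, first, last) in vlan_interfaces.items():
        iface = ipaddress.ip_interface(addr)
        net = iface.network
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo > hi or lo not in net or hi not in net:
            problems.append(f"{name} (VLAN {vlan_id}): pool {first}-{last} not inside {net}")
        if lo <= iface.ip <= hi:
            problems.append(f"{name} (VLAN {vlan_id}): gateway {iface.ip} is inside the pool")
        if net.overlaps(lan_net):
            problems.append(f"{name} (VLAN {vlan_id}): {net} overlaps LAN port network {lan_net}")
        for other, other_net in seen.items():
            if net.overlaps(other_net):
                problems.append(f"{name} (VLAN {vlan_id}): {net} overlaps {other} ({other_net})")
        seen[name] = net
    return problems


def shadowed_allow_rules(rules):
    """Step 15: with first-match evaluation, an allow rule placed after a
    block rule that already covers its source and destination can never
    fire. Returns (allow_index, blocking_index) pairs."""
    shadowed = []
    for i, (action, src, dst) in enumerate(rules):
        if action != "allow" or dst == "WAN":
            continue
        s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        for j in range(i):
            p_action, p_src, p_dst = rules[j]
            if p_action == "block" and p_dst != "WAN" \
                    and ipaddress.ip_network(p_src).supernet_of(s) \
                    and ipaddress.ip_network(p_dst).supernet_of(d):
                shadowed.append((i, j))
                break
    return shadowed


if __name__ == "__main__":
    for p in check_dhcp_scopes(LAN_INTERFACE, VLAN_INTERFACES):
        print("DHCP:", p)
    for allow_i, block_j in shadowed_allow_rules(FIREWALL_RULES):
        print(f"firewall: rule {allow_i} is shadowed by block rule {block_j}")
    print("checks done")
```

Run it against your own interface list before touching the firewall: the overlap check reproduces the "connects for a second, then drops" mistake from step 10 (VLAN network sharing the LAN port's network), and the shadowing check catches the ordering problem step 15 warns about (placing rule (c) above rules (a) and (b)).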
