Get wifi ipad user connected to Sophos AP to connect to Internet (WAN port 2)?

I've got the XG 85 running and would like to have wifi users (phones, ipads, etc) to be able to connect to either GuestAP or Sophos access points and be able to get to the internet (e.g., Port 2 WAN).  This is to allow the user to surf to www.sophos.com, for example, without getting a timeout on their device.  Unfortunately, I can get devices to connect to both the GuestAP and Sophos AP's with the passphrases, WPA2 Personal, but that is about it.  Examining the Sophos AP shows that it has "Bridge to AP LAN" (there is no WAN option anywhere I can find).  That seems to be handy but I have no option to "forward" the user to the WAN (Port 2) so they can actually get to the Internet.  When the user is connected on their device (such as "Sophos") it shows zero signal strength bars, which is odd because they are standing right next to the firewall (I have not yet tried to have them hug the firewall antenna to see if that would improve things).  Seems like it should be rather simple to do but I don't see it.

I've changed nothing with the wireless settings since I see nothing anywhere that gives me even the slightest clue as to allow a wifi user to connect (such as through "Sophos" or "GuestAP") ultimately to the internet via the XG firewall...the WAN/Port 2. How can I get the firewall to complete such a task since the users can get connected to wifi but they can't seem to do anything once connected?

  • Just to clear things up, I have the Sophos XG 85W Wireless Firewall, NOT the regular Sophos XG 85W Firewall (which does not have wireless).

  • LearningSophos,

    on XG you won't find a bridge interface when you have "AP bridge to LAN", even if you have an external Sophos AP.

    Make sure to create a firewall rule from LAN to WAN and change WPA2 to something else (even no password) temporarily to understand if your users can connect.

    If no one can connect through the Wi-Fi, maybe your XG85W is faulty.

    Regards

  • Thanks for the information!  I do have a firewall rule from LAN to WAN in place (the default one, until I'm to a point where everything is working okay). That one seems to indicate that the LAN to WAN is set up (regular hardwired users - such as computers - are able to get to the Internet).  The wireless section is showing connected users to "Sophos" as well, but no Internet connectivity in their devices.  Please see the compilation screenshot below.

     

    My question is, is there some other type of LAN to WAN rule that has to be set up on the firewall for wifi users?

  • After additional analysis I was able to answer the question "My question is, is there some other type of LAN to WAN rule that has to be set up on the firewall for wifi users?".

    The answer is yes.  The firewall rule to create is between wifi and WAN with (in this case) MASQ and a pointer to the gateway (Port 2/WAN).  This allows wifi users to connect to the XG Wireless Firewall and get to the Internet.

    One additional thing was done to reduce the users who may join the wifi network by "pre-approving" them via their MAC address.  This was accomplished by creating a MAC list and, after creation, adding that MAC list to the available wifi network.  See the screenshot compilation below.

  • Thanks for sharing it.

    So the AP belongs to the Wi-Fi zone.

    Maybe this is something necessary for Wi-Fi built-in models. I have a Sophos AP and the source zone is LAN (it depends on which zone you add the AP to).

  • Hi,

    Could you post the logs as per the command below?

    Under option 5-3 you may initiate shell access and run tail /log/wc_remote.log -n 200 after connecting the device to the Sophos AP.

    You may also try to open a website via a public address and check the traffic flow as per the packet capture.

    On console option 4 > tcpdump 'host <Website address> and port <80 or 443>'

    Check whether the traffic is sent out through the WAN port and whether any traffic came back in on any port at all.

    This would help isolate the issue you were experiencing.
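The two checks suggested above (did the client's request leave through the WAN port, and did anything come back) can be read off the capture by hand, but the following added example does it as a small offline script. It is not code from the thread or from Sophos: it runs over constructed tcpdump text, and it assumes (not confirmed by the thread) that the XG console's tcpdump prefixes each line with "<Port>, <IN|OUT>:", that Port2 is the WAN port, and that 192.168.2.50 (Wi-Fi client), 203.0.113.10 (the website) and 198.51.100.7 (the firewall's WAN address) are constructed addresses. It also covers the MASQ point from the earlier answer: an outbound packet on the WAN port that still carries the client's private address means the Wi-Fi-to-WAN rule is forwarding without MASQ, and the site will have no route for its reply.

```shell
#!/bin/sh
# Added example, not from the thread or from Sophos. Classifies tcpdump text to
# answer: did the HTTPS SYN leave via WAN, did a reply return, was MASQ applied?
# Assumed (unconfirmed) XG line format: "<time> <Port>, <IN|OUT>: IP <src> > <dst>: ..."
# All addresses and capture lines below are constructed.

WAN_PORT="Port2"
CLIENT="192.168.2.50"
SITE="203.0.113.10"

# Constructed: request seen on the Wi-Fi side, leaves WAN with the firewall's
# address 198.51.100.7 as source (MASQ applied), SYN-ACK returns on WAN.
GOOD_CAPTURE='10:01:02.100001 wlan0, IN: IP 192.168.2.50.51234 > 203.0.113.10.443: Flags [S], seq 1, win 65535, length 0
10:01:02.100120 Port2, OUT: IP 198.51.100.7.51234 > 203.0.113.10.443: Flags [S], seq 1, win 65535, length 0
10:01:02.130500 Port2, IN: IP 203.0.113.10.443 > 198.51.100.7.51234: Flags [S.], seq 9, ack 2, win 65535, length 0'

# Constructed: the symptom in this thread. The SYN (and its retransmit) is seen
# on the Wi-Fi interface but never appears on the WAN port, so no reply either.
DROPPED_CAPTURE='10:05:44.200001 wlan0, IN: IP 192.168.2.50.51235 > 203.0.113.10.443: Flags [S], seq 1, win 65535, length 0
10:05:45.200002 wlan0, IN: IP 192.168.2.50.51235 > 203.0.113.10.443: Flags [S], seq 1, win 65535, length 0'

# Constructed: a rule forwards the traffic but without MASQ, so the private
# source address leaks onto the WAN port and the site cannot route a reply back.
NOMASQ_CAPTURE='10:09:10.300001 wlan0, IN: IP 192.168.2.50.51236 > 203.0.113.10.443: Flags [S], seq 1, win 65535, length 0
10:09:10.300090 Port2, OUT: IP 192.168.2.50.51236 > 203.0.113.10.443: Flags [S], seq 1, win 65535, length 0'

# Count SYNs to the site's HTTPS port that left the WAN port.
# grep -c prints 0 and exits 1 on no match; "|| true" keeps the count usable.
count_wan_egress() {
    printf '%s\n' "$1" | grep -c "^[0-9:.]* ${WAN_PORT}, OUT: IP .* > ${SITE}\.443: Flags \[S]" || true
}

# Count packets from the site's HTTPS port that came back in on the WAN port.
count_wan_reply() {
    printf '%s\n' "$1" | grep -c "^[0-9:.]* ${WAN_PORT}, IN: IP ${SITE}\.443 > " || true
}

# Count outbound WAN packets still carrying the client's private address
# (the Wi-Fi-to-WAN rule is forwarding but MASQ is missing).
count_private_leak() {
    printf '%s\n' "$1" | grep -c "^[0-9:.]* ${WAN_PORT}, OUT: IP ${CLIENT}\." || true
}

# Turn the three counts into a one-word verdict.
verdict() {
    if [ "$(count_private_leak "$1")" -gt 0 ]; then
        echo "no-masq"
    elif [ "$(count_wan_egress "$1")" -eq 0 ]; then
        echo "not-forwarded"
    elif [ "$(count_wan_reply "$1")" -eq 0 ]; then
        echo "no-reply"
    else
        echo "ok"
    fi
}

for name in GOOD DROPPED NOMASQ; do
    eval "cap=\$${name}_CAPTURE"
    printf '%s: %s\n' "$name" "$(verdict "$cap")"
done
```

To use it on a real capture, paste the tcpdump output into a variable (or read it from a file with `verdict "$(cat capture.txt)"`) and adjust WAN_PORT, CLIENT and SITE. A "not-forwarded" verdict points at a missing or non-matching firewall rule for the Wi-Fi zone; "no-masq" points at a rule that forwards but does not translate the source address; "no-reply" means the packet left correctly and the problem lies upstream.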