Assign several VLANs to one Access Point

Hi,

 

Let me first try to explain my current setup and the intention for having several VLANs on one AP. I use Sophos XG Firewall as a virtual appliance and a Sophos AP 100.

 

- I have one SSID (Access01) using "Bridge to AP LAN". Clients connected to this SSID can access all computers within my main network.

- I'd like to create a second SSID (Access02) to have a dedicated network for all kinds of IoT devices (cams, smart home control etc.). So I could easily create an SSID as "separate zone" with internet access only. However, some of these devices are not WiFi enabled, meaning they are plugged in via Ethernet cable. So in order to integrate WiFi as well as non-WiFi devices into this new network, I'd like to create a dedicated VLAN (VLAN50).

 

What I've done so far:

1. Create a DHCP Server using 192.168.50.1/24 with a Range of x.100 - x.200

2. Create a Vlan Interface (Vlan50) with static IP 192.168.50.10

3. Create a Wireless Network "IOT" "Bridge to Vlan" pointing to Vlan 50

So far everything seems to be correct. But now I try to assign this SSID "IOT" to my Access Point. This doesn't work, neither by directly assigning it to the AP nor by adding it to my Access Point Group DefaultGroup. The error message is:

"The current VLAN tagging setting in Access Point group is not compatible with the wireless network in bridge mode to VLAN"

If I then enable Vlan Tagging with Vlan 50 on this AP I get the following message:

"The current VLAN tagging setting conflicts with Client Traffic option 'Bridge to AP LAN'."

 

So what does that actually mean? Is it not possible to have Wireless Networks configured as "bridge to VLAN" AND "bridge to AP LAN" running on the same physical AP?

 

Is there any workaround or even a completely different approach in order to achieve my goal? Do I need to use a second AP where I can assign this VLAN to?

 

Best Regards,

Peter



  • Hi Peter,

    are you using a managed switch to achieve vlan isolation? 

    Ian

    I have a smart switch which has two VLANs. I have created two new SSIDs with one assigned to each VLAN as tagged in the SSID configuration. Only one VLAN appears on the switch port the AP is connected to. I will do some testing and report back.

  • Hi rfcat,

     

    yes, I do use a managed switch. What I have done so far, is purely related to the Firewall.

    Do you have non-vlan (bridge to AP LAN e.g.) on the same AP?

     

    br

  • I have 3 SSIDs on the AP that are bridged to LAN.

    Waiting for a software upgrade to complete before I can test the WiFi access.

    Ian

  • Let me clarify this.

    You have 3 SSIDs "bridge to AP LAN" plus 2 VLANs running on the same AP?

    If so, how did you enable this in the wireless > access point settings without getting the error message mentioned above?

     

    br

  • Hi,

    My test setup did not work for a very simple reason: I did not have extra VLANs enabled on my switch. I would need to set up 2 more VLANs with the port the AP is connected to as tagged so the parameters can be passed to the AP.

    Let me play some more and see what happens.

     

    Ian

  • No, broke the same as your results. Need to have a second AP to use VLANs and set it up to use VLANs interface.

    I have a spare AP if you would like me to test this scenario for you?

    Ian

  • That would be great. 

     

    I think it's weird that a business-grade Hotspot like the AP100 is not capable of handling more than one VLAN. An official statement from Sophos on that topic would be helpful.

     

    BR

  • Hi Peter,

    I will try tomorrow my time. One VLAN and not a bridge to lan connection, needs to be investigated. I have a 55C spare and a 50 if need be.

    Ian

  • Hi,

    1/. added an AP55c with VLAN tagging enabled to one of the new VLANs

    2/. created access point group with VLAN tagging enabled assigned to one of the new VLANs

    3/. created WiFi SSIDs assigned to different VLANs and added to access point groups

    4/. created DHCP servers for each vlan 

    5/. I suspect you will need to make sure that the switch port has an untagged access to your main network.

    6/. you cannot add a non VLAN SSID to the VLAN AP.

     

    I haven't set up any rules to test access beyond assigning an IP address from each VLAN DHCP server.

    Ian

    Update: automatic channel assignment checking for interference does not work on the 5 GHz band wireless. I have logged a fault during the beta and somewhere in the normal forum about this issue. So far the issue has not been addressed by Sophos. Both AP55Cs are within 1 metre of each other and both using channel 132.

  • Hi Ian,

     

    thanks for testing. 

    I can get my hands on an AP50. That means I could assign this AP to my VLAN plus set up VLAN ports on my managed switch and that way achieve my purpose of having a separated network with internet-only access. The drawback, of course, is the use of two APs. I'll test as soon as I receive the AP50 and let you know my results.

     

    Regarding the channel selection, let us know what you figure out. A workaround would be manual channel selection, of course.

     

    BR

    Peter