
Assign several VLANs to one Access Point

Hi,

 

Let me first try to explain my current setup and my intention for having several VLANs on one AP. I use Sophos XG Firewall as a virtual appliance and a Sophos AP 100.

 

- I have one SSID (Access01) using "Bridge to AP LAN". Clients connected to this SSID can access all computers within my main network.

- I'd like to create a second SSID (Access02) to have a dedicated network for all kinds of IoT devices (cams, smart home control etc.). So I could easily create an SSID as a "separate zone" with internet access only. However, some of these devices are not Wi-Fi enabled, meaning they are plugged in via Ethernet cable. So in order to integrate Wi-Fi as well as non-Wi-Fi devices into this new network, I'd like to create a dedicated VLAN (VLAN50).

 

What I've done so far:

1. Create a DHCP Server using 192.168.50.1/24 with a Range of x.100 - x.200

2. Create a VLAN interface (VLAN50) with static IP 192.168.50.10

3. Create a Wireless Network "IOT" with "Bridge to VLAN" pointing to VLAN 50

So far everything seems to be correct. But now I try to assign this SSID "IOT" to my Access Point. This doesn't work, neither by assigning it directly to the AP nor by adding it to my Access Point Group DefaultGroup. The error message is:

"The current VLAN tagging setting in Access Point group is not compatible with the wireless network in bridge mode to VLAN"

If I then enable VLAN tagging with VLAN 50 on this AP I get the following message:

"The current VLAN tagging setting conflicts with Client Traffic option 'Bridge to AP LAN'."

 

So what does that actually mean? Is it not possible to have Wireless Networks configured as "bridge to VLAN" AND "bridge to AP LAN" running on the same physical AP?

 

Is there any workaround or even a completely different approach in order to achieve my goal? Do I need to use a second AP that I can assign this VLAN to?

 

Best Regards,

Peter



  • Hi Peter,

    I had the same issues on some customer projects.

    What you describe was a common setup with UTM Wireless Protection: to have some traffic untagged / bridged to the AP management LAN and to have other traffic / SSIDs moving into a tagged VLAN.

    Unfortunately this is currently not possible with XG Firewall. It is just the web frontend that doesn't allow it; the access point should be able to handle this traffic, because it is the same firmware as with UTM.

     

    As a workaround to use tagged VLANs, you could make that switch port hybrid (mixed tagged and untagged). You'll have a "one time use" network untagged on that access point; this network will only be needed for the access point to initially connect and to download its configuration from the XG Firewall. In the AP configuration you'll need to tell that AP which VLAN to use for further management. Then you can bind tagged SSIDs to that access point.

     

    1. One-time use management VLAN, untagged

    2. Constant management VLAN, tagged

    3. User SSID (can be tagged in the management VLAN)

    4. User SSID (tagged in a different user VLAN)

    All of these networks would need a running DHCP server.

     

     

    Yours Lukas

  • Hey Lukas,

     

    Thanks for the clarification.

    I connected a second access point, AP50, to use for this VLAN only. I'm now running into another issue. My Linksys managed switch is set up this way:

    - GE1 is connected to PortB of the XG Firewall. This port is facing towards the internal LAN and is also the port assigned to the VLAN interface PortB.10.

    - GE8 is where AP50 is connected.

    - Ports 1-4 are ports of the regular LAN.

    - Ports 5-8 are supposed to be the ports for VLAN10 only.

     

    I configured a DHCP server for the interface "Port B VLAN10 - 192.168.55.1" with a DHCP range of 55.100 to 55.200.

    However, none of the devices on ports 5-8 can obtain an address from the DHCP server.

     

    Is the configuration correct? Do I need specific firewall rules to have the devices connected to ports 5-8 obtain an IP address from the 192.168.55.0/24 network?

     

    Greetz

    Peter

  • Hi Peter,

    You don't need any firewall rules to obtain addresses from an XG-hosted DHCP server.

    I can't tell if your configuration is correct. Please share a screenshot of your internal interfaces PortB and PortB.10 (the overview should be enough) and one screenshot of the DHCP summary page.

     

    Yours Lukas

  • Alright, that was what I assumed regarding the firewall rules.

     

    Here are the screenshots.

    Interfaces:

     

    DHCP Servers:

    Zones:

     

    BR

  • Hi Peter,

    Thanks for your screenshots.

    Everything looks perfectly OK.

    Maybe it is related to your switch's VLAN configuration; it looked OK, but I am not familiar with the Linksys web UI.

    Please connect a PC to a VLAN 10 access port, manually assign that PC an IP from the 192.168.55.0/24 segment and try to ping the XG's IP 192.168.55.1.

     

    Yours Lukas

  • I did, and there is no response from 192.168.55.1.

     

    BR

  • Alright, I did some further testing.

     

    I configured the NIC of Laptop 1 for VLAN10 (using Intel Advanced Network Services) and have a Laptop 2 for testing purposes. Port settings on the switch are the same as in the picture above.

    - Laptop 1 (192.168.55.50, VLAN10) on trunk port GE1 (VLAN1 untagged, VLAN10 tagged) <-> Laptop 2 (192.168.55.60) on access port GE5 (VLAN10 untagged)

    = both Laptops can ping each other

    - Laptop 1 (192.168.55.50, VLAN10) directly connected to Port B of the XG Firewall

    = ping fails

     

    That sounds to me like the issue is somehow with the XG Firewall settings, since the switch trunk does work and transports VLAN10 packets. Are you sure that there is no firewall rule needed to have the internal XG DHCP server communicate with connected devices via PortB.10? If so, what else is misconfigured?

     

    Best Regards,

    Peter
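The test above turns on whether VLAN 10 frames reach the firewall port tagged (as on the GE1 trunk) or untagged (as on the GE5 access port). As an added example that is not part of the thread, the following Python builds constructed 802.1Q frames and parses the tag back out, so a capture taken on either side of the switch can be checked for the VID that the PortB.10 sub-interface expects; the MAC addresses and payloads are made up.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q VLAN tag

def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Build an Ethernet II frame; insert an 802.1Q tag when vlan_id is given."""
    hdr = dst + src
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)       # PCP(3) | DEI(1) | VID(12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return (vlan_id, ethertype, payload); vlan_id is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan_id = 14, None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF
        offset = 18
    return vlan_id, ethertype, frame[offset:]

def summarize_capture(frames, expected_vlan):
    """Describe what a port carries: which tagged VIDs appear, how many frames were
    untagged, and whether the VLAN the firewall sub-interface expects is present."""
    tagged, untagged = set(), 0
    for f in frames:
        vid, _, _ = parse_frame(f)
        if vid is None:
            untagged += 1
        else:
            tagged.add(vid)
    return {"tagged_vlans": sorted(tagged), "untagged_frames": untagged,
            "carries_expected_vlan": expected_vlan in tagged}

# Constructed sample frames (not real captures): two tagged for VLAN 10 as a trunk
# port would deliver them, one untagged as an access port would deliver it.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("02aabbcc0001")  # locally administered, made-up MAC
SAMPLE_FRAMES = [
    build_frame(DST, SRC, 0x0806, b"\x00\x01\x08\x00ARP", vlan_id=10),
    build_frame(DST, SRC, 0x0800, b"DHCP DISCOVER", vlan_id=10, pcp=1),
    build_frame(DST, SRC, 0x0800, b"DHCP DISCOVER"),
]

if __name__ == "__main__":
    print(summarize_capture(SAMPLE_FRAMES, expected_vlan=10))
```

A capture that shows only untagged frames where a tagged VLAN 10 is expected points at the switch port mode or the hypervisor's VLAN setting rather than at the firewall rules.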

  • OK, I figured out what the issue was.

    The XG Firewall runs as a virtual appliance on ESXi. Here I had missed setting up the NIC in ESXi to accept all VLANs instead of none.

    Now the clients get their respective DHCP addresses, and after setting up an "IOT_VLAN10:NETWORK_192.168.55.0 to WAN any" firewall rule they also got internet access.

     

    Back to the initial topic:

    - I plugged the second Sophos AP into Port 8 on the switch.

    - The Access Point is configured for VLAN tagging on VLAN10.

    - The SSID is set to Bridge to VLAN 10.

     

    In order to make this setup work I had to switch GE to trunking with VLAN10 tagged and VLAN1 untagged. An access port on VLAN10 only doesn't work. This way the AP is still shown as active in the XG web interface, but clients don't get an IP address. Is this the desired behaviour, or are there other options to configure this AP?

     

    Best

    Peter