I just replaced our old Apple "AirPorts" with Sophos AP 100C access points. When I enabled Wireless Protection I did the following:
- Enabled Wireless Protection with "Internal" as the allowed interface.
- Created a matching wireless network, Bridged to the AP LAN, which is our internal network, the same LAN where the access points are connected.
- Activated the access points, set the 2.4 and 5 GHz channels to match the Apple access points they replaced to minimize interference with each other and nearby unrelated "neighbor" access points.
At this point, we have the equivalent of our previous wireless network. For a laptop, using the WiFi is functionally equivalent to an Ethernet connection on the internal LAN.
The next steps are to add two new SSIDs (wireless networks): one for Guests and one for wireless appliances (e.g., the kitchen oven, the TV sets, etc.). Those wireless networks must be blocked from seeing or knowing about the LAN, but should still be able to connect to the internet through the firewall. I assume that I must create two new DHCP servers for the two new networks.
QUESTION:
-> How do I choose between "Separate Zone" AND "Bridge to VLAN"?
There is a warning about MTU being reduced if Separate Zone is chosen. Otherwise, I am trying to understand the difference and the implication of choosing one over the other.
Please share your experience and advice regarding the best way to set up these Guest and Appliance wireless networks, isolated from the LAN. It will be most appreciated.
P.S. The access points are connected to the UTM via unmanaged switches. Each access point is connected to a small unmanaged switch, to share the single Ethernet jack with other devices in the room. The Ethernet cables from the rooms all join together in my office closet at a larger unmanaged switch, which is connected to the LAN port on the UTM.