Sophos XG VLANS + Unifi

Notice: Page may contain affiliate links for which we may earn a small commission through services like Amazon Affiliates or Skimlinks.

skierman81

New Member
Oct 15, 2016
1
0
1
43
Hello!
I'm having a problem that's a bit similar to some posts I've ready, but I think my issue is unique enough to start a separate thread.

I am using Sophos XG to serve as my primary firewall/gateway/DHCP server for my home network.
Sophos XG is running on a dual NIC box, port 1 is connected to my cable model, Port 2 on the Sophos unit is connected to Port 8 a Netgear GS108Ev1 managed switch.

A Ubiquiti Unifi AP is connected to Port 5 on that same Netgear switch.

Using Sophos UTM (which allows one to configure a VLAN with ID of 1), I had that as my main "internal" VLAN, and VLAN2 was created for the guest Wifi network. On the Netgear, Port 5 and Port 8 were setup as tagged or trunked ports for both VLANS, all others ports (which are in use) were left as untagged. With Sophos UTM, this worked. With Sophos XG, it does not appear to - in fact, as soon as I activate this VLAN configuration, no traffic seems to get processed by the Sophos box.

I setup a VLAN interface 2.1 on the XG box to be the Guest VLAN (2), setup a guest zone and gave it full access to the WAN under firewall rules, setup a DCHP server within Sophos to assign DHCP. The main LAN (port 2, no VLAN assignment) is setup to use 10.0.0.1/24, and the VLAN 2 was setup to use 10.0.2.1/24

On the Netgear switch, using 802.1Q VLAN, I have port 5 and 8 set to be tagged for VLAN 2, all ports untagged for VLAN 1. (This Netgear switch requires a VLAN ID 1)

Using this setup, when attempted to connect to the guest WLAN behind VLAN2, clients can not obtain an IP address.

Any thoughts or suggestions for how to make this work would be greatly appreciated; I've spent countless hours trying to get this to work!!
 

Dww0311

Member
May 19, 2017
49
7
8
57
Not to resurrect the dead, but:

Unifi is quirky with respect to operating with multiple VLANs on an AP. The native VLAN on your AP (i.e. the IP address of the AP itself) has to match the native VLAN on your switch / same VLAN that your controller is on, or else the controller will never adopt the AP.

The port itself has to operate in trunk mode, or else wireless clients will never obtain an IP address.

I'm not familiar with Netgear CLI, but just as an example, on a Cisco switch, the port would be configured as:


interface FastEthernet0/13

description Wireless Access Point 4

switchport trunk encapsulation dot1q

switchport trunk native vlan 50

switchport trunk allowed vlan 10,50,70

switchport mode trunk


Obviously you'd want to change that to match your VLAN topology. You can translate that to Netgear / other managed switch verbiage as required
 
Last edited:

wildchild

Active Member
Feb 4, 2014
389
57
28
Not to resurrect the dead, but:

Unifi is quirky with respect to operating with multiple VLANs on an AP. The native VLAN on your AP (i.e. the IP address of the AP itself) has to match the native VLAN on your switch / same VLAN that your controller is on, or else the controller will never adopt the AP.

The port itself has to operate in trunk mode, or else wireless clients will never obtain an IP address.

I'm not familiar with Netgear CLI, but just as an example, on a Cisco switch, the port would be configured as:


interface FastEthernet0/13

description Wireless Access Point 4

switchport trunk encapsulation dot1q

switchport trunk native vlan 50

switchport trunk allowed vlan 10,50,70

switchport mode trunk


Obviously you'd want to change that to match your VLAN topology. You can translate that to Netgear / other managed switch verbiage as required
Actually, this is rfc