Sophos XG Access Point




Today, I’d like to share a short Networking video that covers the basics of setting up wireless networking on a W model XG Series appliance with integrated wireless access point. You can see the status of your wireless access points in the Network Security Control Center. Sophos APX Series access points are now supported on every platform: Sophos Central, XG Firewall, and Sophos SG UTM (from v9.7). With our latest generation of access points, you can offer an attractive replacement for every one of our legacy AP Series indoor models.

  1. Connect the Access Point to XG Firewall. Connect the Sophos access point to get the IP Address leased by the DHCP server running on the back office appliance and you will get the DHCP option (configured in step 3). Since traffic flows to and from the VPN and LAN zone, create two network firewall rules to make it work.
  2. I needed better wifi coverage in my rooms so I picked this up on eBay new for $30 shipped. Sophos access points are lightweight and they are controlled from.

When friends and family are visiting and require wifi access, we typically give them complete access to our network by providing the password to our wireless access point. While most friends and especially family wouldn’t be doing anything malicious on our network, the bigger concern is the devices they’re using to connect to the network could potentially be infected with viruses or malware, possibly spreading to other devices on our network. In most cases, guests simply need internet access and an easy way to allow this while keeping them isolated from the rest of your network is by creating a separate guest network.

If your wireless access point supports creating multiple wireless networks or has a guest network feature, you can use VLANs to isolate the guest network from your private network, which I explain in this post. The steps below explain how to set up a guest wireless network using a separate wireless access point, which in this case is an Apple Airport Express.

1. Set up the device you’ll be using as a second wireless access point for guest users. Configure the wireless settings as desired (i.e. create a different SSID and password from your main wireless network). Also change the mode of your device to ‘Bridge Mode’. For Apple devices, this is located in the Airport Utility under the ‘Network’ tab -> ‘Router Mode’ -> ‘Off (Bridge Mode)’.

2. Plug your guest wireless access point into an open ethernet port on your Sophos XG device.

3. From the Sophos XG web user interface, first set up the new interface by accessing the ‘Interfaces’ tab on the ‘Network’ page and selecting the port you plugged the guest wireless access point into. Configure the following settings:

  • Network Zone: Specify the zone this new interface will be. For this example, choose ‘LAN’.
  • IPv4 Configuration: This should be checked.
  • IP Assignment: Select ‘Static’ since we will define the IP address for this interface.
  • IPv4/Netmask: Enter an IP address for this interface that is in a different subnet than the interface for your main network. For example, if your main network interface has an IP of 172.16.16.16 (Sophos XG default), something such as ‘172.16.17.17’ will work. Leave the netmask defaulted to ‘24/255.255.255.0’.
  • Leave ‘IPv6 Configuration’ unchecked unless you obviously need IPv6 for your network.
  • The advanced settings can be left to their default settings. Click ‘Save’ at the bottom.

4. Next, create an IP Host for the guest subnet to be used for a firewall rule. Access the ‘IP Host’ tab on the ‘Host and Services’ page and click ‘Add’. Configure the following settings:

  • Name: Type in a name such as ‘Guest Subnet’.
  • IP Address: Type in the IP address for this guest network such as ‘172.16.17.0’ and leave the default subnet to ‘/24 (255.255.255.0)’.
  • IP Host Group: This allows you to add this IP Host to an IP Host Group but for this example, leave it blank. Click ‘Save’ at the bottom.

5. Create a DHCP server for your guest network by accessing the ‘DHCP’ tab on the ‘Network’ page. Under the ‘Server’ section, click ‘Add’ and configure the following settings:

  • Name: Provide a name such as ‘Guest DHCP’.
  • Interface: Select the port your guest wireless access point is connected to.
  • Start IP: Enter the starting IP address for the range that will be available for assignment to users on the guest network. For example, ‘172.16.17.18’.
  • End IP: Enter the ending IP address. For example, ‘172.16.17.254’.
  • Subnet Mask: Leave the default of ‘/24 (255.255.255.0)’.
  • Domain Name: This can be left blank.
  • Gateway: Leave the default ‘Use Interface IP as Gateway’ checked.
  • Default Lease Time/Max Lease Time: Leave the default values.
  • Conflict Detection: Enable this so clients aren’t being assigned the same IP address.

6. Create a firewall rule that will allow users on the guest network to access the internet. Access the ‘Firewall’ page and click ‘Add Firewall Rule’ -> ‘User/Network Rule’. If you’re unfamiliar with the firewall rule settings, see my previous guide on firewall rules. Configure the following settings:

  • Rule Name: Provide a name such as ‘Guest Network’.
  • Description: Provide a description as desired.
  • Action: Accept
  • Source Zone: Select ‘LAN’ since this is the zone we added the guest interface to.
  • Source Networks and Devices: Select the IP Host we created in step 4, ‘Guest Subnet’.
  • During Scheduled Time: Set this as desired but for this example, we’ll leave it set to ‘All the Time’.
  • Destination Zone: Select ‘WAN’ since we want users to be able to access our ISP modem/internet.
  • Destination Networks: Select ‘Any’ since we don’t know exactly what protocols and/or ports our guest users will be utilizing.
  • Configure the rest of the settings as desired and click ‘Save’ at the bottom.

7. You should now be able to connect to your guest network and have full access to the internet. Of note, you can still access your Sophos XG web user interface from this guest network since the interface falls under the ‘LAN’ zone. See my other post on completely isolating the guest and local networks.


(Optional) If desired, you can limit the bandwidth available for your guest users by creating a Traffic Shaping Policy for the firewall rule we just created. You can create a new policy from the firewall rule page itself by clicking the ‘Traffic Shaping Policy’ drop-down and selecting ‘Create new’. This page can also be accessed on the ‘Traffic Shaping’ tab on the ‘System Services’ page. Configure the following settings:

  • Name: Provide a name such as ‘Guest Rule’.
  • Policy Association: Select ‘Rule’ since this will be applied to a firewall rule.
  • Rule Type: Select ‘Limit’ as the goal is to limit the available bandwidth to guest users.
  • Limit Upload/Download Separately: As the name implies, you can set a limit on the upload and download bandwidth throughput separately. For this example, select ‘Enable’.
  • Priority: This setting allows you to define priorities such that if you have multiple traffic shaping policies, Sophos XG will know how to prioritize the various connections. For this example, select ‘3 – (Normal)’ as our guest users just need basic internet access.
  • Upload Bandwidth: Specify the maximum upload speed in KBps (not to be confused with Kbps). Search for ‘Mbps to KBps’ using Google to convert Mbps, which is most commonly used for bandwidth speeds, to KBps. For example, if I want to limit my guest users’ upload to 10 Mbps, enter ‘1250’ into this field.
  • Download Bandwidth: Same as above except for the download speed. For example, if I want to limit guest users to a download of 100 Mbps, enter ‘12500’ into this field.
  • Bandwidth Usage Type: Leave ‘Individual’ selected as this policy will apply to the entire guest firewall rule. Click ‘Save’ at the bottom.


Make sure to assign this new Traffic Shaping Policy to your guest firewall rule.
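The address plan from steps 3 to 5 and the KBps values for the traffic shaping policy can be checked before they are typed into the web interface. The script below is an added example, not part of the original guide or of any Sophos tooling; the function names are hypothetical and the sample values are the ones used in the steps above.

```python
import ipaddress

def check_guest_plan(main_if, guest_if, dhcp_start, dhcp_end):
    """Return a list of problems with the guest address plan (empty list = OK)."""
    main = ipaddress.ip_interface(main_if)    # main LAN interface, e.g. 172.16.16.16/24
    guest = ipaddress.ip_interface(guest_if)  # guest interface from step 3
    start = ipaddress.ip_address(dhcp_start)  # DHCP range from step 5
    end = ipaddress.ip_address(dhcp_end)
    net = guest.network                       # should match the IP Host from step 4
    problems = []
    # The guest interface must sit in a different subnet than the main network.
    if main.network.overlaps(net):
        problems.append(f"guest subnet {net} overlaps main subnet {main.network}")
    if start > end:
        problems.append("DHCP start IP is above end IP")
    for label, ip in (("start", start), ("end", end)):
        if ip not in net:
            problems.append(f"DHCP {label} {ip} is outside {net}")
        elif ip in (net.network_address, net.broadcast_address):
            problems.append(f"DHCP {label} {ip} is the network or broadcast address")
    # The interface IP is the guests' gateway, so it must never be leased out.
    if start <= guest.ip <= end:
        problems.append(f"interface IP {guest.ip} is inside the DHCP range")
    return problems

def mbps_to_kbytes_per_s(mbps):
    """Convert megabits per second to kilobytes per second (KBps): 1 Mbps = 125 KBps."""
    return int(mbps * 1000 / 8)

if __name__ == "__main__":
    # Values taken from the walkthrough above.
    issues = check_guest_plan("172.16.16.16/24", "172.16.17.17/24",
                              "172.16.17.18", "172.16.17.254")
    print("address plan:", issues or "OK")
    print("upload limit for 10 Mbps:", mbps_to_kbytes_per_s(10), "KBps")
    print("download limit for 100 Mbps:", mbps_to_kbytes_per_s(100), "KBps")
```

An empty list means the guest subnet is separate from the main one, the DHCP range lies inside it, and the interface IP that serves as the gateway cannot be handed to a client.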




