VLAN tagging requirements
You can assign an access point to a wireless network only if the client traffic option of the wireless network and the VLAN tagging option of the access point are compatible.
To introduce VLANs for the access points in your network, do as follows:
- Connect the AP to Sophos Firewall using standard LAN for at least a minute. This is necessary for the AP to get its configuration. If you connect the AP through a VLAN from the beginning, it won't know it's in a VLAN and can't connect to Sophos Firewall to get its configuration.
- When the AP appears in the list of available access points, turn on VLAN tagging and enter the VLAN ID.
- Then connect the AP to its intended VLAN.
- Make sure that the VLAN interface is added to the allowed zone under Wireless settings > Allowed zone.
When there is a switch between the AP and Sophos Firewall, you must connect the AP to a trunk port on the switch.
When VLAN tagging is configured, the AP tries DHCP on the configured VLAN for 60 seconds. If it doesn't receive an IP address during that time, the AP tries DHCP on the regular LAN as a fallback.
Wireless network configuration
- For wireless networks configured as a separate zone, VLAN tagging of the access point can be turned on or off.
- For wireless networks configured as a bridge to an access point VLAN, VLAN tagging of the access point must be turned off.
- For wireless networks configured as a bridge to a VLAN, VLAN tagging of the access point must be turned on. The wireless clients will use the bridge to VLAN ID specified for the wireless network, or they will receive their VLAN ID from the RADIUS server, if specified.
- When you create a bridge to VLAN network, the VLAN interface and the corresponding firewall rules are created automatically and transparently.
Don't configure separate zone and VLAN wireless networks for the same AP. If you have a VLAN in place for your main network, use a VLAN for your guest network.
- When setting up VLANs in your environment, we recommend separating user and management traffic into different VLAN subnets.
- After the AP has been accepted on Sophos Firewall, you must configure the AP to use the VLAN for management traffic.
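The compatibility rules above can be checked against a planned AP-to-network assignment before any change is made. The following is an added example, not Sophos code: the option labels, class names and sample plan are hypothetical, and "VLAN wireless networks" is taken to mean bridge to VLAN networks.

```python
from dataclasses import dataclass
from typing import List, Optional
# Hypothetical labels for the page's three client traffic options, mapped to
# the AP VLAN tagging states the page allows for each.
ALLOWED_TAGGING = {
    "separate_zone": {True, False},
    "bridge_to_ap_vlan": {False},
    "bridge_to_vlan": {True},
}

@dataclass
class WirelessNetwork:
    ssid: str
    client_traffic: str
    bridge_vlan_id: Optional[int] = None   # static bridge to VLAN ID
    radius_vlan: bool = False              # VLAN ID supplied by RADIUS instead

@dataclass
class AccessPoint:
    name: str
    vlan_tagging: bool
    vlan_id: Optional[int] = None          # VLAN ID entered when tagging is on

def valid_vlan(vid: Optional[int]) -> bool:
    return vid is not None and 1 <= vid <= 4094  # 802.1Q usable range

def check_plan(ap: AccessPoint, networks: List[WirelessNetwork]) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    if ap.vlan_tagging and not valid_vlan(ap.vlan_id):
        problems.append(f"{ap.name}: VLAN tagging is on but VLAN ID is missing or invalid")
    for net in networks:
        allowed = ALLOWED_TAGGING.get(net.client_traffic)
        if allowed is None:
            problems.append(f"{net.ssid}: unknown client traffic option {net.client_traffic!r}")
        elif ap.vlan_tagging not in allowed:
            need = "on" if True in allowed else "off"
            problems.append(f"{net.ssid}: {net.client_traffic} needs VLAN tagging {need} on {ap.name}")
        if net.client_traffic == "bridge_to_vlan" and not (net.radius_vlan or valid_vlan(net.bridge_vlan_id)):
            problems.append(f"{net.ssid}: no bridge to VLAN ID and no RADIUS VLAN assignment")
    modes = {n.client_traffic for n in networks}
    if {"separate_zone", "bridge_to_vlan"} <= modes:
        problems.append(f"{ap.name}: separate zone and bridge to VLAN networks on the same AP")
    return problems

# Constructed sample plan: a tagged AP carrying a corporate and a guest SSID.
AP = AccessPoint("ap-floor1", vlan_tagging=True, vlan_id=10)
PLAN = [WirelessNetwork("corp", "bridge_to_vlan", bridge_vlan_id=20),
        WirelessNetwork("guest", "separate_zone")]

if __name__ == "__main__": print(check_plan(AP, PLAN))
```

The sample plan is flagged because it mixes a separate zone guest network with a bridge to VLAN network on one AP; moving the guest network to its own VLAN clears the finding.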