Add a wireless network
- Go to Wireless > Wireless networks and click Add.
Enter a name. You can change this name later.
Maximum number of characters: 58
The subsystems will show the customizable name and not the hardware name of the interface.
Enter a hardware name for the interface. You can't change this name later.
Maximum number of characters: 10
Allowed characters: (A-Za-z0-9_)
Enter the Service Set Identifier (SSID).
The SSID is a unique identifier attached to the header of packets sent over a wireless local-area network. It identifies the wireless network to users. The SSID can consist of 1-32 ASCII printable characters.
Select a security mode.
We recommend you select WPA2. The firewall supports IEEE 802.11r on networks that are secured with WPA2.
When using enterprise authentication, you must also configure a RADIUS server. Use the wireless network name as the NAS ID.
From the Client traffic list, select the method for integrating traffic on the wireless network into your local network.
Option Description Separate zone The wireless network is handled as a separate network with the specified IP address range. Use this option to configure firewall rules for the specified SSIDs.When you create a network as a separate zone, the firewall creates a corresponding VXLAN tunnel. To assign an address and gateway to clients, create a DHCP server for the interface.
VXLAN is a virtual tunnel that encapsulates layer 2 Ethernet frames within layer 3 IP packets. Encapsulation lowers the available MTU size. Lower MTU results in higher fragmentation and may slow the traffic at times. To prevent this issue, you can do one of the following:
- Use Bridge to AP LAN or Bridge to VLAN.
- If you must use a separate zone, lower the MTU value on users' endpoint devices.
Bridge to AP LAN The wireless network is bridged into the network of the selected access point. Clients share the IP address range of the access point. When you add a network of this type to an access point, the firewall creates a corresponding interface. To deploy the network in bridge mode, create a bridge interface. To deploy the network in gateway mode, specify a zone and IP address, and create a DHCP server. Bridge to VLAN The wireless network is bridged into a VLAN. Use this method when you want access points to be in a common network that is separate from the wireless clients. When using enterprise authentication, you can specify how the client VLAN ID is defined. When you select Static, the access point always uses the bridge to VLAN ID specified. When you select RADIUS and Static, the RADIUS server tells the access point which VLAN ID to use for a given user. If a user does not have a VLAN ID attribute assigned, the access point uses the bridge to VLAN ID specified.
Specify the settings.
Option Description Encryption Encryption algorithm to use for network traffic. We recommend you use AES. Time-based access Allow access to the wireless network according to the specified schedule. Client isolation Prevent traffic among wireless clients that connect to the same SSID on the same radio. You use this setting typically on guest networks. Hide SSID Do not show the wireless network SSID. Fast transition Force wireless networks to use the IEEE 802.11r standard.Note This feature doesn't work between Sophos legacy access points and Sophos APX series access points. MAC filtering Allow or block clients from connecting to the wireless network based on their MAC addresses.
Go to Wireless > Access points and add the wireless network to an access point.