Add a wireless network
You can create an unlimited number of wireless networks in Sophos Firewall. To add a wireless network, do as follows:
- Go to Wireless > Wireless networks and click Add.
Enter a name. You can change this later.
Maximum number of characters: 58
Allowed characters: All characters except
The interface's customizable name rather than the hardware name is shown in other settings.
Enter a hardware name for the interface. You can't change this name later.
Maximum number of characters: 10
Allowed characters: (A-Za-z0-9_)
Enter the Service Set Identifier (SSID).
The SSID is a unique identifier attached to the header of packets sent over a wireless local-area network. It identifies the wireless network to users. The SSID can consist of 1-32 ASCII printable characters.
Select a security mode.
We recommend you select WPA2. The firewall supports IEEE 802.11r on networks that are secured with WPA2.
You'll need to enter a passphrase or key depending on the security mode you choose.
When using enterprise authentication, you must also configure a RADIUS server. Use the wireless network name as the NAS ID.
From the Client traffic list, select the method for integrating traffic on the wireless network into your local network. You can choose from the following:
Separate zone: The wireless network is handled as a separate network with the specified IP address range. Use this option to configure firewall rules for the specified SSIDs. When you create a network as a separate zone, the firewall creates a corresponding Virtual Extensible LAN (VXLAN) tunnel. To assign an IP address and gateway to clients, create a DHCP server for the interface. VXLAN is a virtual tunnel that encapsulates layer 2 ethernet frames within layer 3 IP packets. Encapsulation lowers the available MTU size. Lower MTU results in higher fragmentation and may slow the traffic at times. To prevent this issue, you can do one of the following:
- Use Bridge to AP LAN or Bridge to VLAN.
- If you must use a separate zone, lower the MTU value on users' endpoint devices.
Bridge to AP LAN: The wireless network is bridged into the network of the selected access point. Clients share the IP address range of the access point. When you add a network of this type to an access point, the firewall creates a corresponding interface. To deploy the network in bridge mode, create a bridge interface. To deploy the network in gateway mode, specify a zone and IP address, and create a DHCP server.
- Bridge to VLAN: The wireless network is bridged into a VLAN. Use this method when you want access points to be in a common network that is separate from the wireless clients. When using enterprise authentication, you can specify how the client VLAN ID is defined. When you select Static, the access point always uses the bridge to VLAN ID specified. When you select RADIUS and Static, the RADIUS server tells the access point which VLAN ID to use for a given user. If a user doesn't have a VLAN ID attribute assigned, the access point uses the bridge to VLAN ID specified.
Specify the advanced settings. You can configure the following settings:
- Encryption: The encryption algorithm to use for network traffic. We recommend you use AES.
Frequency band: The frequency band the network will broadcast on.
Sophos XGS 87w and 107w models can only broadcast on a single frequency band: 2.4 GHz or 5 GHz. Sophos XGS 116w, 126w, and 136w models can broadcast both 2.4 GHz and 5 GHz frequency bands simultaneously only if a second wireless radio module is installed in the expansion bay.
Time-based access: Allow access to the wireless network according to the specified schedule.
- Client isolation: Prevent traffic among wireless clients that connect to the same SSID on the same radio. You use this setting typically on guest networks.
- Hide SSID: Don't show the wireless network SSID.
Fast transition: Force wireless networks to use the IEEE 802.11r standard.
This feature doesn't work on Sophos AP and APX series access points.
MAC filtering: Allow or block clients from connecting to the wireless network based on their MAC addresses.
- Go to Wireless > Access points and add the wireless network to an access point.