
Add a wireless network

You can create an unlimited number of wireless networks in Sophos Firewall. To add a wireless network, do as follows:

  1. Go to Wireless > Wireless networks and click Add.
  2. Enter a Name. You can change this later.

    Maximum number of characters: 58

    Allowed characters: All characters except '"<>#%\/,

    The interface's customizable name rather than the hardware name is shown in other settings.

  3. Enter the Hardware name for the interface. You can't change this name later.

    Maximum number of characters: 10

    Allowed characters: (A-Za-z0-9_)

  4. Enter the Service Set Identifier (SSID).

    The SSID is a unique identifier attached to the header of packets sent over a wireless local-area network. It identifies the wireless network to users. The SSID can consist of 1-32 ASCII printable characters.

  5. Select a Security mode. We recommend using the strongest encryption mode that your environment supports.

    Note

    Only Sophos Firewall models XGS 88w, 108w, 118w, and 128w support WPA3 Personal, WPA3 Enterprise, and WPA2/WPA3 Personal.

    You may need to enter a passphrase or key depending on the Security mode you select.

    When using enterprise authentication, you must also configure a RADIUS server. Use the wireless network name as the NAS ID.

  6. From the Client traffic list, select the method for integrating traffic on the wireless network into your local network. You can choose from the following:

    • Separate zone: The wireless network is handled as a separate network with the specified IP address range. Use this option to configure firewall rules for the specified SSIDs. When you create a network as a separate zone, the firewall creates a corresponding Virtual Extensible LAN (VXLAN) tunnel. To assign an IP address and gateway to clients, create a DHCP server for the interface.

      VXLAN is a virtual tunnel that encapsulates layer 2 Ethernet frames within layer 3 IP packets. Encapsulation lowers the available MTU size. A lower MTU results in more fragmentation and may slow traffic at times. To prevent this issue, you can do one of the following:

      • Use Bridge to AP LAN or Bridge to VLAN.
      • If you must use a separate zone, lower the MTU value on users' endpoint devices.
    • Bridge to AP LAN: The wireless network is bridged into the network of the selected access point. Clients share the IP address range of the access point. When you add a network of this type to an access point, the firewall creates a corresponding interface. To deploy the network in bridge mode, create a bridge interface. To deploy the network in gateway mode, specify a zone and IP address, and create a DHCP server.

    • Bridge to VLAN: The wireless network is bridged into a VLAN. Use this method when you want access points to be in a common network that is separate from the wireless clients. When using enterprise authentication, you can specify how the client VLAN ID is defined. When you select Static, the access point always uses the bridge to VLAN ID specified. When you select RADIUS and Static, the RADIUS server tells the access point which VLAN ID to use for a given user. If a user doesn't have a VLAN ID attribute assigned, the access point uses the bridge to VLAN ID specified.
  7. Specify the advanced settings. You can configure the following settings:

    • Encryption: The encryption algorithm to use for network traffic. We recommend you use AES.

      Note

      Sophos Firewall models XGS 88w, 108w, 118w, and 128w don't support TKIP or AES/TKIP on LocalWiFi0. You can create wireless networks using legacy encryption modes, but you can't assign them to LocalWiFi0.

    • Frequency band: The frequency band the network will broadcast on.

      Restrictions

      Sophos Firewalls with integrated wireless radios have the following restrictions:

      • Sophos XGS 87w and 107w models can only broadcast on a single frequency band: 2.4 GHz or 5 GHz.
      • Sophos XGS 116w, 126w, and 136w models can broadcast on both the 2.4 GHz and 5 GHz frequency bands simultaneously only if a second wireless radio module is installed in the expansion bay.
      • Sophos XGS 88w, 108w, 118w, and 128w models can broadcast on the 2.4 GHz and 5 GHz frequency bands simultaneously without a wireless radio expansion module.
    • Time-based access: Allow access to the wireless network according to the specified schedule.

    • Client isolation: Prevent traffic among wireless clients that connect to the same SSID on the same radio. This setting is typically used on guest networks.
    • Hide SSID: Don't show the wireless network SSID.
    • Fast transition: Force wireless networks to use the IEEE 802.11r standard. You must use WPA2 as your Security mode.
    • MAC filtering: Allow or block clients from connecting to the wireless network based on their MAC addresses.
  8. Click Save.
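
The limits and compatibility notes in the steps above can be checked before you enter a network in the web admin console. The following is an added example, not Sophos code: the dictionary layout, the `lint_wireless_network` function, and the "WPA2 Personal"/"WPA2 Enterprise" labels are assumptions made for illustration, and the sample plans are constructed.

```python
import re
import string

# Limits and model lists copied from the steps above.
NAME_FORBIDDEN = set('\'"<>#%\\/,')
HW_NAME_RE = re.compile(r"[A-Za-z0-9_]{1,10}")
SSID_CHARS = set(string.printable) - set("\t\n\r\x0b\x0c")  # ASCII 0x20-0x7E
WPA3_MODES = {"WPA3 Personal", "WPA3 Enterprise", "WPA2/WPA3 Personal"}
NEWER_W_MODELS = {"XGS 88w", "XGS 108w", "XGS 118w", "XGS 128w"}
# Assumption: these labels stand in for the WPA2 security modes.
WPA2_MODES = {"WPA2 Personal", "WPA2 Enterprise"}


def lint_wireless_network(net, model):
    """Check a planned network (hypothetical dict layout) against the page's rules."""
    findings = []
    mode = net["security_mode"]
    if not 1 <= len(net["name"]) <= 58 or NAME_FORBIDDEN & set(net["name"]):
        findings.append(("name", "1-58 characters, none of '\"<>#%\\/,"))
    if not HW_NAME_RE.fullmatch(net["hardware_name"]):
        findings.append(("hardware_name", "1-10 characters from A-Za-z0-9_"))
    if not 1 <= len(net["ssid"]) <= 32 or set(net["ssid"]) - SSID_CHARS:
        findings.append(("ssid", "1-32 printable ASCII characters"))
    if mode in WPA3_MODES and model not in NEWER_W_MODELS:
        findings.append(("security_mode", f"{mode} is not supported on {model}"))
    if "Enterprise" in mode and not net.get("radius_server"):
        findings.append(("radius_server", "enterprise authentication needs a RADIUS server"))
    if net.get("fast_transition") and mode not in WPA2_MODES:
        findings.append(("fast_transition", "802.11r requires WPA2 as the security mode"))
    if (net.get("encryption", "AES") in {"TKIP", "AES/TKIP"}
            and model in NEWER_W_MODELS and "LocalWiFi0" in net.get("radios", [])):
        findings.append(("encryption", "TKIP modes can't be assigned to LocalWiFi0"))
    return findings


# Constructed sample plans, not exported from a real firewall.
GUEST_OK = {"name": "Guest WiFi", "hardware_name": "guest_01", "ssid": "Guest",
            "security_mode": "WPA2/WPA3 Personal", "encryption": "AES",
            "radios": ["LocalWiFi0"]}
LEGACY_BAD = {"name": "Lab/Legacy", "hardware_name": "lab-legacy-net", "ssid": "Lab\u00e9",
              "security_mode": "WPA3 Enterprise", "encryption": "AES/TKIP",
              "fast_transition": True, "radios": ["LocalWiFi0"]}

if __name__ == "__main__":
    for plan, model in ((GUEST_OK, "XGS 108w"), (LEGACY_BAD, "XGS 107w")):
        print(model, lint_wireless_network(plan, model))
```

An empty list means the plan passes every check; the same plan can pass on one model and fail on another because WPA3 and LocalWiFi0 support differ by model.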

Next steps

  • Go to Wireless > Access points and add the wireless network to an access point.
