Wireless networks
A wireless network provides common connection settings for wireless clients. These settings include SSID, security mode, and the method for handling client traffic.
Sophos Firewall's WiFi interface shows the unplugged status until you connect and add a wireless network to an access point.
General settings
You can configure the following general settings for wireless networks:
- Security mode: The security mode for your network. Select from the following options:
  - No Encryption: Not recommended. This option leaves the wireless network unsecured.
  - WEP Open: Use Wired Equivalent Privacy (WEP) authentication. You must also configure a Key.
  - WPA Personal: Use Wi-Fi Protected Access (WPA) authentication. You must also configure a Passphrase.
  - WPA2 Personal: Use WPA2 authentication. You must also configure a Passphrase.
  - WPA2/WPA Personal: Use WPA2/WPA mixed-mode authentication. You must also configure a Passphrase.
  - WPA Enterprise: Use WPA enterprise authentication. You must also configure a RADIUS server.
  - WPA2 Enterprise: Use WPA2 enterprise authentication. You must also configure a RADIUS server.
  - WPA2/WPA Enterprise: Use WPA2/WPA mixed-mode enterprise authentication. You must also configure a RADIUS server.
  - WPA3 Personal: Use WPA3 authentication. You must also configure a Passphrase.
  - WPA3 Enterprise: Use WPA3 enterprise authentication. You must also configure a RADIUS server.
  - WPA2/WPA3 Personal: Use WPA2/WPA3 mixed-mode authentication. You must also configure a Passphrase.
  Note
  Only Sophos Firewall models XGS 88w, 108w, 118w, and 128w support WPA3 Personal, WPA3 Enterprise, and WPA2/WPA3 Personal.
- Client traffic: The method for integrating traffic on the wireless network into your local network. You can select from the following options:
  - Separate zone: The wireless network is handled as a separate network with the specified IP address range. You must select the Zone you want and enter an IP address and Netmask for the network.
    Use this option to configure firewall rules for the specified SSIDs. All traffic from a separate zone network is sent to Sophos Firewall using the Virtual Extensible LAN (VXLAN) protocol. VXLAN is a virtual tunnel that encapsulates layer 2 Ethernet frames within layer 3 IP packets. Encapsulation lowers the available MTU size. A lower MTU results in more fragmentation and may slow traffic at times. To prevent this issue, you can take one of the following steps:
    - Use Bridge to AP LAN or Bridge to VLAN.
    - If you must use a separate zone, lower the MTU value on users' endpoint devices.
  - Bridge to AP LAN: The wireless network is bridged into the network of the selected access point. Clients share the IP address range of the access point.
  - Bridge to VLAN: The wireless network is bridged into a VLAN. Use this method when you want access points to be in a common network that's separate from the wireless clients. You must enter the Bridge to VLAN ID and choose whether the Client VLAN ID is Static or RADIUS & Static.
Advanced settings
You can configure the following advanced settings for wireless networks:
- Encryption: The encryption algorithm to use for network traffic. We recommend you use AES.
  Note
  Sophos Firewall models XGS 88w, 108w, 118w, and 128w don't support TKIP or AES/TKIP on LocalWiFi0. You can create wireless networks using legacy encryption modes, but you can't assign them to LocalWiFi0.
- Frequency band: The frequency bands your wireless network is broadcast on. Choose 2.4 GHz, 5 GHz, or 2.4 and 5 GHz.
- Time-based access: Allow access to the wireless network according to the specified schedule. Click Add new item and choose a schedule to apply. You can also create your own schedule.
- Client isolation: Prevent traffic among wireless clients that connect to the same SSID on the same radio. You typically use this setting on guest networks.
- Hide SSID: Don't show the wireless network SSID.
- Fast transition: Force wireless networks to use the IEEE 802.11r standard. You must use WPA2 as your Security mode.
  Note
  This feature doesn't work on APX access points.
- MAC filtering: Allow or block clients from connecting to the wireless network using MAC address lists.
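The dependencies between the general and advanced settings above (which credential each security mode needs, which models support WPA3, the LocalWiFi0 encryption restriction, the fast transition requirement) can be checked before a network is created. The following Python check is an added example, not Sophos code or a Sophos export format: the dictionary keys, function names and sample values are assumptions, and fast transition is assumed to need one of the two pure WPA2 modes.

```python
# Added example: the dict keys are hypothetical, not a Sophos export format.
W_MODELS = {"XGS 88w", "XGS 108w", "XGS 118w", "XGS 128w"}
WPA3_MODES = {"WPA3 Personal", "WPA3 Enterprise", "WPA2/WPA3 Personal"}
# Assumption: "WPA2" for fast transition means the two pure WPA2 modes.
FT_MODES = {"WPA2 Personal", "WPA2 Enterprise"}

def required_field(mode):
    """Credential field each security mode needs, per the list above."""
    if mode == "WEP Open":
        return "key"
    if mode.endswith("Personal"):
        return "passphrase"
    if mode.endswith("Enterprise"):
        return "radius_server"
    return None  # No Encryption needs none

def check_network(net, model):
    """Return findings for one wireless network on the given firewall model."""
    out = []
    mode, enc = net["security_mode"], net.get("encryption")
    if mode == "No Encryption":
        out.append("No Encryption leaves the network unsecured")
    need = required_field(mode)
    if need and not net.get(need):
        out.append(f"{mode} requires {need}")
    if mode in WPA3_MODES and model not in W_MODELS:
        out.append(f"{mode} is not supported on {model}")
    if enc and enc != "AES":
        out.append(f"{enc} selected; AES is recommended")
    if (enc in ("TKIP", "AES/TKIP") and model in W_MODELS
            and "LocalWiFi0" in net.get("access_points", [])):
        out.append(f"{enc} cannot be assigned to LocalWiFi0 on {model}")
    if net.get("fast_transition") and mode not in FT_MODES:
        out.append("Fast transition requires WPA2")
    traffic = net.get("client_traffic")
    required = {"Separate zone": ("zone", "ip_address", "netmask"),
                "Bridge to VLAN": ("vlan_id",)}.get(traffic, ())
    out += [f"{traffic} requires {f}" for f in required if not net.get(f)]
    return out

# Constructed sample definitions (values are placeholders).
GUEST = {"security_mode": "WPA2/WPA Personal", "passphrase": "example-only",
         "encryption": "AES/TKIP", "access_points": ["LocalWiFi0"],
         "fast_transition": True, "client_traffic": "Separate zone",
         "zone": "WiFi", "ip_address": "192.0.2.1"}
STAFF = {"security_mode": "WPA3 Enterprise", "radius_server": "radius1"}

if __name__ == "__main__":
    print(check_network(GUEST, "XGS 108w"), check_network(STAFF, "XGS 108w"))
```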