Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/21.5/Help/en-us/webhelp/onlinehelp/index.html?contextId=wireless-network-deploy-bridge

Bridge wireless traffic to the LAN

When using the built-in access point on a wireless Sophos Firewall (LocalWiFi), you can allow specific wireless clients to connect to the access point and use the same IP address range as LAN devices. To do this, you must create a wireless network for the allowed devices, add it to the built-in access point, and bridge the wireless traffic to the LAN.

Note

Bridging wireless traffic to the LAN is required only when using the built-in access point on wireless Sophos Firewall models. It's not required when using external APX access points.

Create a wireless network for allowed devices

You must create a wireless network with MAC filtering turned on so that only devices on the Allow list can connect.

  1. Go to Wireless > Wireless networks and click Add.

  2. Enter a Name.

    The name helps you identify the network when adding it to access points.

  3. Enter an SSID.

    The SSID is the name of the network that wireless devices will see and connect to.

  4. Select a Security mode.

    We recommend using the strongest security mode supported by your environment.

  5. Enter a Passphrase. The passphrase must be from 8 to 63 characters.

  6. For Client traffic, select Bridge to AP LAN.
  7. Expand Advanced settings.

  8. For MAC filtering, select Allow list.

    Note

    If you haven't created any MAC lists, you won't see any MAC filtering options. Go to Hosts and services > MAC host and create a MAC list. See Add a MAC host.

  9. For MAC list, select the MAC list for the hosts you want to allow.

  10. Click Save.

    The firewall creates a wireless network and a corresponding virtual interface. Devices that aren't on the allowed MAC list can't access the network.

Add the wireless network to LocalWiFi

A wireless network needs an access point to broadcast it so wireless devices can connect to it. Add the wireless network to LocalWiFi.

  1. Go to Wireless > Access points.
  2. Click the name of the LocalWiFi access point in the ID column or click Edit Edit button. in the Manage column to assign a wireless network to that access point.
  3. Select the country where the access point is located.
  4. Under Wireless networks, click Add new item.
  5. Select the wireless network you want to assign to the access point.
  6. Click Save.

Bridge the wireless traffic to the LAN

When using the built-in access point on a wireless Sophos Firewall, you must bridge traffic to the LAN so that connected wireless devices can use the same IP address range as devices on the wired LAN. You must either create a bridge interface or turn on Bridge to Ethernet for the LocalWiFi access point, depending on your Sophos Firewall model.

Click the appropriate tab to see how to bridge the wireless traffic to the wired LAN.

For XGS 87w, 107w, 116w, 126w, and 136w models, you must create a bridge interface.

  1. Go to Network > Interfaces.
  2. Click Add interface and select Add bridge.

  3. Enter a Name, using a maximum of 58 characters. You can change this later.

    This name, rather than the hardware name, is shown in other settings.

  4. Enter a Hardware name, using a maximum of 10 letters, numbers, and underscores. You can't change this later.

  5. Under Member interfaces, select your wireless interface and set the Zone to WiFi. Select the interface you want to bridge it with and set the Zone to LAN.

    If you want to bridge more interfaces, click Add Add.

  6. Select IPv4 configuration.

  7. Enter the IPv4 address you want to use for the interface. Select the subnet mask from the drop-down list.
  8. Click Save.

For XGS 88w, 108w, 118w, and 128w models, you must turn on Bridge to Ethernet in the access point's Advanced settings.

  1. Go to Wireless > Access points.
  2. Click the name of the LocalWiFi access point in the ID column or click Edit Edit button. in the Manage column to edit the access point's settings.
  3. Under Advanced settings, select Bridge to Ethernet.
  4. Select the port you want to bridge the access point to.
  5. Select LAN for the Zone.
  6. Click Save.

Wireless traffic from allowed devices connected to the SSID is now bridged to the LAN, allowing them to receive IP addresses in that range and communicate with other devices based on LAN traffic rules.