RED 15w
In general all wireless modes (Separate Zone, Bridge to AP LAN and Bridge to VLAN) are supported by RED 15w. The actual meaning of the modes can vary depending on the mode that is actually selected.
Standard/Unified and Standard/Split
In Standard/Unified mode, all traffic of the RED is sent to Sophos UTM on AWS.
In Standard/Split mode, all traffic of the RED that is part of networks listed in the Split Networks is sent to Sophos UTM on AWS. All other traffic is sent to the default gateway specified by the remote DHCP server. Normally, this would be the Internet router where the RED is connected to at the remote site.
The following preconditions must be met for wireless:
- RED tunnel interface on the Sophos UTM on AWS site is up and has an IP address
- DHCP server is running on the RED tunnel interface
- DNS can be resolved on this RED interface
- Firewall allows traffic from the RED interface to Sophos UTM on AWS for AWE client and VXLAN (RFC 7348) (only for Separate Zone).
- RED interface is added to the Allowed Interfaces section under Wireless Protection > Global Settings
Separate Zone: All traffic from a separate zone network is sent to Sophos UTM on AWS using VXLAN protocol. The VXLAN packets are not encrypted but will be encrypted on the way to Sophos UTM on AWS while crossing the RED tunnel. The separate zone networks are connected to each other on the Sophos UTM on AWS site as usual. The firewall has to allow this type of traffic.
Bridge to AP LAN: The RED will bridge the SSID in the LAN network behind the RED. This includes LAN ports 1–4. Clients connected to this SSID are able to reach the RED tunnel endpoint interface on the Sophos UTM on AWS site if the firewall is configured to allow traffic from the RED network to this interface (enabled by default).
Bridge to VLAN (Standard/Unified): The RED will tag all traffic from clients that are connected to this SSID using the configured VLAN tag. Clients are able to reach all network devices with the same VLAN tag that are connected to LAN port 1–4 as well as a VLAN tagged interface on top of the tunnel endpoint interface on the Sophos UTM on AWS site.
Bridge to VLAN (Standard/Split): The clients are able to reach all hosts behind the RED that own the same VLAN tag. Also the tunnel endpoint is reachable if a VLAN interface is configured on top of the RED interface on the Sophos UTM on AWS site. The split networks cannot be reached as these are routed for untagged packets only.
Transparent/Split
In this mode, only networks listed in the Split Networks list are reachable through Sophos UTM on AWS. All other networks are routed through the Internet-providing router at the remote site. The remote network also provides DHCP and DNS. That means the RED tunnel endpoint interface on the Sophos UTM on AWS site has to obtain an IP address by the remote DHCP server. The following preconditions must be met for wireless:
- RED tunnel interface on the Sophos UTM on AWS site is up and has an IP address
- DNS can be resolved on this RED interface
- Firewall allows traffic from the RED interface to Sophos UTM on AWS for AWE client and VXLAN (RFC 7348) (only for Separate Zone).
- RED interface is added to the Allowed Interfaces section under Wireless Protection > Global Settings
- The remote DHCP server has to provide the DHCP option 234 which must contain the IP address of the RED interface on the Sophos UTM on AWS site. Otherwise the fallback IP 1.2.3.4 is used.
Separate Zone is the same as for Standard/Unified and Standard/Split.
Bridge to AP LAN is the same as for Standard/Unified and Standard/Split.
Bridge to VLAN: The clients are able to reach all hosts behind the RED that own the same VLAN tag on LAN ports 1–4 as well as on the WAN port. The split networks cannot be reached as these are routed for untagged packets only.