Wireless Networks

On the Wireless Protection > Wireless Networks page you define your wireless networks, including their SSID and encryption method. You can also define whether a wireless network gets its own separate IP address range or is bridged into the LAN of the access point.

To define a new wireless network, do the following:

  1. On the Wireless Networks page, click Add Wireless Network.

    The Add Wireless Network dialog box opens.

  2. Make the following settings:

    Network name: Enter a descriptive name for the network.

    Network SSID: Enter the Service Set Identifier (SSID) for the network; clients see this name and use it to identify the wireless network. The SSID may consist of 1-32 ASCII printable characters. It must not contain a comma and must not begin or end with a space.

    Encryption mode: Select an encryption mode from the drop-down list. The default is WPA2 Personal. We recommend WPA2 over WPA wherever possible. For security reasons, do not use WEP unless clients on your wireless network do not support any of the other methods. When using an enterprise authentication method, you also need to configure a RADIUS server on the Global Settings > Advanced tab; enter the wireless network name as the NAS ID of the RADIUS server.

    Note – Sophos UTM supports the IEEE 802.11r standard in WPA2 (PSK/Enterprise) networks to reduce roaming times. Clients also need to support the IEEE 802.11r standard.

    Passphrase/PSK: Only available with WPA/WPA2 Personal encryption mode. Enter the passphrase to protect the wireless network from unauthorized access and repeat it in the next field. The passphrase may consist of 8-63 ASCII printable characters.

    128-bit WEP key: Only available with WEP encryption mode. Enter a WEP key here that exactly consists of 26 hexadecimal characters.

    Client traffic: Select how the wireless network is integrated into your local network.

    Note – If you use a RED 15w as access point, see the chapter Wireless Protection > Access Points > RED 15w for detailed configuration information.

    Comment (optional): Add a description or other information.

  3. Optionally, make the following advanced settings:

    Algorithm (only available with WPA/WPA2 encryption mode): Select the encryption algorithm, either AES or TKIP. For security reasons, AES is recommended.

    Frequency band: The access points assigned to this wireless network transmit on the selected frequency band(s). The 5 GHz band generally offers higher throughput and lower latency and is typically less affected by interference, so it should be preferred for latency-sensitive traffic such as VoIP. For information on which AP types support the 5 GHz band, see Wireless Protection > Access Points.

    Time-based access: Select this option if you want to automatically enable and disable the wireless network according to a time schedule.

    Select active time: Select a time period definition which determines when the wireless network is enabled. You can add a new time period definition by clicking the Plus icon.

    Client isolation: Prevent traffic among wireless clients that connect to the same SSID on the same radio. This setting is typically used on guest networks.

    Hide SSID: To hide your SSID, select Yes from the drop-down list. Note that this is not a security feature.

    Fast Transition (only available with WPA2 Personal/Enterprise encryption mode): Wireless networks with WPA2 encryption use the IEEE 802.11r standard by default. If you want to prevent this, select Disabled from the drop-down list.

    MAC filtering type: To restrict the MAC addresses allowed to connect to this wireless network, select Blacklist or Whitelist. With Blacklist, all MAC addresses are allowed except those listed on the MAC address list selected below. With Whitelist, all MAC addresses are prohibited except those listed on the MAC address list selected below.

    MAC addresses: The list of MAC addresses used to restrict access to the wireless network. MAC address lists are created on the Definitions & Users > Network Definitions > MAC Address Definitions tab. Lists of more than 5000 MAC addresses are not recommended.

  4. Click Save.

    Your settings will be saved. The wireless network appears on the Wireless Networks list.
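The input rules and security recommendations from steps 2 and 3 (SSID and passphrase character limits, the WEP key format, the preference for WPA2 and AES, the 5000-entry MAC list limit, and the Blacklist/Whitelist semantics) can be checked before a configuration is entered. The following Python script is an added example and is not part of Sophos UTM or its documentation; the encryption mode labels, the `WirelessNetwork` dataclass and the function names are assumptions chosen for illustration, and the sample networks at the bottom are constructed.

```python
"""Pre-flight checks for wireless network settings, following the rules stated on this page.

Added example; not Sophos UTM code. Mode labels such as "WPA2 Personal" and "WEP"
are assumed names, not an official enumeration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Modes the page describes; names are assumptions for this example.
PERSONAL_MODES = {"WPA Personal", "WPA2 Personal"}
ENTERPRISE_MODES = {"WPA Enterprise", "WPA2 Enterprise"}
WEP_KEY_RE = re.compile(r"[0-9A-Fa-f]{26}")  # exactly 26 hexadecimal characters


def is_ascii_printable(text: str) -> bool:
    """True if every character is in the ASCII printable range 0x20-0x7E."""
    return all(0x20 <= ord(c) <= 0x7E for c in text)


def validate_ssid(ssid: str) -> list[str]:
    """Return the rule violations for an SSID (empty list means it is acceptable)."""
    problems = []
    if not 1 <= len(ssid) <= 32:
        problems.append("SSID must be 1-32 characters long")
    if not is_ascii_printable(ssid):
        problems.append("SSID must consist of ASCII printable characters")
    if "," in ssid:
        problems.append("SSID must not contain a comma")
    if ssid != ssid.strip(" "):
        problems.append("SSID must not begin or end with a space")
    return problems


def validate_psk(passphrase: str) -> list[str]:
    """Passphrase/PSK rule: 8-63 ASCII printable characters."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("passphrase must be 8-63 characters long")
    if not is_ascii_printable(passphrase):
        problems.append("passphrase must consist of ASCII printable characters")
    return problems


def validate_wep_key(key: str) -> list[str]:
    """128-bit WEP key rule: exactly 26 hexadecimal characters."""
    return [] if WEP_KEY_RE.fullmatch(key) else ["WEP key must be exactly 26 hexadecimal characters"]


@dataclass
class WirelessNetwork:
    name: str
    ssid: str
    encryption: str                      # one of the assumed mode labels above, or "WEP"
    passphrase: str = ""
    wep_key: str = ""
    algorithm: str = "AES"               # "AES" or "TKIP"
    mac_filter: str = "None"             # "None", "Blacklist" or "Whitelist"
    mac_addresses: tuple[str, ...] = field(default_factory=tuple)
    nas_id: str = ""                     # NAS ID configured on the RADIUS server


def review(net: WirelessNetwork) -> list[str]:
    """Collect format violations and deviations from the page's security recommendations."""
    findings = validate_ssid(net.ssid)
    if net.encryption in PERSONAL_MODES:
        findings += validate_psk(net.passphrase)
    if net.encryption in ENTERPRISE_MODES and net.nas_id != net.name:
        findings.append("RADIUS NAS ID should equal the wireless network name")
    if net.encryption == "WEP":
        findings += validate_wep_key(net.wep_key)
        findings.append("WEP is not recommended unless clients support nothing better")
    if net.encryption.startswith("WPA "):          # plain WPA, not WPA2
        findings.append("prefer WPA2 over WPA")
    if net.encryption != "WEP" and net.algorithm == "TKIP":
        findings.append("AES is recommended over TKIP")
    if len(net.mac_addresses) > 5000:
        findings.append("more than 5000 MAC addresses is not recommended")
    return findings


def mac_filter_permits(mac: str, filter_type: str, mac_list: tuple[str, ...]) -> bool:
    """Apply the Blacklist/Whitelist semantics described under MAC filtering type."""
    listed = mac.lower() in {m.lower() for m in mac_list}
    if filter_type == "Whitelist":
        return listed          # only listed addresses may connect
    if filter_type == "Blacklist":
        return not listed      # everything except listed addresses may connect
    return True                # no MAC filtering


if __name__ == "__main__":
    # Constructed sample networks.
    good = WirelessNetwork("Office", "Office-WiFi", "WPA2 Personal", passphrase="correct horse battery")
    weak = WirelessNetwork("Legacy", " Scanners,Old", "WEP", wep_key="0123", algorithm="TKIP")
    for net in (good, weak):
        print(net.name, review(net) or "OK")
```

Run it as a script to see one clean network and one with several findings; `review()` is deliberately a list of strings so it can feed a change-review checklist rather than abort on the first problem.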

Next Steps for Separate Zone Networks

When you have created a wireless network with the option Separate Zone, a corresponding virtual hardware interface (e.g., wlan0) is created automatically. Before the wireless network can be used, some further manual configuration steps are required. Proceed as follows:

  1. Configure a new network interface.

    On the Interfaces & Routing > Interfaces > Interfaces tab, create a new interface and select your wireless interface (e.g., wlan0) as hardware. Make sure that the type is “Ethernet” and specify the IP address and netmask of your wireless network.

  2. Enable DHCP for the wireless clients.

    For your clients to be able to connect to Sophos UTM, they need to be assigned an IP address and a default gateway. Therefore, on the Network Services > DHCP > Servers tab, set up a DHCP server for the new interface.

  3. Enable DNS for the wireless clients.

    For your clients to be able to resolve DNS names, they need access to DNS servers. On the Network Services > DNS > Global tab, add the interface to the list of allowed networks.

  4. Create a NAT rule to mask the wireless network.

    As with any other network, you have to translate the wireless network's addresses into the address of the uplink interface. Create the NAT rule on the Network Protection > NAT > Masquerading tab.

  5. Create one or more packet filter rules to allow traffic from and to the wireless network.

    As with any other network, you have to create one or more packet filter rules to allow the desired traffic (e.g., web traffic) to pass Sophos UTM. Create packet filter rules on the Network Protection > Firewall > Rules tab.

© 2019 Sophos Limited Sophos UTM 9.600