On the Wireless Protection > Wireless Networks page you can define your wireless networks, such as their SSIDService Set Identifier and encryption method. Moreover, you can define whether the wireless network should have a separate IP address range or be bridged into the LAN of the access point.
To define a new wireless network, do the following:
On the Wireless Networks page, click Add Wireless Network.
The Add Wireless Network dialog box opens.
Make the following settings:
Network name: Enter a descriptive name for the network.
Network SSID: Enter the Service Set Identifier (SSID) for the network which will be seen by clients to identify the wireless network. The SSID may consist of 1-32 ASCII printable charactershttp://en.wikipedia.org/wiki/ASCII#ASCII_printable_characters1. It must not contain a comma and must not begin or end with a space.
Encryption mode: Select an encryption mode from the drop-down list. Default is WPAWi-Fi Protected Access 2 Personal. We recommend to prefer WPA2 over WPA, if possible. For security reasons, it is recommended to not use WEPWired Equivalent Privacy unless there are clients using your wireless network that do not support one of the other methods. When using an enterprise authentication method, you also need to configure a RADIUS server on the Global Settings > Advanced tab. As NAS ID of the RADIUS server enter the wireless network name.
Note – Sophos UTM supports the IEEE 802.11r standard in WPA2 (PSK/Enterprise) networks to reduce roaming times. Clients also need to support the IEEE 802.11r standard.
Passphrase/PSK: Only available with WPA/WPA2 Personal encryption mode. Enter the passphrase to protect the wireless network from unauthorized access and repeat it in the next field. The passphrase may consist of 8-63 ASCII printable characters.
128-bit WEP key: Only available with WEP encryption mode. Enter a WEP key here that exactly consists of 26 hexadecimal characters.
Client traffic: Select a method how the wireless network is to be integrated into your local network.
Note – If you use RED 15w as access point please see chapter Wireless Protection > Access Points > RED 15w for extensive information on configuration.
Separate zone (default): The wireless network is handled as a separate network with the specified IP address range.
When you create a network as a separate zone, Sophos UTM creates a corresponding VXLAN tunnel. All traffic from the separate zone network is sent to Sophos UTM using the Virtual Extensible LAN (VXLAN) protocol. VXLAN is a virtual tunnel that encapsulates layer 2 Ethernet frames within layer 3 IP packets. Encapsulation lowers the available MTU size. Lower MTU results in higher fragmentation and may slow the traffic at times. To prevent this issue, you can do one of the following:
- Use Bridge to AP LAN or Bridge to VLAN.
- If you must use a separate zone, lower the MTU value on users' endpoint devices.
If you select Separate zone, after adding the wireless network, continue your setup as described in the section below (Next Steps for Separate Zone Network).
Note – When switching an existing Separate Zone network to Bridge to AP LAN or Bridge to VLAN, already configured WLAN interfaces on Sophos UTM will be disabled and the interface object will become unassigned. However, you can assign a new hardware interface to the interface object by editing it and thus re-enable it.
Bridge to AP LAN: You can bridge a wireless network into the network of an access point, that means that wireless clients share the same IP address range.
For Local WiFi DeviceSG appliance with WiFi capability on board: To create a Bridge to AP LAN you need to edit the Local WiFi Device on the Wireless Protection > Access Points > Overview tab and enable bridged to AP LAN. In addition, you need to create a new interface on the Interfaces & Routing > Interfaces > Interfaces tab and select the bridge. You also need to have a DHCP server on the Network Services > DHCP > Servers tab so that the client can receive an IP.
Note – If VLAN is enabled, the wireless clients will be bridged into the VLAN network of the access point.
Bridge to VLAN (not available for Local WiFi Devices): You can decide to have this wireless network's traffic bridged to a VLAN of your choice. This is useful when you want the access points to be in a common network separate from the wireless clients.
Bridge to VLAN ID: Enter the VLAN ID of the network that the wireless clients should be part of.
Client VLAN ID (only available with an Enterprise encryption mode): Select how the VLAN ID is defined:
- Static: Uses the VLAN ID defined in the Bridge to VLAN ID field.
- RADIUS & Static: Uses the VLAN ID delivered by your RADIUS server: When users connect to one of your wireless networks and authenticate at your RADIUS server, the RADIUS server tells the access point what VLAN ID to use for each user. Thus, when using multiple wireless networks, you can define per user who has access to which internal networks. For users who have not a VLAN ID attribute assigned, the VLAN ID defined in the Bridge to VLAN ID field will be used.
Comment (optional): Add a description or other information.
Optionally, make the following advanced settings:
Algorithm (only available with WPA/WPA2 encryption mode): Select an encryption algorithm which can be either AESAdvanced Encryption Standard or TKIPTemporal Key Integrity Protocol. For security reasons, it is recommended to use AES.
Frequency band: The access points assigned to this wireless network will transmit on the selected frequency band(s). The 5 GHz band generally has higher performance, lower latency, and is typically less disturbed. Hence it should be preferred for e.g. VoIP communication. For more information on which AP types support the 5 GHz band, see Wireless Protection> Access Points.
Time-based access: Select this option if you want to automatically enable and disable the wireless network according to a time schedule.
Select active time: Select a time period definition which determines when the wireless network is enabled. You can add a new time period definition by clicking the Plus icon.
Client isolation: Prevent traffic among wireless clients that connect to the same SSID on the same radio. This setting is typically used on guest networks.
Hide SSID: If you want to hide your SSID, select Yes from the drop-down list. Please note that this is no security feature.
Fast Transition (only available with WPA2 Personal/Enterprise encryption mode): Force wireless networks to use the IEEE 802.11r standard.
Note – This feature doesn’t work between Sophos legacy access points and Sophos APX series access points.
MAC filtering type: To restrict the MAC addresses allowed to connect to this wireless network, select Blacklist or Whitelist. With Blacklist, all MAC addresses are allowed except those listed on the MAC address list selected below. With Whitelist, all MAC addresses are prohibited except those listed on the MAC address list selected below.
MAC addresses: The list of MAC addresses used to restrict access to the wireless network. MAC address lists can be created on the Definitions & Users > Network Definitions > MAC Address Definitions tab. Note that it is not recommended to have more than 5000 MAC addresses.
Your settings will be saved. The wireless network appears on the Wireless Networks list.
Next Steps for Separate Zone Networks
When you created a wireless network with the option Separate Zone, a new corresponding virtual hardware interface will be created automatically, e.g., wlan0. To be able to use the wireless network, some further manual configuration steps are required. Proceed as follows:
Configure a new network interface.
On the Interfaces & Routing > Interfaces > Interfaces tab create a new interface and select your wireless interface (e.g., wlan0) as hardware. Make sure that type is “Ethernet” and specify the IP address and netmask of your wireless network.
Enable DHCP for the wireless clients.
For your clients to be able to connect to Sophos UTM, they need to be assigned an IP address and a default gateway. Therefore, on the Network Services > DHCP > Servers tab, set up a DHCP server for the interface.
Enable DNS for the wireless clients.
For your clients to be able to resolve DNS names they have to get access to DNS servers. On the Network Services > DNS > Global tab, add the interface to the list of allowed networks.
Create a NAT rule to mask the wireless network.
As with any other network you have to translate the wireless network's addresses into the address of the uplink interface. You create the NAT rule on the Network Protection > NAT > Masquerading tab.
Create one or more packet filter rules to allow traffic from and to the wireless network.
As with any other network you have to create one or more packet filter rules to allow the traffic to pass Sophos UTM, e.g., web surfing traffic. You create packet filter rules on the Network Protection > Firewall > Rules tab.