Using the firewall as the DHCP server for the Wi-Fi connection
Hi All,
We have 2 APs (EAP613 and EAP670), an SG2210MP switch, an Omada Controller 200, and an ER7206 VPN gateway router. I already configured the IP addresses and other network details for all of the devices, including the SSIDs of the APs and the DHCP IP pool in the router for each VLAN, based on SSID. Whenever I connect to each SSID, I get a different network, which is what we expected. But what I'm trying to do is use our Sophos UTM firewall as the DHCP server instead of the ER7206 VPN gateway router. You can see the connections in my network diagram. I configured a DHCP IP pool on the firewall VLAN interface. Unfortunately, whenever I turn off the DHCP server option in the router and use DHCP Relay with the firewall VLAN interface IP address as the DHCP server IP address, the wireless devices don't get any IP addresses.
Does anyone know how to resolve this?
Your recommendations are much appreciated.
Thank you.
Oiver
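As an added illustration for the relay problem described in the post above (example code, not from the thread and not from any TP-Link or Sophos product): a toy model of what a DHCP relay agent does to a client's DISCOVER and how the server then chooses a scope. All addresses, MACs and the scope table below are constructed for the example. The mechanism it demonstrates is the one a practitioner checks first when relayed clients get no lease: the relay stamps its own interface address into giaddr, the server selects a pool by that giaddr (not by the client's VLAN tag, which it never sees), and the OFFER is sent unicast back to giaddr on port 67. So the firewall needs both a scope whose subnet contains the relaying interface's address and a route back to that interface; if either is missing the server stays silent and the client times out, which matches the symptom in the thread, although the thread itself does not establish the cause.

```python
"""Toy DHCP relay / server model (constructed example, not production code)."""
import ipaddress
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"

# Hypothetical addressing, not from the thread: the firewall is reachable from
# every VLAN SVI at this address and holds the DHCP scopes.
FIREWALL_IP = "10.0.0.1"


def build_discover(xid: int, mac: str) -> bytes:
    """Minimal BOOTP/DHCP DISCOVER as a client broadcasts it (giaddr = 0, broadcast flag set)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s", BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                        b"\x00" * 4, b"\x00" * 4, b"\x00" * 4, b"\x00" * 4, chaddr)
    # sname (64) + file (128) are zero, then the magic cookie and the options.
    return fixed + b"\x00" * 192 + MAGIC_COOKIE + bytes([53, 1, DHCPDISCOVER, 255])


def giaddr_of(pkt: bytes) -> ipaddress.IPv4Address:
    return ipaddress.IPv4Address(pkt[24:28])


def relay(pkt: bytes, svi_ip: str) -> bytes:
    """RFC 1542 relay agent on a VLAN SVI: if giaddr is still zero, write the
    SVI address into it and increment hops; otherwise forward untouched."""
    if int(giaddr_of(pkt)) != 0:
        return pkt
    hops = bytes([pkt[3] + 1])
    return pkt[:3] + hops + pkt[4:24] + ipaddress.IPv4Address(svi_ip).packed + pkt[28:]


def make_scopes() -> dict:
    """Server-side pools keyed by the subnet they serve (constructed values).
    Note there is deliberately no scope for 192.168.30.0/24."""
    return {
        ipaddress.ip_network("192.168.10.0/24"): [ipaddress.ip_address("192.168.10.100"),
                                                  ipaddress.ip_address("192.168.10.101")],
        ipaddress.ip_network("192.168.20.0/24"): [ipaddress.ip_address("192.168.20.100"),
                                                  ipaddress.ip_address("192.168.20.101")],
    }


def serve(pkt: bytes, scopes: dict, server_ip: str):
    """Scope selection as a DHCP server does it: by giaddr when the request was
    relayed, by the receiving interface's own address when it was not.
    Returns (offer_bytes, (dest_ip, dest_port)) or None when no scope matches."""
    if pkt[0] != BOOTREQUEST or pkt[240:243] != bytes([53, 1, DHCPDISCOVER]):
        return None
    giaddr = giaddr_of(pkt)
    server = ipaddress.IPv4Address(server_ip)
    selector = giaddr if int(giaddr) else server
    for net, pool in scopes.items():
        if selector in net and pool:
            yiaddr = pool.pop(0)
            break
    else:
        return None  # no matching scope: the server says nothing and the client never leases
    # In this model the relaying SVI is also the VLAN's default gateway (assumption).
    router = giaddr if int(giaddr) else server
    opts = (bytes([53, 1, DHCPOFFER]) + b"\x36\x04" + server.packed
            + b"\x01\x04" + net.netmask.packed + b"\x03\x04" + router.packed + b"\xff")
    offer = (bytes([BOOTREPLY]) + pkt[1:16] + yiaddr.packed + server.packed
             + giaddr.packed + pkt[28:240] + opts)
    # Relayed: unicast back to the relay on 67. Local: broadcast to the client on 68.
    dest = (str(giaddr), 67) if int(giaddr) else ("255.255.255.255", 68)
    return offer, dest


def relayed_exchange(svi_ip: str, mac: str, scopes: dict, server_ip: str = FIREWALL_IP):
    """Client broadcasts on its VLAN, the SVI relays, the firewall answers.
    Returns (leased address, where the OFFER was sent) or (None, None)."""
    forwarded = relay(build_discover(0x1234ABCD, mac), svi_ip)
    result = serve(forwarded, scopes, server_ip)
    if result is None:
        return None, None
    offer, dest = result
    return ipaddress.IPv4Address(offer[16:20]), dest


if __name__ == "__main__":
    scopes = make_scopes()
    for svi in ("192.168.10.1", "192.168.20.1", "192.168.30.1"):
        print(svi, "->", relayed_exchange(svi, "aa:bb:cc:dd:ee:01", scopes))
```

The VLAN 30 case is the one to keep in mind when a relay "doesn't work": nothing is wrong on the wire, the server simply has no scope containing the giaddr it received. Confirming that on a real firewall means capturing UDP/67 on its interface and comparing the giaddr in the relayed DISCOVER against the configured scopes, and checking the firewall can route back to that giaddr.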
What is the advantage of having the Sophos be the DHCP server? Can you not just apply rules based on source address etc.? Alternatively, what's the advantage of having both the 7206 and the Sophos FW when one should be enough? Most of your ACL/VLAN isolation is done in the switch, not the gateway.
Thank you for the response.
Our goal is to separate the ISPs of the different companies we are managing based on the SSID they connect to. Example: if an employee from Company A connects to their assigned SSID, they should get their own private network and ISP. Since we only have one firewall, where the different ISPs are connected, we want to separate their internet connection based on their LAN, which they get from the SSID. There is a feature in the Sophos UTM firewall called Multipath Rule, in which you can assign a certain IP address or network to the ISP they will use.
What is the advantage of having the Sophos be the DHCP server?
- We have control over which network and ISP they will use. When I was testing with the VPN gateway router as the DHCP server, the firewall could not see the assigned network.
Can you not just apply rules based on source address etc.?
- No, as the firewall cannot see the network given out by the VPN gateway router.
Alternatively, what's the advantage of having both the 7206 and the Sophos FW when one should be enough?
- I actually removed the 7206 and configured the TP-Link switch as a DHCP relay for the firewall, but it doesn't work. I cannot get any IP address when connecting to an access point.
Thank you.
I understand now. Yes, the NAT-only nature of the TP-Link gateways will mess you up!
Some crazy ideas to get your creativity going:
Now, the 7206 does have up to 5 WAN ports, and you can force-route traffic based on subnet/VLAN via one of those physical port uplinks, but you cannot remove the NAT nature of the TP-Link. That would allow you to steer which ISP is used based on VLAN/subnet, possibly removing the Sophos.
You might be able to create VPN tunnels from the 7206 WAN to the Sophos and, again, steer VLAN traffic via the tunnel to preserve the IPs handed out by the TP-Link and allow processing thereof by the Sophos at the other end of the tunnel.
In general, you will break a lot of things in the Omada space if the 7206 doesn't hand out IPs... so you might as well discard it from the config altogether and configure the Sophos to receive all VLANs via a single trunk port from the SG2210 switch. It can then be the DHCP server AND steer traffic to ISPs as you see fit. You can create policies on the switch to isolate traffic between VLANs if that is a requirement.
Maybe the part where I can use the 5 WAN ports is possible. I will try that and give this thread an update.
I already tried removing the 7206 and just using the SG2210 switch as a DHCP relay to the firewall, but I still cannot get an IP address.
Thank you.
Hi All,
All is well now. I just configured the other WAN port (WAN/LAN3) and added a route from the other subnet to that WAN port.
Thank you so much.