Asus AP mode "light" possible? (use behind Sophos Firewall)


dffvb

Occasional Visitor
Hi there, I recently set up a Sophos XG and of course it is not really sufficient if there is only one user (my ASUS AC88U). So I activated AP mode, which worked great until I realized that the guest network separation does not work here. Also bandwidth limitations do not work. So the question is:

Can I enable an AP mode light? Like deactivating the firewall, maybe enable routing etc.... Any ideas, on how to make the FW the main player and conserve Guest network separation?
 

ColinTaylor

Part of the Furniture
I'm not really sure what you're expecting to do here. The guest network separation and bandwidth limiting is built into the Asus' routing design. So to get those features the Asus needs to be configured in "router mode".
 

dffvb

Occasional Visitor
Yes - and I was wondering if, and if yes, how to "open" the router to the firewall, so the firewall can identify individual users. As far as I understand, disabling DHCP doesn't really help, because I would have to configure the clients individually?

In a nutshell :

Can I configure the Asus router in a way that the Sophos machine can identify individual users and keep network separation enabled?

In case I leave it as is, what would I have to do to access from the Sophos network (10.0.3.1) to the Asus network (10.02.1)? Disabling the firewall didn't help...
 

ColinTaylor

Part of the Furniture
For the Sophos to be able to identify individual users on the Asus network you would have to turn off NAT on the Asus.

To be able to access clients on the Asus network from the Sophos network you would have to either a) port forward all required ports on the Asus, or b) turn off the Asus' firewall and create a static route on the Sophos.

If you try this I don't know whether that will break the guest network's isolation or not. It's not something I've tried, and of course the way guest networks are implemented in the new firmware is different than before.
 
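To make the three points above concrete (NAT hides clients, a static route is needed for return traffic once NAT is off, and the Asus firewall still needs port forwards or to be disabled), here is a small model of the topology as an added example. It is not code from Asus, Sophos or anyone in this thread; the Sophos LAN 10.0.3.1 comes from the thread, while 10.0.3.2 as the Asus WAN address, 10.0.2.1 as the Asus LAN gateway and the client 10.0.2.50 are assumed values.

```python
"""Constructed model of the Asus-behind-Sophos topology discussed in the
thread: Sophos LAN 10.0.3.0/24, Asus WAN port on that subnet, Asus LAN
10.0.2.0/24. It shows why NAT on the Asus hides individual clients from the
upstream firewall, why disabling NAT then requires a static route on the
Sophos for return traffic, and why the Asus firewall still blocks inbound
connections unless ports are forwarded or the firewall is turned off."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

SOPHOS_LAN = ip_network("10.0.3.0/24")
ASUS_LAN = ip_network("10.0.2.0/24")
SOPHOS_LAN_IP = ip_address("10.0.3.1")   # from the thread
ASUS_WAN_IP = ip_address("10.0.3.2")     # assumed address of the Asus WAN port
ASUS_LAN_IP = ip_address("10.0.2.1")     # assumed Asus LAN gateway address


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int


def asus_forward_upstream(pkt: Packet, nat_enabled: bool) -> Packet:
    """Packet from an Asus LAN client as it arrives at the Sophos."""
    if nat_enabled:
        # Masquerading rewrites every client to the single WAN address,
        # so the Sophos cannot tell users apart.
        return Packet(ASUS_WAN_IP, pkt.dst, pkt.dport)
    return pkt


def sophos_next_hop(dst: IPv4Address, static_routes):
    """Next hop the Sophos uses for dst, or None when the packet would fall
    through to the default (internet) route and never reach the Asus LAN."""
    for net, via in static_routes:
        if dst in net:
            return via
    if dst in SOPHOS_LAN:
        return dst            # directly connected, no route needed
    return None


def asus_accept_inbound(pkt: Packet, firewall_enabled: bool, port_forwards) -> bool:
    """Whether the Asus lets a packet from the Sophos side reach its LAN."""
    if not firewall_enabled:
        return True           # pure routing: whatever the route delivers gets in
    return pkt.dport in port_forwards   # only explicitly forwarded ports


def scenario(nat_enabled, firewall_enabled, static_routes=(), port_forwards=()):
    """Summarise one Asus/Sophos configuration as three yes/no outcomes."""
    client = ip_address("10.0.2.50")   # constructed sample LAN client
    outbound = asus_forward_upstream(Packet(client, SOPHOS_LAN_IP, 443), nat_enabled)
    reply_hop = sophos_next_hop(outbound.src, static_routes)
    # With NAT on, forwarded ports are reached on the WAN address; with NAT
    # off, the Sophos must address the client itself and needs a route to it.
    target = ASUS_WAN_IP if nat_enabled else client
    inbound_hop = sophos_next_hop(target, static_routes)
    inbound_ok = inbound_hop is not None and asus_accept_inbound(
        Packet(SOPHOS_LAN_IP, target, 80), firewall_enabled, port_forwards)
    return {
        "sophos_sees_individual_clients": outbound.src == client,
        "replies_reach_client": reply_hop is not None,
        "sophos_can_reach_client": inbound_ok,
    }


if __name__ == "__main__":
    route = [(ASUS_LAN, ASUS_WAN_IP)]
    print("NAT on, firewall on:         ", scenario(True, True))
    print("NAT off, no static route:    ", scenario(False, True))
    print("NAT off, static route:       ", scenario(False, True, route))
    print("NAT off, route, port 80 fwd: ", scenario(False, True, route, {80}))
    print("NAT off, route, firewall off:", scenario(False, False, route))
```

Running the script prints one outcome line per configuration; the "NAT off, static route" line is the state dffvb reports later in the thread, where clients are visible and reachable only on forwarded ports.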

dffvb

Occasional Visitor
So I disabled NAT, enabled the route in the test router (not yet Sophos), and so far it works. Guest network separated. Clients from LAN1 can access LAN2 (Asus) - you do have to forward the ports though. Thanks a lot :) Last question: Do you know by chance how to unify DHCP for both networks? Would the Asus accept the Sophos seeking DHCP? Or is there a chance to make the Asus get DHCP from Sophos?
 

ColinTaylor

Part of the Furniture
Do you know by chance how to unify DHCP for both networks? Would the Asus accept the Sophos seeking DHCP? Or is there a chance to make the Asus get DHCP from Sophos?
You would have to customise the Asus to act as a DHCP relay. This kind of customisation isn't possible with stock firmware.
 

RMerlin

Asuswrt-Merlin dev
An AP has no control over the rest of your network, therefore it cannot do any kind of guest isolation - that has to be handled by the primary router. This is a technical limitation, what you want to do is simply not possible.
 

dffvb

Occasional Visitor
I have it virtualized on Hyper-V - I managed to get it working, however the DHCP on the Sophos is a complete mess. Once I created a bridge between physical and virtual NICs to serve them all together, the Asus router didn't want to connect any longer via DHCP, nor static IP. So yes, in theory it's work
 

jtjbt20x

Occasional Visitor
If you had a hardware XG you could put one AP for a guest wifi network on one ethernet port and one AP for regular users on another ethernet port. That and a few changes to the configuration (a new Guest WIFI zone, a DHCP server for each ethernet port, some firewall rules, etc.) should provide the isolation from the guest network. It should work on the Hyper-V if you have enough physical ethernet ports available to it. What version of SFOS are you using? 17.5 or 18?
 

karma

Regular Contributor
Unfortunately I'm guessing all Asus routers in AP mode do not support VLAN tagging, otherwise it would be a trivial thing to do. Personally I'm looking into getting a couple of new APs with wireless mesh which support that, which is a pity because I like the XT8s I have.
 

dffvb

Occasional Visitor
If you had a hardware XG
Emphasis on "if" ;-) I know that buying a Sophos AP would solve the problem, but I doubt it has the same coverage as the 88U - I need this for my various MusicCast speakers. I am using XG 18. I am really fed up now with the Sophos ...
 
