
Asus AP mode "light" possible? (use behind Sophos Firewall)


dffvb

Occasional Visitor
Hi there, I recently set up a Sophos XG and of course it is not really sufficient if there is only one user (my ASUS AC88U). So I activated AP mode, which worked great until I realized that the guest network separation does not work here. Also, bandwidth limitations do not work. So the question is:

Can I enable an AP mode light? Like deactivating the firewall, maybe enable routing etc.... Any ideas on how to make the FW the main player and conserve guest network separation?
 
I'm not really sure what you're expecting to do here. The guest network separation and bandwidth limiting are built into the Asus' routing design. So to get those features the Asus needs to be configured in "router mode".
 
Yes - and I was wondering if, and if yes, how to "open" the router to the firewall, so the firewall can identify individual users. As far as I understand, disabling DHCP doesn't really help, because I would have to configure the clients individually?

In a nutshell:

Can I configure the Asus router in a way that the Sophos machine can identify individual users and keep network separation enabled?

In case I leave it as is, what would I have to do to access from the Sophos network (10.0.3.1) to the Asus network (10.02.1)? Disabling the firewall didn't help...
 
For the Sophos to be able to identify individual users on the Asus network you would have to turn off NAT on the Asus.

To be able to access clients on the Asus network from the Sophos network you would have to either a) port forward all required ports on the Asus, or b) turn off the Asus' firewall and create a static route on the Sophos.

If you try this I don't know whether that will break the guest network's isolation or not. It's not something I've tried, and of course the way guest networks are implemented in the new firmware is different than before.
 
So I disabled NAT, enabled the route in the test router (not yet Sophos), and so far it works. Guest network separated. Clients from LAN1 can access LAN2 (Asus) - you do have to forward the ports though. Thanks a lot :) Last question: Do you know by chance how to unify DHCP for both networks? Would the Asus accept the Sophos seeking DHCP? Or is there a chance to make the Asus get DHCP from Sophos?
 
Do you know by chance how to unify DHCP for both networks? Would the Asus accept the Sophos seeking DHCP? Or is there a chance to make the Asus get DHCP from Sophos?
You would have to customise the Asus to act as a DHCP relay. This kind of customisation isn't possible with stock firmware.
 
An AP has no control over the rest of your network, therefore it cannot do any kind of guest isolation - that has to be handled by the primary router. This is a technical limitation, what you want to do is simply not possible.
 
I have it virtualized on Hyper-V - I managed to get it working, however the DHCP on the Sophos is a complete mess. Once I created a bridge between physical and virtual NICs to serve them all together, the Asus router didn't want to connect any longer via DHCP, nor static IP. So yes in theory its work
 
If you had a hardware XG you could put one AP for a guest wifi network on one ethernet port and one AP for regular users on another ethernet port. That and a few changes to the configuration (a new Guest WIFI zone, a DHCP server for each ethernet port, some firewall rules, etc.) should provide the isolation from the guest network. It should work on the Hyper-V if you have enough physical ethernet ports available to it. What version of SFOS are you using? 17.5 or 18?
 
Unfortunately, I'm guessing all Asus routers in AP mode do not support VLAN tagging, otherwise it would be a trivial thing to do. Personally I'm looking into getting a couple of new APs with wireless mesh which support that, which is a pity because I like the XT8s I have.
 
If you had a hardware XG

Emphasis on "if" ;-) I know that buying a Sophos AP would solve the problem, but I am in doubt that it has the same coverage as the 88U - I need this for my various MusicCast speakers. I am using XG 18. I am really fed up now with the Sophos ...
 
