In this previous guide I explained how to set up a guest network using a separate wireless access point. This guide will show you how to set up a guest wireless network on a separate VLAN using the Apple Airport Extreme/Time Capsule’s guest network feature. This guide assumes the Apple Airport is connected directly to Sophos XG (i.e. no switches).
1. Enable the guest wireless network on your Apple Airport using the Airport Utility application on your Mac or iOS device and set up your SSID name and password as desired. Click ‘Update’.
2. From the Sophos XG web user interface, add the VLAN by accessing the ‘Interfaces’ tab on the ‘Network’ page and selecting ‘Add Interface’ -> ‘Add VLAN’. Configure the following settings:
- Physical Interface: Specify the port that your Apple Airport is plugged into the Sophos XG device on.
- Zone: Specify the Zone that the VLAN will be assigned to (typically LAN).
- VLAN ID: Set this to ‘1003’. This is the VLAN ID the Apple Airport uses for its guest wireless network.
- IP Assignment: Set this to ‘Static’.
- IPv4/Netmask: Enter an IP address for this interface that is in a different subnet than the interface for your main network. For example, if your main network interface has an IP of 172.16.16.16 (Sophos XG default), something such as ‘172.16.17.17’ will work. Leave the netmask at the default ‘/24 (255.255.255.0)’.
- Click ‘Save’ at the bottom.
3. Next, create an IP Host for the guest subnet to be used for a firewall rule. Access the ‘IP Host’ tab on the ‘Host and Services’ page and click ‘Add’. Configure the following settings:
- Name: Type in a name such as ‘Guest Subnet’.
- IP Version: Select ‘IPv4’.
- IP Address: Type in the IP address for this guest network. For our example, use ‘172.16.17.0’ and leave the subnet at the default ‘/24 (255.255.255.0)’.
- IP Host Group: This allows you to add this IP Host to an IP Host Group, but for this example, leave it blank.
- Click ‘Save’ at the bottom.
4. Create a DHCP server for your guest network by accessing the ‘DHCP’ tab on the ‘Network’ page. Under the ‘Server’ section, click ‘Add’ and configure the following settings:
- Make sure the ‘IPv4’ tab is selected at the top.
- Name: Provide a name such as ‘Guest DHCP’.
- Interface: Select the VLAN interface we created earlier. (i.e. Port1 VLAN 1003 – 172.16.17.17).
- Start IP: Enter the starting IP address for the range that will be available for assignment to users on the guest network. For example, ‘172.16.17.18’.
- End IP: Enter the ending IP address. For example, ‘172.16.17.254’.
- Subnet Mask: Leave the default of ‘/24 (255.255.255.0)’.
- Domain Name: This can be left blank.
- Gateway: Leave the default ‘Use Interface IP as Gateway’ checked.
- Default Lease Time/Max Lease Time: Leave the default values.
- Conflict Detection: Enable this so clients aren’t being assigned the same IP address.
- Select ‘Use Device’s DNS Settings’ unless you want to specify a separate DNS server for your guest network. See my other blog post regarding DNS servers.
- Leave the ‘WINS Server’ fields blank unless this is something you specifically need.
- Click ‘Save’ at the bottom.
5. The last step is to create a firewall rule that will allow users on the guest network to access the internet. Access the ‘Firewall’ page and click ‘Add Firewall Rule’ -> ‘User/Network Rule’. If you’re unfamiliar with the firewall rule settings, see my previous guide on firewall rules. Configure the following settings:
- Rule Name: Provide a name such as ‘Guest Network’.
- Description: Provide a description as desired.
- Action: Accept
- Source Zone: Select ‘LAN’ since this is the zone we added the guest interface to.
- Source Networks and Devices: Select the IP Host we created in step 3, ‘Guest Subnet’.
- During Scheduled Time: Set this as desired but for this example, we’ll leave it set to ‘All the Time’.
- Destination Zone: Select ‘WAN’ since we want users to be able to access our ISP modem/internet.
- Destination Networks: Select ‘Any’ since we don’t know exactly what protocols and/or ports our guest users will be utilizing.
- Configure the rest of the settings as desired and click ‘Save’ at the bottom.
6. You should now be able to connect to your guest network and have full access to the internet. Of note, you can still access your Sophos XG web user interface from this guest network since the interface falls under the ‘LAN’ zone. See my other post on completely isolating the guest and local networks.
(Optional) If desired, you can limit the bandwidth available to your guest users by creating a Traffic Shaping Policy for the firewall rule we just created. You can create a new policy from the firewall rule page itself by clicking the ‘Traffic Shaping Policy’ drop-down and then ‘Create new’. This page can also be accessed on the ‘Traffic Shaping’ tab on the ‘System Services’ page. Configure the following settings:
- Name: Provide a name such as ‘Guest Rule’.
- Policy Association: Select ‘Rule’ since this will be applied to a firewall rule.
- Rule Type: Select ‘Limit’ as the goal is to limit the available bandwidth to guest users.
- Limit Upload/Download Separately: As the name implies, you can set limits on the upload and download bandwidth throughput separately. For this example, select ‘Enable’.
- Priority: This setting allows you to define priorities so that if you have multiple traffic shaping policies, Sophos XG will know how to prioritize the various connections. For this example, select ‘3 – (Normal)’ as our guest users just need basic internet access.
- Upload Bandwidth: Specify the maximum upload speed in KBps (kilobytes per second, not to be confused with Kbps, kilobits per second). Bandwidth speeds are most commonly quoted in Mbps, so search for ‘Mbps to KBps’ on Google to convert. For example, if I want to limit my guest users’ upload to 10 Mbps, enter ‘1250’ into this field.
- Download Bandwidth: Same as above except for the download speed. For example, if I want to limit guest users to a download of 100 Mbps, enter ‘12500’ into this field.
- Bandwidth Usage Type: Leave ‘Individual’ selected as this policy will apply to the entire guest firewall rule. Click ‘Save’ at the bottom.
Make sure to assign this new Traffic Shaping Policy to your guest firewall rule.
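As an added sanity check (example code written for this guide, not part of the original post or of Sophos XG), the script below validates the values chosen in steps 2 through 5 and in the optional traffic shaping policy: the Airport guest VLAN ID, a guest subnet that does not overlap the main LAN, an IP Host that matches the VLAN interface, a DHCP pool inside the guest subnet that leaves the gateway address out, and the Mbps-to-KBps conversion. The dictionary and its field names are assumptions for illustration, not a Sophos export format.

```python
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

# Constructed example values mirroring the guide's walk-through.
# The dictionary layout and key names are assumptions for illustration.
GUEST_CONFIG = {
    "main_interface": "172.16.16.16/24",   # Sophos XG default LAN address
    "vlan_id": 1003,                       # Apple Airport guest VLAN
    "vlan_interface": "172.16.17.17/24",   # static IP on the VLAN interface
    "guest_host": "172.16.17.0/24",        # IP Host used by the firewall rule
    "dhcp_start": "172.16.17.18",
    "dhcp_end": "172.16.17.254",
    "upload_mbps": 10,
    "download_mbps": 100,
}


def mbps_to_kbytes_per_sec(mbps: float) -> int:
    """Convert megabits/s to the kilobytes/s the traffic shaping fields expect."""
    return int(mbps * 1000 / 8)


def check_guest_config(cfg: dict) -> list:
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    main = IPv4Interface(cfg["main_interface"])
    vlan = IPv4Interface(cfg["vlan_interface"])
    guest_net = IPv4Network(cfg["guest_host"])
    start = IPv4Address(cfg["dhcp_start"])
    end = IPv4Address(cfg["dhcp_end"])

    if cfg["vlan_id"] != 1003:
        problems.append("VLAN ID must be 1003 to match the Airport guest network")
    if main.network.overlaps(vlan.network):
        problems.append("guest VLAN subnet overlaps the main LAN subnet")
    if vlan.network != guest_net:
        problems.append("IP Host for the firewall rule does not match the VLAN subnet")
    if start not in vlan.network or end not in vlan.network:
        problems.append("DHCP range is not inside the guest subnet")
    elif start > end:
        problems.append("DHCP start address is after the end address")
    if start <= vlan.ip <= end:
        problems.append("DHCP range includes the VLAN interface address (gateway)")
    return problems


if __name__ == "__main__":
    print(check_guest_config(GUEST_CONFIG) or "guest configuration is consistent")
    print("upload KBps:", mbps_to_kbytes_per_sec(GUEST_CONFIG["upload_mbps"]))
    print("download KBps:", mbps_to_kbytes_per_sec(GUEST_CONFIG["download_mbps"]))
```

Running it on the guide's values reports no problems; placing the VLAN interface in the main 172.16.16.0/24 subnet by mistake is flagged as an overlap, a mismatched IP Host and a DHCP pool outside the subnet.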
Additionally, if you have appliances or smart home devices that connect to your wireless network, it’s typically good practice to separate them from your private network (i.e. connect them to your guest wireless network). Many of these devices such as TVs can be a weak point in a secure network based on poorly written software/firmware that isn’t updated regularly. However, if your devices are integrated with a smart home hub or through an app via your local network, this will cause issues if your hub or mobile device is on a separate VLAN from your smart home device. There are ways to create firewall rules and use multicast forwarding to resolve these issues, but it can sometimes be more work than it’s worth.