Guest network, DHCP issue - Windows Server 2012 R2

magnusha

I have a small home lab at home where I have a Windows Server 2012 R2 host with DNS, DHCP, firewall (Sophos UTM) and some virtual machines. Today my Asus RT-AC68U is in Access Point mode and the server distributes DHCP addresses. I tried to enable the guest wi-fi but the clients fail to connect (probably DHCP issue). Is it possible to enable its own DHCP server in the guest network? If so, how can I do it? If not, how can I configure the Asus to distribute DHCP addresses in the guest network? I do not want clients in the guest network accessing resources in my "corporate" network.
 
When the AC68U is in AP mode, it is a layer two device. The routing needs to be done on whatever you are using for a router.
 
You don't need the ASUS router to handle DHCP for a guest network when you have a Microsoft server handing out DHCP IP addresses. You just need to create a different network in your infrastructure, add a scope in Microsoft DHCP server for the guest network, and use DHCP relay to handle DHCP requests from different networks. The way you do this is to create a VLAN with a different IP network address than your current one, or you can use another router with the WAN port plugged into your existing network. The LAN side of the additional router will be a different IP network address. You need a router which will support this. The additional router's WAN port will be set to DHCP to receive an IP address from the current network. You will need to set up routing for the additional network in Sophos UTM to point to the VLAN or the other router's WAN port. I don't know how to do this with Sophos because I have not run it before. I currently run Untangle UTM this way using a layer 3 switch. You will need to turn on DHCP relay so the DHCP server will receive guest network DHCP requests and can present offers. You could use DHCP on the second router, but I like all my DHCP in one place, so I vote for Microsoft's DHCP server.
I think using a switch with multiple VLANs is the easy way to go but a router will work which supports real routing.

The real easy way is to use a Layer 3 switch and let the layer 3 switch handle the routing for the local network. This is what I do. It is a complicated concept, but you realize how easy it is once set up. With this setup Sophos does not need to do any routing; it just needs to be made aware of the additional guest network for security reasons.
 

So I have a question: if the AC68U runs at layer 2 mode when in AP mode, can he use it as a layer 2 switch and create multiple VLANs on the router in AP mode? If this is true, then create 2 VLANs and trunk them to your Sophos UTM for Sophos to route. You will need to turn on VLAN trunk in Sophos NIC, which probably is just turning on VLAN tagging. I don't know Sophos UTM.

Once you have the VLANs defined, create 2 SSIDs and assign a VLAN to each. One is your guest network. I just realized you cannot use the router method I described above unless you use 2 APs. You need to use VLANs to have one wireless device work with 2 wireless networks. I have 3 Cisco APs with each one having 2 SSIDs shared across all 3 Cisco APs. One SSID is for my network and one is for my guest network.
 
Thanks for good answers, coxhaus. Do I need to configure my AC68U in any way? If I create two VLANs, how does the AC68U know which is guest network and which is internal network? What will happen if I connect devices via cable? Will they get internal or guest IP?
 
The way I have described this, you are basically running 2 VLANs with one of them being called guest, so they are the same VLANs with different names and IPs. The guest network on home routers is the router company just doing the work for you, since a lot of people do not know how to set up VLANs properly. Security is going to be handled by Sophos. With Sophos handling the security, using the ASUS in guest mode would not work anyway. Guest mode routers are designed for a simple setup with just the guest router being the only router or firewall in the system, real basic stuff.

PS
If you already have a core switch which will do VLANs, you can use it and connect the ASUS to a trunked port on the switch. The thing you are looking for is to flow 2 VLANs across your network to your Sophos UTM firewall router so Sophos can deal with the VLANs for security and routing.
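
Added example, not part of any post in this thread: a sketch of the separate guest scope on the Windows Server 2012 R2 DHCP server that the replies describe, using the DhcpServer PowerShell module. The subnet, gateway, address range, lease time and DNS resolvers are constructed placeholders; the DHCP relay itself is configured on whatever device routes the guest VLAN and is not shown.

```powershell
# Added example: every address below is a constructed placeholder.
$GuestScopeId = '192.168.50.0'        # assumed guest VLAN subnet (/24)
$GuestGateway = '192.168.50.1'        # assumed router/firewall interface on the guest VLAN
$GuestDns     = '9.9.9.9', '1.1.1.1'  # public resolvers, so guests never query the internal DNS

Import-Module DhcpServer

# Create the guest scope only if it does not exist yet (safe to re-run).
if (-not (Get-DhcpServerv4Scope -ScopeId $GuestScopeId -ErrorAction SilentlyContinue)) {
    Add-DhcpServerv4Scope -Name 'Guest WLAN' `
        -StartRange 192.168.50.100 -EndRange 192.168.50.200 `
        -SubnetMask 255.255.255.0 `
        -LeaseDuration (New-TimeSpan -Hours 4) `
        -State Active
}

# Scope-level options take precedence over server-level options, so guests
# get their own gateway and DNS instead of the internal ones.
# -Force skips the check that the DNS servers answer from this host.
Set-DhcpServerv4OptionValue -ScopeId $GuestScopeId `
    -Router $GuestGateway -DnsServer $GuestDns -Force

# The server picks this scope when a relayed request arrives with a relay
# agent address (giaddr) inside 192.168.50.0/24. Review the result:
Get-DhcpServerv4Scope -ScopeId $GuestScopeId |
    Format-List Name, ScopeId, StartRange, EndRange, LeaseDuration, State
Get-DhcpServerv4OptionValue -ScopeId $GuestScopeId
```

The scope only hands out addresses; keeping guests away from the internal network still depends on the firewall rules between the two VLANs.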
 