Sophos – P7 How to Configure VLAN with UniFi on Sophos Firewall (Step-by-Step)

Proper VLAN deployment is essential for secure and scalable network segmentation.
In this guide, you’ll learn how to Configure VLAN Sophos and integrate it correctly with a UniFi access point.

This step-by-step tutorial covers:

• VLAN interface creation

• Zone configuration

• DHCP setup

• Firewall rule creation

• UniFi network tagging

• Guest Wi-Fi assignment

This setup is commonly used in:

• Small to medium-sized businesses

• Cafes and coworking spaces

• Enterprise branch offices

• IT lab environments

A properly designed VLAN architecture improves:

🔐 Security
📊 Traffic control
🌐 Internet access management
🏢 Department isolation
📶 Guest network separation

Follow this demo to build a clean and scalable VLAN structure.

🔎 Requirement

Divide the network into VLANs for:

• Guests

• Specific departments

• Controlling Internet access

• Restricting SMB access

• Internal resource segmentation

🧪 Lab Topology

In this demo:

AP → Switch → Sophos Firewall

The AP is connected to a switch.
The switch is connected to the Sophos firewall.

A regular switch will work.
This model is suitable for small to medium-sized companies and cafes.

1️⃣ Configuration on the Firewall (Sophos)

We begin with the firewall configuration.

Step 1: Create a Zone

Before creating the VLAN interface, define a dedicated zone.

This improves rule control and policy management.

Create a new zone:

Example:
GUEST

This zone will later be assigned to the VLAN interface.

Using zones is a best practice when you Configure VLAN Sophos in production environments.

Step 2: Add Interface-VLAN

Example: Using VLAN 10 (192.168.10.0/24)

Go to:

Configure → Network

Add a new VLAN interface.

Key configuration:

• Parent interface (connected to switch)

• VLAN ID: 10

• IP address: 192.168.10.1/24

• Zone: GUEST (created above)

Make sure tagging is properly configured.

This step enables logical segmentation over the same physical interface.

Step 3: Enable DHCP

Enable DHCP for VLAN 10.

Configure DHCP range within:

192.168.10.0/24

Example range:

192.168.10.100 – 192.168.10.200

This ensures devices connecting to the VLAN receive IP addresses automatically.

Without DHCP, clients in VLAN 10 will not communicate properly.

Step 4: Create a Rule for the VLAN to Use the Internet

Create a firewall rule:

Source Zone: GUEST
Destination Zone: WAN
Services: Any
Action: Allow

This allows internet access for VLAN 10 users.

If needed, you can restrict:

• SMB access

• LAN access

• Internal servers

This is where segmentation becomes powerful.

When you Configure VLAN Sophos properly, policy enforcement becomes very clean and manageable.

2️⃣ Configuration on the AP (UniFi)

Now we configure the UniFi AP.

Step 1: Create a Guest Network

Inside UniFi Controller:

Create a new Network.

Configure:

• VLAN ID: 10

• Purpose: Corporate or VLAN-only

• Gateway/Subnet handled by Sophos

The key here is VLAN tagging must match:

VLAN 10 on Sophos
VLAN 10 on UniFi

A mismatch will cause connectivity failure.

Step 2: Create a Guest Wi-Fi Network

Create a new Wi-Fi SSID.

Example:

SSID: Guest-WiFi

Assign it to:

Guest Network (VLAN 10)

This ensures traffic from that SSID is tagged with VLAN 10.

Step 3: Assign the Guest Network to the Guest Wi-Fi Network

Map:

Guest Wi-Fi → Guest Network (VLAN 10)

Once applied:

Devices connecting to Guest-WiFi
Will receive IP from 192.168.10.0/24
Will follow firewall rules under GUEST zone

This completes VLAN segmentation between Sophos and UniFi.

✅ Verification

After configuration:

1. Connect to Guest Wi-Fi

2. Check assigned IP

Expected:

192.168.10.x

3. Test internet access

4. Confirm no access to LAN (if blocked)

This confirms successful VLAN isolation.

⚠️ Common Mistakes When Integrating Sophos with UniFi

❌ VLAN ID mismatch
❌ Wrong zone assignment
❌ Missing firewall rule
❌ DHCP not enabled
❌ Untagged switch port
❌ Incorrect trunk configuration

Always verify switch port mode:

• Trunk (if multiple VLANs)

• Access (if single VLAN)

Improper tagging is the most common issue when deploying VLANs.

🏗 Why Proper VLAN Design Matters

When you Configure VLAN Sophos correctly:

✔ Traffic is segmented
✔ Broadcast domains are reduced
✔ Security policies are cleaner
✔ Guest access is isolated
✔ Network becomes scalable

This architecture supports:

• Additional VLANs for HR

• VLAN for CCTV

• VLAN for VoIP

• VLAN for Servers

You can scale without redesigning the network.

🔐 Best Practices

• Use separate zones for each VLAN

• Avoid allowing VLAN-to-LAN unless required

• Use meaningful VLAN IDs

• Document your topology

• Test before production deployment

Network segmentation is not optional in modern environments.

🎯 Conclusion

In this guide, you successfully learned how to:

• Create a zone on Sophos

• Add a VLAN interface (VLAN 10 – 192.168.10.0/24)

• Enable DHCP

• Create internet access rule

• Configure UniFi guest network

• Assign VLAN to Wi-Fi

You now understand how to Configure VLAN Sophos and integrate it with UniFi access points properly.

This setup provides:

🔒 Stronger security
📶 Clean Wi-Fi segmentation
🌍 Controlled internet access
📈 Scalable architecture

In the next tutorial, you can expand this design by:

• Adding inter-VLAN routing policies

• Applying bandwidth control

• Implementing VLAN-based content filtering

• Deploying multiple SSIDs for departments

A clean VLAN design is the foundation of a professional network — and now you’ve built one. 🚀