02-12-2026 06:41 AM
Hi
I have set up a guest VLAN for a Sophos firewall and am rolling it out throughout the Extreme network. The core switch is an X670G2-48x-4q. I want the core to just pass the traffic to the internet. Currently the traffic for the guest VLAN can see my LAN, which I don't want. I have set the rules on the firewall but nothing is happening.
When I enable ipforwarding to guest, it starts to see the other VLANs; when I disable it, the internet becomes intermittent. I have the core as a gateway for the LAN VLANs, while the Sophos is a gateway for the guest VLAN.
How do I block the guest VLAN from seeing or pinging the internal VLANs or LAN?
Thank you.
02-13-2026 06:40 AM
Good Morning Thothome,
On the 670G2 you can create a separate guest virtual-router. In that new virtual router create the guest VLAN. The traffic from your existing VR and the Guest VR will be invisible to each other. Create a p2p link with a /30 address between the 670 Guest VR and a new Guest sub interface on the FW. Put a static route in the Guest VR pushing all traffic to the firewall. Give the FW side of the p2p link a static NAT using one of your public IP addresses.
The guest VLAN can use the 670 as its gateway. In the guest VR have a default route that points through the FW to the internet.
02-13-2026 05:19 AM
thothome,
If the Sophos is the gateway for the guest network, set an interface IP on the Sophos and use that as the gateway for the VLAN - take the IP address off the X670 VLAN for guest and just pass it to the Sophos on an untagged VLAN. That would be the quick way...
You can also add a Policy so that the guest IP range cannot talk to the other IP ranges you have in the network.
Thanks,
Bill
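An added example, not part of the thread or of anyone's posted configuration: a sketch of the kind of ExtremeXOS ACL policy file the reply above describes, denying the guest range access to internal ranges at the switch. The policy name `guest_isolate`, the VLAN name `guest` and all subnets (guest 192.168.50.0/24, internal 10.0.0.0/8 and 172.16.0.0/12) are assumptions to be replaced with the real values.

```text
# guest_isolate.pol (constructed example; all addresses are placeholders)
# Guest subnet assumed:    192.168.50.0/24
# Internal ranges assumed: 10.0.0.0/8 and 172.16.0.0/12

# Drop guest traffic addressed to the first internal range.
entry deny_guest_to_lan_10 {
    if match all {
        source-address 192.168.50.0/24 ;
        destination-address 10.0.0.0/8 ;
    } then {
        deny ;
    }
}

# Drop guest traffic addressed to the second internal range.
entry deny_guest_to_lan_172 {
    if match all {
        source-address 192.168.50.0/24 ;
        destination-address 172.16.0.0/12 ;
    } then {
        deny ;
    }
}

# Everything else from the guest subnet (internet-bound traffic,
# traffic to the guest gateway) is allowed through.
entry permit_guest_rest {
    if {
        source-address 192.168.50.0/24 ;
    } then {
        permit ;
    }
}
```

Validate the file with `check policy guest_isolate`, then bind it with `configure access-list guest_isolate vlan guest ingress`. Entries are evaluated top to bottom, so the deny entries must stay above the permit.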
02-12-2026 06:44 AM
I am using AP6 840 access points for the guest SSID.
Sophos FW - Extreme X670G2-48x-4q core - Extreme X440G2 access - Sophos AP6 840