I setup a remote office with a Sophos XG firewall and Meraki MR45 AP. The Meraki AP has a POE injector and is plugged directly into the Sophos.
We have two SSIDs broadcasted, one Corp WLAN via RADIUS server and a guest/mobile WLAN. Users who connect to the Corp WLAN get an IP in the correct range and can pass traffic and connect to the domain controllers and corp network just fine. There is VLAN tagging on the Corp WLAN.
However, when users connect to the guest/mobile WLAN, they get the correct IP from the IP range but they are unable to pass traffic. The VLAN is tagged correctly. The Sophos acts as the DHCP server, and the DNS it serves is set to 18.104.22.168 and 22.214.171.124. When I check the Sophos firewall, I see the firewall allowing traffic. When I check the logs I see DNS failures for that SSID. However, I'm not sure if this is actually an DNS issue as I had the remote user try to access websites by IP address and it fails.
I don't have this problem at any of our other sites and the SSID for the mobile/guest network is templated from our other site. One piece that is different at this site is there is no Meraki switch which is probably not the issue.
Also, if I disable VLAN tagging for the mobile/guest SSID, it puts it on the default VLAN (as it should) and is able to connect and pass traffic. This obviously isn't what I want since it's on the corporate network. Any ideas how to troubleshoot?