AP Deployment with VLANs and Guest Network

If you have a complex network environment with security and policy requirements for wireless users, you can enable VLANs on the SSIDs for your wireless network. VLANs enable you to apply wireless security policies to each SSID on the Firebox, and to separate network traffic for each SSID on a dedicated VLAN.

With this deployment scenario, there are two primary methods you can use to physically connect your WatchGuard AP to the network:

  • Connect the AP directly to the Firebox on a Trusted, Optional, or Custom network configured as a VLAN interface. You create VLANs on the Firebox for AP management, and for each wireless SSID.

Network diagram of two AP devices connected to two Firebox interfaces

  • Connect the AP to a managed network switch configured with the VLAN information for the related SSIDs. You can also configure the same VLANs on the Firebox, so that you can use the VLANs in firewall policies for each SSID.

Network diagram of two AP devices connected to a switch connected to a Firebox

AP Deployment and Firebox Policies

Wireless users who connect to the SSID for a specific VLAN can access other resources on the same VLAN, but do not automatically have access to resources connected to other interfaces or VLANs in the same security zone, such as Trusted, Custom, or Optional. You must create additional Firebox policies if you want to allow traffic to other interfaces and VLANs.

Custom Interface and Guest Wireless Security

We recommend the Custom interface security zone for the guest wireless interface. By default, Custom interfaces are not included in any firewall policy, so this is a secure starting point that prevents guest wireless users from reaching network resources on a Trusted or Optional network. You must explicitly create policies that allow access from the Custom security zone, including outbound access and access to other interfaces and networks.

Required VLAN Types

To enable VLAN tagging in your AP SSIDs, there are two types of VLANs you must create:

  • Tagged VLANs for SSIDs — The AP uses tagged VLANs to separate wireless traffic from each SSID. You must create a tagged VLAN for each SSID you configure in your wireless network.
  • Untagged VLAN for AP management — The Gateway Wireless Controller on the Firebox discovers and manages all WatchGuard APs through a special management connection. You must create a separate, untagged VLAN to use for management connections to your APs. The AP management IP address cannot be an IP address on a tagged VLAN.

If you enable management communications VLAN tagging in the AP configuration, the Firebox can use a tagged VLAN for management connections to the AP. An untagged VLAN is still required for the initial connection to an AP that has not yet been paired.

You can choose from two different methods to set up VLANs based on where you connect the AP to your network:

  • Connect the AP directly to a Firebox — To connect your AP directly to your Firebox, you must set up VLANs on the Firebox interface that the AP connects to.
    1. On your Firebox, create a VLAN for AP management and VLANs for all wireless SSIDs.
    2. Configure the Firebox interface to send and receive tagged traffic for the VLANs for each of your SSIDs, and to send and receive untagged traffic for the AP communication VLAN.
  • Connect the AP to a managed switch — To connect your AP to a managed switch, you set up VLANs on the managed switch interfaces and on the Firebox interface that the switch connects to.
    1. On your Firebox, create a VLAN for AP management and VLANs for all wireless SSIDs.
    2. Configure the Firebox interface to send and receive tagged traffic for the VLANs for each of your SSIDs, and to send and receive untagged traffic for the AP communication VLAN.
    3. On the switch, configure the interfaces that connect to the Firebox and to the AP to send and receive tagged traffic for the VLANs for each of your SSIDs. Configure the same interfaces on the switch to send and receive untagged traffic for the AP management communications VLAN.

For more information about when and how to configure VLANs for use with WatchGuard APs, go to Configure VLANs for WatchGuard APs.

For more information about how to enable tagged and untagged VLANs on switch interfaces, see the documentation for your switch.

Create VLANs on Your Firebox

In this configuration example, we create three VLANs:

VLAN for trusted wireless access

  • Description — Used for the primary trusted wireless network.
  • VLAN ID — 10
  • Interface type — Trusted
  • IP address — 10.0.10.1/24
  • DHCP range — 10.0.10.2 - 10.0.10.20

VLAN for wireless guest access

  • Description — Used for the guest wireless network.
  • VLAN ID — 20
  • Interface type — Custom
  • IP address — 10.0.20.1/24
  • DHCP range — 10.0.20.2 - 10.0.20.20

We use the Custom interface security zone for the guest wireless VLAN because, by default, Custom interfaces are not included in any firewall policy. This is a secure starting point that prevents guest wireless users from accessing a Trusted or Optional network until you explicitly add policies.

Untagged VLAN for AP Management

  • Description — Used for AP discovery and management by the Gateway Wireless Controller.
  • VLAN ID — 30
  • Interface type — Trusted
  • IP address — 10.0.30.1/24
  • DHCP range — 10.0.30.2 - 10.0.30.20
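The following script is an added example, not part of this documentation or of WatchGuard's products. It turns the rules from Required VLAN Types and the three example VLANs above into a check you can run before you touch the Firebox or the switch: every SSID must map to its own tagged VLAN, the AP management VLAN must be untagged (unless management VLAN tagging is enabled on the AP) and must not also carry an SSID, each DHCP range must sit inside its subnet without including the Firebox address, subnets must not overlap, and a guest SSID should land in the Custom zone. It also derives the port membership (tagged SSID VLANs, one untagged management VLAN) that the Firebox interface and every switch port in the path to the AP must share. The SSID names Corp-WiFi and Guest-WiFi, the BAD_PLAN data, and all function names are assumptions made for the example.

```python
"""Validate a Firebox/AP VLAN plan against the rules stated on this page.

Added example; not WatchGuard code. SSID names and the bad plan are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ZONES = {"Trusted", "Optional", "Custom"}


@dataclass
class Vlan:
    vlan_id: int
    zone: str                   # Firebox security zone of the VLAN interface
    interface_ip: str           # Firebox VLAN interface address, CIDR form
    dhcp_start: str
    dhcp_end: str
    tagged: bool                # True: carried tagged on the AP port; False: untagged
    ssid: Optional[str] = None  # SSID mapped to this VLAN; None for AP management


def check_plan(vlans, mgmt_vlan_id, mgmt_vlan_tagging=False):
    """Return a list of problems; an empty list means the plan satisfies the page's rules."""
    problems = []
    ids = [v.vlan_id for v in vlans]
    if len(ids) != len(set(ids)):
        problems.append("duplicate VLAN IDs in plan")
    by_id = {v.vlan_id: v for v in vlans}

    # AP management VLAN: must exist, must not carry an SSID, and must be untagged
    # unless management communications VLAN tagging is enabled in the AP configuration.
    mgmt = by_id.get(mgmt_vlan_id)
    if mgmt is None:
        problems.append(f"AP management VLAN {mgmt_vlan_id} is not defined")
    else:
        if mgmt.ssid is not None:
            problems.append(f"VLAN {mgmt_vlan_id} carries SSID {mgmt.ssid!r} "
                            "and cannot also be the AP management VLAN")
        if mgmt.tagged and not mgmt_vlan_tagging:
            problems.append(f"AP management VLAN {mgmt_vlan_id} must be untagged "
                            "unless management VLAN tagging is enabled on the AP")

    # SSID VLANs: one tagged VLAN per SSID; guest SSIDs belong in the Custom zone.
    seen_ssids = {}
    for v in vlans:
        if v.zone not in ZONES:
            problems.append(f"VLAN {v.vlan_id}: unknown zone {v.zone!r}")
        if v.ssid is None:
            continue
        if not v.tagged:
            problems.append(f"SSID {v.ssid!r} on VLAN {v.vlan_id} must use a tagged VLAN")
        if v.ssid in seen_ssids:
            problems.append(f"SSID {v.ssid!r} is mapped to VLANs "
                            f"{seen_ssids[v.ssid]} and {v.vlan_id}")
        seen_ssids[v.ssid] = v.vlan_id
        if "guest" in v.ssid.lower() and v.zone != "Custom":
            problems.append(f"guest SSID {v.ssid!r} on VLAN {v.vlan_id} should use the Custom zone")

    # Addressing: DHCP range inside the subnet, Firebox address excluded, no overlapping subnets.
    placed = []
    for v in vlans:
        iface = ipaddress.ip_interface(v.interface_ip)
        net = iface.network
        start = ipaddress.ip_address(v.dhcp_start)
        end = ipaddress.ip_address(v.dhcp_end)
        if not (start in net and end in net and start <= end):
            problems.append(f"VLAN {v.vlan_id}: DHCP range {start}-{end} is not inside {net}")
        elif start <= iface.ip <= end:
            problems.append(f"VLAN {v.vlan_id}: DHCP range includes the Firebox address {iface.ip}")
        for other_id, other_net in placed:
            if net.overlaps(other_net):
                problems.append(f"VLAN {v.vlan_id} subnet {net} overlaps VLAN {other_id} subnet {other_net}")
        placed.append((v.vlan_id, net))
    return problems


def trunk_membership(vlans):
    """VLAN membership for the Firebox interface and every switch port toward the AP:
    SSID VLANs tagged, exactly one untagged VLAN for AP discovery and management."""
    untagged = [v.vlan_id for v in vlans if not v.tagged]
    if len(untagged) != 1:
        raise ValueError("a port must carry exactly one untagged VLAN")
    return {"untagged": untagged[0], "tagged": sorted(v.vlan_id for v in vlans if v.tagged)}


# The three VLANs from this page; SSID names are assumed for the example.
PAGE_PLAN = [
    Vlan(10, "Trusted", "10.0.10.1/24", "10.0.10.2", "10.0.10.20", tagged=True, ssid="Corp-WiFi"),
    Vlan(20, "Custom", "10.0.20.1/24", "10.0.20.2", "10.0.20.20", tagged=True, ssid="Guest-WiFi"),
    Vlan(30, "Trusted", "10.0.30.1/24", "10.0.30.2", "10.0.30.20", tagged=False),
]

# Constructed counter-example: tagged management VLAN, guest in Trusted, overlapping subnet.
BAD_PLAN = [
    Vlan(10, "Trusted", "10.0.10.1/24", "10.0.10.2", "10.0.10.20", tagged=True, ssid="Corp-WiFi"),
    Vlan(20, "Trusted", "10.0.20.1/24", "10.0.20.2", "10.0.20.20", tagged=True, ssid="Guest-WiFi"),
    Vlan(30, "Trusted", "10.0.10.1/24", "10.0.10.2", "10.0.10.20", tagged=True),
]

if __name__ == "__main__":
    print("page plan problems:", check_plan(PAGE_PLAN, mgmt_vlan_id=30))
    print("port membership:", trunk_membership(PAGE_PLAN))
    for p in check_plan(BAD_PLAN, mgmt_vlan_id=30):
        print("bad plan:", p)
```

Run the script as-is to confirm the page's plan passes and to see the three findings for the constructed bad plan. To check your own deployment, replace PAGE_PLAN with the VLAN IDs, zones, and addresses you intend to configure, and pass `mgmt_vlan_tagging=True` only if you have enabled management communications VLAN tagging on the AP; remember that an untagged VLAN is still needed to pair an AP for the first time.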

Create a VLAN for the Trusted Wireless SSID

Create a VLAN for the Guest Wireless SSID

Create a VLAN for AP Management

Add VLANs to a Network Interface (Policy Manager)

If you use Policy Manager, you must add these VLANs to a network interface and select the tagging option for each one: tagged for the two SSID VLANs (10 and 20) and untagged for the AP management VLAN (30).

Add SSIDs to the Gateway Wireless Controller

After you have configured the SSID, you can pair any additional APs with the Firebox, and assign this SSID to the radios on each AP.

Related Topics

About AP Configuration

Configure APs with the Gateway Wireless Controller