AP Deployment with VLANs and Guest Network
If you have a complex network environment with security and policy requirements for wireless users, you can enable VLANs on the SSIDs for your wireless network. VLANs enable you to apply wireless security policies to each SSID on the Firebox, and to separate network traffic for each SSID on a dedicated VLAN.
With this deployment scenario, there are two primary methods you can use to physically connect your WatchGuard AP to the network:
- Connect the AP directly to the Firebox on a Trusted, Optional, or Custom network configured as a VLAN interface. You create VLANs on the Firebox for AP management, and for each wireless SSID.
- Connect the AP to a managed network switch configured with the VLAN information for the related SSIDs. You can also configure the same VLANs on the Firebox, so that you can use the VLANs in firewall policies for each SSID.
AP Deployment and Firebox Policies
Wireless users who connect to the SSID for a specific VLAN can access other resources on the same VLAN, but do not automatically have access to resources connected to other interfaces or VLANs in the same security zone, such as Trusted, Custom, or Optional. You must create additional Firebox policies if you want to allow traffic to other interfaces and VLANs.
Custom Interface and Guest Wireless Security
We recommend the Custom interface security zone for the guest wireless interface. By default Custom interfaces are not included in firewall policies, so this is a secure starting point to prevent guest wireless user connections to network resources on a Trusted or Optional network. You must specifically create policies for access for the Custom security zone, including outbound access and access to other interfaces and networks.
Required VLAN Types
To enable VLAN tagging in your AP SSIDs, there are two types of VLANs you must create:
- Tagged VLANs for SSIDs — The AP uses tagged VLANs to separate wireless traffic from each SSID. You must create a tagged VLAN for each SSID you configure in your wireless network.
- Untagged VLAN for AP management — The Gateway Wireless Controller on the Firebox discovers and manages all WatchGuard APs through a special management connection. You must create a separate, untagged VLAN to use for management connections to your APs. The AP management IP address cannot be an IP address on a tagged VLAN.
If you enable management communications VLAN tagging in the AP configuration, the Firebox can use a tagged VLAN for management connections to the AP. An untagged VLAN is still required for the initial connection to an AP that has not yet been paired.
You can choose from two different methods to set up VLANs based on where you connect the AP to your network:
- Connect the AP directly to a Firebox — To connect your AP directly to your Firebox, you must set up VLANs on the Firebox interface that the AP connects to.
  - On your Firebox, create a VLAN for AP management and VLANs for all wireless SSIDs.
  - Configure the Firebox interface to send and receive tagged traffic for the VLANs for each of your SSIDs, and to send and receive untagged traffic for the AP communication VLAN.
- Connect the AP to a managed switch — To connect your AP to a managed switch, you set up VLANs on the managed switch interfaces and on the Firebox interface that the switch connects to.
  - On your Firebox, create a VLAN for AP management and VLANs for all wireless SSIDs.
  - Configure the Firebox interface to send and receive tagged traffic for the VLANs for each of your SSIDs, and to send and receive untagged traffic for the AP communication VLAN.
  - On the switch, configure the interfaces that connect to the Firebox and to the AP to send and receive tagged traffic for the VLANs for each of your SSIDs. Configure the same interfaces on the switch to send and receive untagged traffic for the AP management communications VLAN.
For more information about when and how to configure VLANs for use with WatchGuard APs, go to Configure VLANs for WatchGuard APs.
For more information about how to enable tagged and untagged VLANs on switch interfaces, see the documentation for your switch.
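To make the tagged and untagged distinction concrete, here is an added example (not WatchGuard code and not from this page) that builds Ethernet frames with and without an 802.1Q tag and classifies them the way an interface configured as described above would: tagged members VLAN10 and VLAN20, and untagged traffic assigned to the AP management VLAN30. The MAC addresses and payload are constructed, and the rule that a frame tagged for a VLAN that is not a member of the interface is dropped is an assumption based on standard 802.1Q ingress filtering, not a statement from this page.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q-tagged frame
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses and payload (not from a real capture).
AP_MAC = bytes.fromhex("02aabbccdd01")
FIREBOX_MAC = bytes.fromhex("02aabbccdd02")
SAMPLE_PAYLOAD = b"\x45\x00" + b"\x00" * 44  # constructed stand-in for an IPv4 packet

# Interface settings from the deployment above: tagged members VLAN10 and VLAN20,
# untagged traffic belongs to the AP management VLAN30.
TAGGED_MEMBERS = {10, 20}
UNTAGGED_VLAN = 30


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Build an Ethernet II frame; if vlan_id is given, insert an 802.1Q tag after the MACs."""
    header = dst + src
    if vlan_id is None:
        return header + struct.pack("!H", ethertype) + payload
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be in the range 1..4094")
    # TCI = 3-bit priority (PCP), 1-bit DEI, 12-bit VLAN ID
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)
    return header + struct.pack("!HH", TPID_8021Q, tci) + struct.pack("!H", ethertype) + payload


def classify_frame(frame, untagged_vlan=UNTAGGED_VLAN):
    """Return (vlan_id, tagged). Untagged frames are assigned the port's untagged VLAN."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return untagged_vlan, False
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, True


def port_ingress(frame, tagged_members=TAGGED_MEMBERS, untagged_vlan=UNTAGGED_VLAN):
    """Return the VLAN the frame is forwarded on, or None if it is dropped.

    Assumption for this example: a tagged frame whose VLAN is not a member of the
    port is discarded (802.1Q ingress filtering). This is why the AP management
    VLAN has to arrive untagged on an interface whose tagged members are only the
    SSID VLANs.
    """
    vlan_id, tagged = classify_frame(frame, untagged_vlan)
    if tagged and vlan_id not in tagged_members:
        return None
    return vlan_id


if __name__ == "__main__":
    cases = (("trusted SSID", 10), ("guest SSID", 20), ("AP mgmt, untagged", None), ("stray VLAN", 99))
    for label, vid in cases:
        frame = build_frame(FIREBOX_MAC, AP_MAC, ETHERTYPE_IPV4, SAMPLE_PAYLOAD, vlan_id=vid)
        print(f"{label:18s} -> forwarded on VLAN {port_ingress(frame)}")
```

Running the script shows the trusted and guest frames landing on VLAN 10 and 20, the untagged frame landing on VLAN 30, and a frame tagged for a non-member VLAN being dropped; the same four cases are what you would expect to see when you inspect a capture on the trunk between the AP and the Firebox.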
Create VLANs on Your Firebox
In this configuration example, we create three VLANs:
VLAN for trusted wireless access
- Description — Used for the primary trusted wireless network.
- VLAN ID — 10
- Interface type — Trusted
- IP address — 10.0.10.1/24
- DHCP range — 10.0.10.2 - 10.0.10.20
VLAN for wireless guest access
- Description — Used for the guest wireless network.
- VLAN ID — 20
- Interface type — Custom
- IP address — 10.0.20.1/24
- DHCP range — 10.0.20.2 - 10.0.20.20
We recommend the Custom interface security zone for the guest wireless interface because by default the Custom interface has no access policies and is a secure starting point to prevent guest wireless users from accessing a Trusted or Optional network.
Untagged VLAN for AP Management
- Description — Used for AP discovery and management by the Gateway Wireless Controller.
- VLAN ID — 30
- Interface type — Trusted
- IP address — 10.0.30.1/24
- DHCP range — 10.0.30.2 - 10.0.30.20
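As an added example (not from this page and not WatchGuard code), the following Python encodes the three-VLAN plan above and checks it against the rules stated in this document: SSID VLANs are tagged, the AP management VLAN is untagged, the guest VLAN uses the Custom zone, and each DHCP range lies inside its own subnet without including the interface address or overlapping another VLAN. The VlanPlan type, its role field, the guest_names parameter and the check functions are this example's own; the VLAN IDs, zones and addresses are the ones listed in the plan.

```python
import dataclasses
import ipaddress

ZONES = ("Trusted", "Optional", "Custom")


@dataclasses.dataclass(frozen=True)
class VlanPlan:
    """One VLAN of the plan. 'role' is 'ssid' or 'management' (this example's own field)."""
    name: str
    vlan_id: int
    zone: str
    interface: str      # interface IP address in slash notation
    dhcp_start: str
    dhcp_end: str
    tagged: bool
    role: str


# The three VLANs from the configuration example.
PLAN = [
    VlanPlan("VLAN10", 10, "Trusted", "10.0.10.1/24", "10.0.10.2", "10.0.10.20", True, "ssid"),
    VlanPlan("VLAN20", 20, "Custom", "10.0.20.1/24", "10.0.20.2", "10.0.20.20", True, "ssid"),
    VlanPlan("VLAN30", 30, "Trusted", "10.0.30.1/24", "10.0.30.2", "10.0.30.20", False, "management"),
]


def variant(vlan, **changes):
    """Copy of a VlanPlan with some fields changed (used to exercise the checks)."""
    return dataclasses.replace(vlan, **changes)


def check_vlan(v):
    """Problems with a single VLAN entry; an empty list means the entry is fine."""
    problems = []
    if not 1 <= v.vlan_id <= 4094:
        problems.append(f"{v.name}: VLAN ID {v.vlan_id} is outside 1..4094")
    if v.zone not in ZONES:
        problems.append(f"{v.name}: unknown security zone {v.zone!r}")
    iface = ipaddress.ip_interface(v.interface)
    net = iface.network
    start, end = ipaddress.ip_address(v.dhcp_start), ipaddress.ip_address(v.dhcp_end)
    if start > end:
        problems.append(f"{v.name}: DHCP range start {start} is after end {end}")
    if start not in net or end not in net:
        problems.append(f"{v.name}: DHCP range {start}-{end} is not inside {net}")
    if start <= iface.ip <= end:
        problems.append(f"{v.name}: DHCP range includes the interface address {iface.ip}")
    if v.role == "ssid" and not v.tagged:
        problems.append(f"{v.name}: SSID VLANs must be tagged")
    if v.role == "management" and v.tagged:
        problems.append(f"{v.name}: the AP management VLAN must be untagged")
    return problems


def check_plan(plan, guest_names=("VLAN20",)):
    """Problems with the whole plan; an empty list means it satisfies the rules."""
    problems = []
    ids = [v.vlan_id for v in plan]
    if len(set(ids)) != len(ids):
        problems.append("VLAN IDs are not unique")
    seen = []
    for v in plan:
        problems.extend(check_vlan(v))
        net = ipaddress.ip_interface(v.interface).network
        for other_name, other_net in seen:
            if net.overlaps(other_net):
                problems.append(f"{v.name}: subnet {net} overlaps {other_name} ({other_net})")
        seen.append((v.name, net))
        if v.name in guest_names and v.zone != "Custom":
            problems.append(f"{v.name}: guest wireless VLAN should use the Custom zone")
    if not any(v.role == "management" and not v.tagged for v in plan):
        problems.append("an untagged AP management VLAN is required")
    return problems


if __name__ == "__main__":
    print("plan problems:", check_plan(PLAN) or "none")
    broken = [PLAN[0], variant(PLAN[1], zone="Trusted"), variant(PLAN[2], tagged=True)]
    for problem in check_plan(broken):
        print("broken plan:", problem)
```

The plan as written passes with no findings; the broken variant in the script shows the two mistakes that most often undo the security of this design, a guest VLAN placed in the Trusted zone and a management VLAN that has been tagged.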
Create a VLAN for the Trusted Wireless SSID
Fireware Web UI:
- Select Network > VLAN.
- Click Add.
- In the Name text box, type a name for this VLAN.
For this example, type VLAN10.
- In the Description text box, type a descriptive comment for this VLAN.
For this example, type VLAN for the trusted wireless network.
- In the VLAN ID text box, type a VLAN ID number.
For this example, type 10.
- From the Security Zone drop-down list, select the security zone for this VLAN and SSID.
For this example, select Trusted, the zone for the trusted wireless VLAN interface.
- In the IP Address text box, type the IP address for the VLAN interface in slash notation.
For this VLAN, type 10.0.10.1/24.
- On the Network tab, add a DHCP server.
- In the Starting IP and Ending IP text boxes, type the IP addresses for the DHCP range.
For this VLAN, type 10.0.10.2 and 10.0.10.20.
- Select VLAN tag settings for your VLAN interface. In this example, we tag the trusted wireless VLAN traffic.
- Click Save to save this VLAN configuration.
Policy Manager:
- Select Network > Configuration.
- Select the VLAN tab.
- Click Add.
- In the Name (Alias) text box, type a name for this VLAN.
For this example, type VLAN10.
- In the Description text box, type a descriptive comment for this VLAN.
For this example, type VLAN for the trusted wireless network.
- In the VLAN ID text box, type a VLAN ID number.
For this example, type 10.
- From the Security Zone drop-down list, select the security zone for this VLAN and SSID.
For this example, select Trusted, the zone for the trusted wireless VLAN interface.
- In the IP Address text box, type the IP address for the VLAN interface in slash notation.
For this VLAN, type 10.0.10.1/24.
- Select Use DHCP Server and click Add.
- In the Starting IP and Ending IP text boxes, type the IP addresses for the DHCP range.
For this VLAN, type 10.0.10.2 and 10.0.10.20.
- Click OK to save this VLAN configuration.
Create a VLAN for the Guest Wireless SSID
Fireware Web UI:
- Select Network > VLAN.
- Click Add.
- In the Name text box, type a name for this VLAN.
For this example, type VLAN20.
- In the Description text box, type a descriptive comment for this VLAN.
For this example, type VLAN for the guest wireless network.
- In the VLAN ID text box, type a VLAN ID number.
For this example, type 20.
- From the Security Zone drop-down list, select the security zone for this VLAN and SSID.
For this example, select Custom, the zone for the guest wireless VLAN interface.
- In the IP Address text box, type the IP address for the VLAN interface in slash notation.
For this VLAN, type 10.0.20.1/24.
- On the Network tab, add a DHCP server.
- In the Starting IP and Ending IP text boxes, type the IP addresses for the DHCP range.
For this VLAN, type 10.0.20.2 and 10.0.20.20.
- Select VLAN tag settings for your VLAN interface. In this example, we tag the guest wireless VLAN traffic.
- Click Save to save this VLAN configuration.
Policy Manager:
- Select Network > Configuration.
- Select the VLAN tab.
- Click Add.
- In the Name (Alias) text box, type a name for this VLAN.
For this example, type VLAN20.
- In the Description text box, type a descriptive comment for this VLAN.
For this example, type VLAN for the guest wireless network.
- In the VLAN ID text box, type a VLAN ID number.
For this example, type 20.
- From the Security Zone drop-down list, select the security zone for this VLAN and SSID.
For this example, select Custom. We recommend the Custom zone because traffic for a custom interface is not allowed through the Firebox unless you specifically configure policies to allow it. This is important for wireless guest network security, to make sure guest users cannot access a trusted or optional network.
When you use the Custom security zone, you must specifically add the guest wireless network to your Outgoing policy to allow outbound access for guest wireless users.
- In the IP Address text box, type the IP address for the VLAN interface in slash notation.
For this example, type 10.0.20.1/24.
- Select Use DHCP Server and click Add.
- In the Starting IP and Ending IP text boxes, type the IP addresses for the DHCP range.
For this example, type 10.0.20.2 and 10.0.20.20.
- Click OK to save the VLAN configuration.
Create a VLAN for AP Management
Fireware Web UI:
- Select Network > VLAN.
- Click Add.
- In the Name text box, type a name for this VLAN.
For this example, type VLAN30.
- In the Description text box, type a descriptive comment for this VLAN.
For this example, type VLAN for AP management connections.
- In the VLAN ID text box, type a VLAN ID number.
For this example, type 30.
- From the Security Zone drop-down list, select the security zone for this VLAN.
For this example, select Trusted, the zone for the AP communication VLAN interface.
- In the IP Address text box, type the IP address for the VLAN interface in slash notation.
For this VLAN, type 10.0.30.1/24.
- On the Network tab, add a DHCP server.
- In the Starting IP and Ending IP text boxes, type the IP addresses for the DHCP range.
For this VLAN, type 10.0.30.2 and 10.0.30.20.
- Select VLAN tag settings for your VLAN interface. In this example, we do not tag the AP communication VLAN traffic.
- Click Save to save this VLAN configuration.
When complete, the example VLAN settings look like this:
Policy Manager:
- Select Network > Configuration.
- Select the VLAN tab.
- Click Add.
- In the Name (Alias) text box, type a name for this VLAN.
For this example, type VLAN30.
- In the Description text box, type a descriptive comment for this VLAN.
For this example, type VLAN for AP management connections.
- In the VLAN ID text box, type a VLAN ID number.
For this example, type 30.
- From the Security Zone drop-down list, select the security zone for this VLAN.
For this example, select Trusted, the zone for the AP communication VLAN interface.
- In the IP Address text box, type the IP address for the VLAN interface in slash notation.
For this example, type 10.0.30.1/24.
- Select Use DHCP Server and click Add.
- In the Starting IP and Ending IP text boxes, type the IP addresses for the DHCP range.
For this example, type 10.0.30.2 and 10.0.30.20.
- Click OK to save the VLAN configuration.
When complete, the example VLAN settings look like this:
Add VLANs to a Network Interface (Policy Manager)
If you use Policy Manager, you must add these VLANs to a network interface and select your tagging options.
- Select Network > Configuration.
- Select the Interfaces tab.
- Select the network interface to use for VLANs and click Configure.
The Interface Settings dialog box appears for the selected interface.
- In the Interface Name text box, type a name for this VLAN interface.
- In the Interface Description text box, type a description for this VLAN interface.
- From the Interface Type drop-down list, select VLAN.
- To receive tagged VLAN data on this network interface, select the Send and receive tagged traffic for selected VLANs check box.
- Select the Member check box for each tagged VLAN to include on this interface.
For this example, select VLAN10 and VLAN20. Only the SSID VLANs are tagged. The AP communication VLAN must remain untagged.
- To configure the interface to receive untagged data, select the Send and receive untagged traffic for selected VLAN check box.
To send and receive untagged data for the AP communication VLAN, you must select this option.
- From the drop-down list, select the AP communication VLAN, VLAN30, as the untagged VLAN.
- Click OK.
- Save the configuration file to your Firebox.
Add SSIDs to the Gateway Wireless Controller
Fireware Web UI:
- Select Network > Gateway Wireless Controller.
- Select the Enable the Gateway Wireless Controller check box.
- On the SSIDs tab, click Add.
- In the Network Name (SSID) text box, type Trusted.
- Select the Enable VLAN tagging check box.
This is required because this SSID VLAN must be tagged.
- In the VLAN ID text box, type or select 10.
- In the Access Points tab, select the APs that you want to use this SSID.
- Select the Security tab.
- Configure your wireless encryption security settings for this SSID.
- Click Save to save the SSID configuration.
- On the SSIDs tab, click Add.
The Add SSID dialog box appears, with the Settings tab selected.
- In the Network Name (SSID) text box, type Guest.
- Select the Enable VLAN tagging check box.
This is required because this SSID VLAN must be tagged.
- In the VLAN ID text box, type or select 20.
- In the Access Points tab, select the APs that you want to use this SSID.
- Select the Security tab.
- Configure your wireless encryption security settings for this SSID.
- Click Save to save the SSID configuration.
Policy Manager:
- Select Network > Gateway Wireless Controller.
The Gateway Wireless Controller dialog box appears, with the SSIDs tab selected.
- Select the Enable the Gateway Wireless Controller check box.
- On the SSIDs tab, click Add.
The Add SSID dialog box appears, with the Settings tab selected.
- In the Network Name (SSID) text box, type Trusted.
- Select the Enable VLAN tagging check box.
This is required because this SSID VLAN must be tagged.
- In the VLAN ID text box, type or select 10.
- In the Access Points tab, move the APs that you want to use this SSID from the Available list to the Member list.
- Select the Security tab.
- Configure your wireless encryption security settings for this SSID.
- Click OK to save the SSID configuration.
The Gateway Wireless Controller dialog box appears, with the Trusted SSID in the SSID list.
- On the SSIDs tab, click Add.
The Add SSID dialog box appears, with the Settings tab selected.
- In the Network Name (SSID) text box, type Guest.
- Select the Enable VLAN tagging check box.
This is required because this SSID VLAN must be tagged.
- In the VLAN ID text box, type or select 20.
- In the Access Points tab, move the APs that you want to use this SSID from the Available list to the Member list.
- Select the Security tab.
- Configure your wireless encryption security settings for this SSID.
- Click OK.
The Gateway Wireless Controller dialog box appears, with the Trusted and Guest SSIDs in the SSID list.
- Click OK to save the Gateway Wireless Controller configuration.
- Save the configuration file to your Firebox.
After you have configured the SSIDs, you can pair any additional APs with the Firebox and assign these SSIDs to the radios on each AP.