2 Replies Latest reply on Apr 18, 2014 4:47 AM by coriumintl

    Wireless Segregation without a firewall

    coriumintl New Member

      I'm needing to setup a public SSID that will segregated from my internal LAN.


      Equipment wise we have a Netvanta 1544 as our core switch for Vlan routing, a couple of Netvanta 1534's as our building l3 switches and mostly AP 150s, but a single AP 160.


      Do I have all the pieces to this puzzle?

        • Re: Wireless Segregation without a firewall
          cj! Beta_User

          Hi coriumintl:


          Your NV150/160 APs will need to have an SSID "tied" to a particular VLAN for guest access.  The APs must connect to 802.1Q VLAN trunk ports on your 15XX switches which must have the new VLAN configured.  The 15XX switches have no firewall capability, so I think it would be best to extend your Guest VLAN to your firewall.  This can be done via an 802.1Q VLAN-encapsulated Ethernet link to your firewall or else from a separate interface, depending on the firewall and its capabilities--it's difficult to give advice about this without more information here.  The firewall would need to allow Internet traffic to NAT out, but not allow traffic to/from your existing private/trusted/company security zone.


          It's important to create the new VLAN in your 15XX switches but not create VLAN interfaces (with IP addresses).  Just leave the Layer 2 VLAN in place to pass the segregated Guest traffic to the firewall.  See this for more details about VLANs vs. VLAN interfaces:  The difference between VLANs and VLAN interfaces




            • Re: Wireless Segregation without a firewall
              coriumintl New Member

              Yeah, today I'm investigating what our WatchGuard XTM can provide for us. I figured after posting that I'd have to rely on our Firewall and do a VLAN without a VLAN interface.


              I hope the WatchGuard can stand in as the DHCP server or we're going to be proping up a stand alone DHCP server. Can't use the DHCP server from the 15xx's because we use UDP relay to a window's DHCP server.


              Thanks for confirming that I can't do it all with the switches I have.