coriumintl

Wireless Segregation without a firewall

I need to set up a public SSID that will be segregated from my internal LAN.

Equipment-wise, we have a NetVanta 1544 as our core switch for VLAN routing, a couple of NetVanta 1534s as our building L3 switches, and mostly AP 150s, but a single AP 160.

Do I have all the pieces to this puzzle?

Accepted solution

cj_

Re: Wireless Segregation without a firewall

Hi coriumintl:

Your NV150/160 APs will need to have an SSID "tied" to a particular VLAN for guest access. The APs must connect to 802.1Q VLAN trunk ports on your 15XX switches, which must have the new VLAN configured. The 15XX switches have no firewall capability, so I think it would be best to extend your Guest VLAN to your firewall. This can be done via an 802.1Q VLAN-encapsulated Ethernet link to your firewall or else from a separate interface, depending on the firewall and its capabilities; it's difficult to give advice about this without more information here. The firewall would need to allow Internet traffic to NAT out, but not allow traffic to/from your existing private/trusted/company security zone.

It's important to create the new VLAN in your 15XX switches but not create VLAN interfaces (with IP addresses). Just leave the Layer 2 VLAN in place to pass the segregated Guest traffic to the firewall. See this for more details about VLANs vs. VLAN interfaces:

Best,

CJ

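The switch-side requirement in the accepted answer (guest VLAN defined, carried on the trunks to the AP ports and to the firewall uplink, but with no VLAN interface holding an IP address on the switch) can be checked mechanically before the change goes live. The script below is an added example, not code from this thread or from ADTRAN. It parses a constructed switch configuration written in an assumed AOS/Cisco-like syntax (`interface switchport 0/1`, `switchport mode trunk`, `switchport trunk allowed vlan ...` are assumptions, not a verified NetVanta export), and the port names, VLAN numbers and addresses are made up for the example.

```python
"""
Check that a guest VLAN is Layer 2 only on a switch and is carried on the
ports that need it (AP ports and the firewall uplink).

Findings are returned as a list of strings; an empty list means the config
matches the "L2-only guest VLAN, routed only at the firewall" design.
"""
import re

# Constructed sample config (assumed AOS/Cisco-like syntax, not a real export).
# VLAN 10 is the company LAN and is routed on the switch; VLAN 100 is the guest
# VLAN and must NOT have an 'interface vlan 100' with an IP address.
SAMPLE_CONFIG = """\
vlan 10
 name Corporate
vlan 100
 name Guest
!
interface vlan 10
 ip address 10.10.0.1 255.255.255.0
!
interface vlan 100
 ip address 10.100.0.1 255.255.255.0
!
interface switchport 0/1
 description AP-150-Lobby
 switchport mode trunk
 switchport trunk allowed vlan 1,10,100
!
interface switchport 0/2
 description AP-160-Floor2
 switchport mode trunk
 switchport trunk allowed vlan 1,10
!
interface gigabit-switchport 0/1
 description Uplink-to-Firewall
 switchport mode trunk
 switchport trunk allowed vlan 1,10,100
!
"""


def parse_vlan_list(spec):
    """Expand '1,10,100' or '1-5,100' into a set of VLAN ids."""
    result = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            result.update(range(int(lo), int(hi) + 1))
        else:
            result.add(int(part))
    return result


def parse_config(text):
    """Return (vlan ids, {svi vlan: ip}, {port name: {"mode", "allowed"}})."""
    vlans, svi_ips, ports = set(), {}, {}
    current = None  # ("vlan", id) | ("svi", id) | ("port", name)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        if m := re.match(r"^vlan (\d+)$", line):
            vlans.add(int(m.group(1)))
            current = ("vlan", int(m.group(1)))
        elif m := re.match(r"^interface vlan (\d+)$", line):
            current = ("svi", int(m.group(1)))
        elif m := re.match(r"^interface (\S+ \S+)$", line):
            current = ("port", m.group(1))
            ports[m.group(1)] = {"mode": None, "allowed": set()}
        elif current and current[0] == "svi":
            if m := re.match(r"^ip address (\S+) \S+$", line):
                svi_ips[current[1]] = m.group(1)
        elif current and current[0] == "port":
            if m := re.match(r"^switchport mode (\S+)$", line):
                ports[current[1]]["mode"] = m.group(1)
            elif m := re.match(r"^switchport trunk allowed vlan (\S+)$", line):
                ports[current[1]]["allowed"] = parse_vlan_list(m.group(1))
    return vlans, svi_ips, ports


def check_guest_vlan(text, guest_vlan, required_ports):
    """Report every way the config departs from an L2-only, fully trunked guest VLAN."""
    vlans, svi_ips, ports = parse_config(text)
    findings = []
    if guest_vlan not in vlans:
        findings.append(f"VLAN {guest_vlan} is not defined in the VLAN database")
    if guest_vlan in svi_ips:
        findings.append(f"interface vlan {guest_vlan} has IP {svi_ips[guest_vlan]}: "
                        "guest traffic would be routed on the switch; remove the VLAN interface")
    for name in required_ports:
        port = ports.get(name)
        if port is None:
            findings.append(f"{name}: not present in config")
        elif port["mode"] != "trunk":
            findings.append(f"{name}: not a trunk port")
        elif guest_vlan not in port["allowed"]:
            findings.append(f"{name}: trunk does not allow VLAN {guest_vlan}")
    return findings


if __name__ == "__main__":
    ap_and_uplink = ["switchport 0/1", "switchport 0/2", "gigabit-switchport 0/1"]
    for finding in check_guest_vlan(SAMPLE_CONFIG, 100, ap_and_uplink) or ["OK"]:
        print(finding)
```

Run against the sample it reports two problems: the guest VLAN has a VLAN interface with an address on the switch (exactly what the answer says to avoid), and the trunk to the second AP does not carry VLAN 100. Pointing the same check at a real export only needs the port list adjusted, and any syntax difference between the assumed format and the actual switch output would show up as a "not present in config" finding rather than a silent pass.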
coriumintl

Re: Wireless Segregation without a firewall

Yeah, today I'm investigating what our WatchGuard XTM can provide for us. I figured after posting that I'd have to rely on our Firewall and do a VLAN without a VLAN interface.

I hope the WatchGuard can stand in as the DHCP server or we're going to be propping up a stand-alone DHCP server. Can't use the DHCP server from the 15xx's because we use UDP relay to a Windows DHCP server.

Thanks for confirming that I can't do it all with the switches I have.