Setting up an "internet-only" WiFi AP on a physical interface/port.
Frank_P
Newbie ✭
We have a TZ350, without the built-in wireless option. I wanted to provide internet access via Wi-Fi for customers, but wanted to make sure that customers cannot access devices LAN. I figured that the best way to do this was to connect the AP to the X2 port (which I was not using for anything else.) I then planned to configure the X2 port to only have access to X1 (WAN), and no devices on the X0 interface (the LAN that all other "employee only" devices are connected to.) After going through the steps from several guides and videos I found online, I could not get this to work for some reason. Most of these videos suggested that a new virtual interface/VLAN be created for the wireless users. Eventually, I created a new Zone for wireless users, and unchecked the boxes to copy access rules. I assigned the zone to X2. I also assigned a static IP address to X2, along with a dynamic DHCP pool for X2. I then created a new rule that grants X2 access to the WAN interface (X1). I _did not_ create a new virtual interface/VLAN, as this appeared to be unnecessary. This seems to be working. A laptop connected to the WiFi AP can access the internet, but cannot “see” or ping anything on X0. I included pictures to clarify what I did. The wireless devices also appear to be obtaining DHCP leases from the pool that's assigned to X2.
Does anyone see any potential problems with this setup? Will this configuration provide suitable security to prevent wireless uses from gaining access to the X0 LAN?
This is the first time I have tried to configure a complex router. Constructive input and advice are therefore
Best Answers
-
OptionsCORRECT ANSWER
Twizz728
Newbie ✭
@Frank_P
This is how I have mine setup. I have my internal secure LAN on X0, WAN X1, Guest WiFi using the WiFi zone assignment on X6. I just ensure that there are no rules allowing X6 to X0, but I did have to create a rule to allow connections from my X6 guest interface to a specific IP on the X0 interface for a copier shared by the entire building. I've not ran into any security issues with this setup.0 -
OptionsCORRECT ANSWERArkwright
All-Knowing Sage ✭✭✭✭
I think that zone security type "public" will by default not create rules from this new zone to LAN. So long as you haven't manually added a 'Wireless AP, Internet Only' -> 'LAN' allow rule, you should be good.
0
Answers
Does anyone see any potential problems with this setup?
Once your non-customer users ask for wireless how will you provide it?
Will this configuration provide suitable security to prevent wireless uses from gaining access to the X0 LAN?
What are your 'Wireless AP, Internet Only' to 'LAN' access rules? Or any other sensitive zone?
I get why you named your new zone 'Wireless AP, Internet Only', but thats more of a description than a name. Try something like 'GUEST'.
Thank you, everyone, for your advice!
Hello there,
I tried to manage to do the same, but I couldn't success.
My Sonicwall is a Soho without Wireless option. I tried to connect a physical AP to X4 (X4 was not in use at all) and followed the guidence above but, there is no internet connection for the clients of the AP.
The access point's DHCP is active and it's static IP is the same as I defined in the Interfaces section of Sonicwall.
What could be the wrong with this setup?
What could be the wrong with this setup?
Giving the AP the same IP as the firewall will prevent anyone from getting out to the internet.