TECH.ROOM

   Home | HostCheetah.net | ParagonHost.net | LiquidLayer.net | RamNode | News | Products | Blog | Video | Crawler.Search | Helpdesk

Watchguard VLAN with Wireless Client Isolation Q&A


#1

Question:

I am configuring a new network for a local organization. I’ll try to briefly describe what we need to accomplish, so I need to make sure I know exactly what equipment we need to recommend.

First, I am looking at the Firebox M370 for the router/firewall. We will need at least 6 and possibly up to 8 separate networks to isolate various offices from each other, yet still offering the capability for the different offices to print to a common printer that will be connected on the Network 2 (Public Commons). All networks will share the same Internet connection.

• Network 1 – Econ Dev Offices
• Network 2 – Public Commons
o Special note: Most hard-wired devices on this network should be isolated from each other, but all should have access to the common printer.
• Network 3 – Office 1
• Network 4 – Office 2
• Network 5 – Office 3
• Network 6 – Office 4

Additionally, all offices need to be able to have their own Wifi Network that is tied to their own hard-wired network (for example, SSID 1 should tie to Network 1, SSID 2 – should tie to Network 2). This will allow them to access the files on their network’s devices and print to the hard-wired printers within their network.

However, the Wifi ALSO must have these capabilities:
• The Public Wifi must be able to isolate each device from another – EXCEPT that all wifi connected devices on this network CAN access a common hard-wired printer and connect to two different Smart TVs as needed.
• All other Wifi networks must be able to connect to the common printer, which will be connected to the physical Network 2 (Public Commons) by ethernet.

It appears the Watchguard APs allow for up to 8 SSIDs, but do the APs allow for the needs as specified above? If not, what equipment would be necessary to accomplish these objectives?


Answer:

All of this is VLAN topology, the Watchguard will support VLAN Tagging which comes from your switching architecture, not the Watchguard as you may already know. (Along with dedicated policy for that VLAN Tag)

The printer port within your switch programming would be configured to accept traffic from the VLAN’s you wish to give access to.

You may enable VLAN Tagging in SSID’s which reference you note on AP configuration – see this doc
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/wireless/ap_vlan_about_c.html

But the VLAN would be setup within your switching fabric for which Watchguard can manage VLAN tagging and Virtual VLAN interfaces for where you can apply policy’s.

The above document will reference much of basic theory along with some screen shots.

Client Isolation (as you asked about) is supported by the Watchguard AP/Controller noted within this Tech Document:
http://www.watchguard.com/help/docs/fireware/12/en-us/Content/en-US/wireless/ap_station_isolation_c.html

Your installation I can see will need a bit of expertise in VLAN configuration along with Watchguard experience. You will however be provided with support direct from Watchguard for something that may not be working as anticipated within the traditional break fix support, but it is not Pro Services.

Liquid Layer Networks

Powered by:

HostCheetah Networks
Global Web Hosting, Domain Registration and Internet Services
http://hostcheetah.net | http://hostcheetah.uk