AP Device Deployment with VLANs and Guest Network

If you have a complex network environment with security and policy requirements for wireless users, you can enable VLANs on the SSIDs for your wireless network. VLANs enable you to apply wireless security policies to each SSID on the Firebox, and to separate network traffic for each SSID on a dedicated VLAN.

With this deployment scenario, there are two primary methods you can use to physically connect your WatchGuard AP device to the network:

  • Connect the AP device directly to the Firebox on a Trusted, Optional, or Custom network configured as a VLAN interface. You create VLANs on the Firebox for AP device management, and for each wireless SSID.

Network diagram of two AP devices connected to two XTM device interfaces

  • Connect the AP device to a managed network switch configured with the VLAN information for the related SSIDs. You can also configure the same VLANs on the Firebox, so that you can use the VLANs in firewall policies for each SSID.

Network diagram of two AP devices connected to a switch connected to an XTM device

AP Deployment and Firebox Policies

Wireless users who connect to the SSID for a specific VLAN can access other resources on the same VLAN, but do not automatically have access to resources connected to other interfaces or VLANs in the same security zone, such as Trusted, Custom, or Optional. You must create additional Firebox policies if you want to allow traffic to other interfaces and VLANs.

Custom Interface and Guest Wireless Security

We recommend the Custom interface security zone for the guest wireless interface because, by default, the Custom zone has no access policies. It is therefore a secure starting point that prevents guest wireless users from reaching a Trusted or Optional network. You must explicitly create policies for the Custom security zone, including policies for outbound access and for access to other interfaces and networks.

Required VLAN Types

To enable VLAN tagging in your AP device SSIDs, there are two types of VLANs you must create:

  • Tagged VLANs for SSIDs — The AP device uses tagged VLANs to separate wireless traffic from each SSID. You must create a tagged VLAN for each SSID you configure in your wireless network.
  • Untagged VLAN for AP device management — The Gateway Wireless Controller on the Firebox discovers and manages all WatchGuard AP devices through a dedicated management connection. You must create a separate, untagged VLAN for management connections to your AP devices. By default, the AP device management IP address cannot be an IP address on a tagged VLAN.

If you enable management VLAN tagging in the AP device configuration, the Firebox can use a tagged VLAN for management connections to the AP device. An untagged VLAN is still required for the initial connection to an AP device that has not yet been paired, so the untagged management VLAN must remain in place even when you tag management traffic.

You can choose from two different methods to set up VLANs based on where you connect the AP device to your network:

  • Connect the AP device directly to a Firebox — To connect your AP device directly to your Firebox, you must set up VLANs on the Firebox interface that the AP device connects to.
    1. On your Firebox, create a VLAN for AP device management and VLANs for all wireless SSIDs.
    2. Configure the Firebox interface to send and receive tagged traffic for the VLANs for each of your SSIDs, and to send and receive untagged traffic for the AP device management VLAN.
  • Connect the AP device to a managed switch — To connect your AP device to a managed switch, you set up VLANs on the managed switch interfaces and on the Firebox interface that the switch connects to.
    1. On your Firebox, create a VLAN for AP device management and VLANs for all wireless SSIDs.
    2. Configure the Firebox interface to send and receive tagged traffic for the VLANs for each of your SSIDs, and to send and receive untagged traffic for the AP device management VLAN.
    3. On the switch, configure the interfaces that connect to the Firebox and to the AP device to send and receive tagged traffic for the VLANs for each of your SSIDs. Configure the same interfaces on the switch to send and receive untagged traffic for the AP device management VLAN.
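The tagged/untagged split that steps 2 and 3 configure can be seen at the frame level. The following is an added example, not code from the WatchGuard page or product: it builds Ethernet frames with and without an 802.1Q tag and emulates how a port configured as described sorts them. SSID traffic arrives with a tag naming the SSID's VLAN, management traffic arrives untagged and lands on the management VLAN. The MAC addresses, payload bytes and port settings are constructed; the VLAN IDs 10, 20 and 30 are those used in the configuration example later on this page.

```python
"""Added example (not code from the WatchGuard page or product): how a port
configured as the steps above describe sorts the frames an AP device sends.
SSID traffic arrives with an 802.1Q tag naming the SSID's VLAN; management
traffic arrives untagged and lands on the untagged management VLAN.
All MAC addresses, payloads and port settings here are constructed."""
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Return an Ethernet II frame. With vid set, insert a single 802.1Q tag
    (TPID + TCI) between the source MAC and the EtherType."""
    frame = _mac(dst) + _mac(src)
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VLAN ID must be in 1..4094")
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)   # PCP(3) DEI(1) VID(12)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (vid or None, inner EtherType, payload) for a frame that carries
    at most one 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner, frame[18:]


def classify_ingress(frame, tagged_vids, untagged_vid):
    """Emulate the port configuration from steps 2 and 3 above.

    Returns (vlan_id, "accept") for frames the port admits and
    (vlan_id, "drop") for the rest:
      - untagged frames are placed on the management VLAN;
      - tagged frames whose VID is one of the SSID VLANs are admitted as-is;
      - tagged frames with any other VID are dropped, including a tag that
        names the management VLAN, because this port carries that VLAN only
        untagged. (Real switches differ on that last case; this emulation
        takes the strict option.)
    """
    vid, _, _ = parse_frame(frame)
    if vid is None:
        return untagged_vid, "accept"
    if vid in tagged_vids:
        return vid, "accept"
    return vid, "drop"


if __name__ == "__main__":
    PORT_TAGGED, PORT_UNTAGGED = {10, 20}, 30   # constructed to match the example plan
    ap, firebox = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"
    body = b"\x45" + b"\x00" * 19              # constructed placeholder IPv4 header
    samples = {
        "AP management, untagged": build_frame(firebox, ap, ETHERTYPE_IPV4, body),
        "trusted SSID, tag 10": build_frame(firebox, ap, ETHERTYPE_IPV4, body, vid=10),
        "guest SSID, tag 20": build_frame(firebox, ap, ETHERTYPE_IPV4, body, vid=20, pcp=5),
        "unknown SSID, tag 99": build_frame(firebox, ap, ETHERTYPE_IPV4, body, vid=99),
        "management VLAN, tagged 30": build_frame(firebox, ap, ETHERTYPE_IPV4, body, vid=30),
    }
    for name, frame in samples.items():
        print(f"{name:28} -> {classify_ingress(frame, PORT_TAGGED, PORT_UNTAGGED)}")
```

The last sample is the one to watch when you check a switch configuration: the management VLAN is carried untagged on these ports, so a frame that arrives already tagged with VID 30 is not part of the configuration on this page, and a port that silently accepts it into the management VLAN is more permissive than the steps describe.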

For more information about when and how to configure VLANs for use with WatchGuard AP devices, see Configure VLANs for WatchGuard AP Devices.

For more information about how to enable tagged and untagged VLANs on switch interfaces, see the documentation for your switch.

Create VLANs on Your Firebox

In this configuration example, we create three VLANs:

VLAN for trusted wireless access

  • Description — Used for the primary trusted wireless network.
  • VLAN ID — 10
  • Interface type — Trusted
  • IP address — 10.0.10.1/24
  • DHCP range — 10.0.10.2 - 10.0.10.20

VLAN for wireless guest access

  • Description — Used for the guest wireless network.
  • VLAN ID — 20
  • Interface type — Custom
  • IP address — 10.0.20.1/24
  • DHCP range — 10.0.20.2 - 10.0.20.20

Untagged VLAN for AP Device Management

  • Description — Used for AP device discovery and management by the Gateway Wireless Controller.
  • VLAN ID — 30
  • Interface type — Trusted
  • IP address — 10.0.30.1/24
  • DHCP range — 10.0.30.2 - 10.0.30.20
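Before you create these VLANs it is worth checking the plan against the rules from Required VLAN Types and the guest-zone recommendation above. The following lint is an added example, not code from the WatchGuard page or product. It encodes the page's rules (a tagged VLAN per SSID, exactly one untagged management VLAN, the management address not on a tagged VLAN, the guest SSID in the Custom zone) plus basic IP sanity checks (DHCP range inside the subnet and excluding the gateway, no overlapping subnets, unique VLAN IDs), and also derives the tagging each Firebox interface or switch port needs. The VLAN values are the page's; the record layout, role names and messages are this example's own.

```python
"""Added example (not code from the WatchGuard page or product): a lint for the
VLAN plan above. It checks the rules stated under "Required VLAN Types" (a tagged
VLAN per SSID, one untagged management VLAN, management address not on a tagged
VLAN), the recommendation that the guest SSID use the Custom zone, and basic IP
sanity (DHCP range inside the subnet and excluding the gateway, no overlapping
subnets, unique VLAN IDs). The VLAN values are the page's; the record layout,
role names and messages are this example's own."""
import ipaddress

# The three VLANs from the configuration example on this page.
PLAN = [
    {"name": "trusted-wifi", "vid": 10, "zone": "Trusted", "tagged": True, "role": "ssid",
     "gateway": "10.0.10.1/24", "dhcp": ("10.0.10.2", "10.0.10.20")},
    {"name": "guest-wifi", "vid": 20, "zone": "Custom", "tagged": True, "role": "guest-ssid",
     "gateway": "10.0.20.1/24", "dhcp": ("10.0.20.2", "10.0.20.20")},
    {"name": "ap-mgmt", "vid": 30, "zone": "Trusted", "tagged": False, "role": "management",
     "gateway": "10.0.30.1/24", "dhcp": ("10.0.30.2", "10.0.30.20")},
]


def lint_plan(plan):
    """Return a list of human-readable findings; an empty list means the plan
    satisfies every check."""
    findings = []

    vids = [v["vid"] for v in plan]
    if len(set(vids)) != len(vids):
        findings.append("VLAN IDs are not unique")

    mgmt = [v for v in plan if v["role"] == "management"]
    if len(mgmt) != 1:
        findings.append(f"expected exactly one management VLAN, found {len(mgmt)}")
    for v in mgmt:
        if v["tagged"]:
            findings.append(f"{v['name']}: management VLAN must be untagged "
                            "(the AP management address cannot be on a tagged VLAN)")

    for v in plan:
        if v["role"].endswith("ssid") and not v["tagged"]:
            findings.append(f"{v['name']}: each SSID needs a tagged VLAN")
        if v["role"] == "guest-ssid" and v["zone"] != "Custom":
            findings.append(f"{v['name']}: guest SSID is in zone {v['zone']}; "
                            "use Custom so guests start with no access policies")

        gw = ipaddress.ip_interface(v["gateway"])
        lo, hi = (ipaddress.ip_address(a) for a in v["dhcp"])
        if lo > hi or lo not in gw.network or hi not in gw.network:
            findings.append(f"{v['name']}: DHCP range {lo}-{hi} is not inside {gw.network}")
        elif lo <= gw.ip <= hi:
            findings.append(f"{v['name']}: gateway {gw.ip} lies inside the DHCP range")

    nets = [(v["name"], ipaddress.ip_interface(v["gateway"]).network) for v in plan]
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                findings.append(f"{name_a} and {name_b}: subnets {net_a} and {net_b} overlap")
    return findings


def port_config(plan):
    """Tagging the Firebox interface and switch ports need, per steps 2 and 3 above."""
    return {
        "tagged": sorted(v["vid"] for v in plan if v["tagged"]),
        "untagged": [v["vid"] for v in plan if not v["tagged"]],
    }


def broken_plan():
    """A deliberately flawed variant: management VLAN tagged, guest SSID in Trusted."""
    bad = [dict(v) for v in PLAN]
    bad[1]["zone"] = "Trusted"
    bad[2]["tagged"] = True
    return bad


if __name__ == "__main__":
    for label, plan in (("page example", PLAN), ("broken variant", broken_plan())):
        print(label, port_config(plan))
        for finding in lint_plan(plan) or ["ok"]:
            print("  ", finding)
```

Run as a script it prints the port tagging for the page's plan (VLANs 10 and 20 tagged, 30 untagged) with no findings, then the two findings for the broken variant. The checks are independent of Policy Manager or the Web UI; they only describe what the configuration must look like before you enter it.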

Create a VLAN for the Trusted Wireless SSID

Create a VLAN for the Guest Wireless SSID

Create a VLAN for AP Device Management

Add VLANs to a Network Interface (Policy Manager)

If you use Policy Manager, you must add these VLANs to a network interface and select your tagging options.

Add SSIDs to the Gateway Wireless Controller

After you have configured the SSID, you can pair any additional AP devices with the Firebox, and assign this SSID to the radios on each AP device.

See Also

About AP Device Configuration

Configure AP Devices in the Gateway Wireless Controller
