Wireless Device Configuration Options
The features available in WatchGuard System Manager (WSM) can be different for different versions of Fireware. If your Firebox does not run Fireware OS v11.10.x or higher, the content in this Help topic might not apply to your Firebox.
For instructions to complete the procedures in this topic for a Firebox that runs an older version of Fireware, see:
Wireless Device Configuration Options in WatchGuard System Manager v11.9.x Help
Any wireless Firebox can be configured as a wireless access point with more than one security zone. You can enable wireless clients to connect to the wireless Firebox as part of the trusted or optional network. You can also use a custom network to enable a wireless guest services network for your Firebox, or use bridge or VLAN networks in your wireless configuration.
Before you enable the wireless Firebox as a wireless access point, you must look carefully at the wireless users who connect to the device, and then determine the level of access for each type of user.
Wireless Connection Options
You can select from these options for wireless access:
When you configure a wireless interface with the interface type of Trusted, all existing policies in your configuration that allow traffic to or from the Any-Trusted alias also allow traffic to or from wireless clients that connect to the trusted wireless interface. Wireless users will have full Internet access based on the rules you configure for outgoing access on your Firebox.
If you want your wireless users to be on the same network as your wired trusted network, you must use a network bridge between the trusted wireless interface and trusted wired interface.
For detailed instructions, see the Bridge a Firebox wireless interface to the trusted interface article in the knowledge base.
For more information on how to create a network bridge, see Create a Network Bridge Configuration.
When you configure a wireless interface with the interface type of Optional, all existing policies in your configuration that allow traffic to or from the Any-Optional alias also allow traffic to or from wireless clients that connect to the optional wireless interface. Wireless users will have full Internet access based on the rules you configure for outgoing access on your Firebox.
If you want your wireless users to be on the same network as your wired optional network, you must use a network bridge between the wireless interface and the optional wired interface. For more information, see Create a Network Bridge Configuration.
This option enables you to bridge wireless traffic to a trusted or optional network. When you select this option, you cannot filter traffic between the wireless users and the bridge network. When you bridge the wireless network, the wireless users are in the same security zone as other users on the bridge network, and the traffic for these mobile users is handled by the same security policies as traffic for other users on the bridged network. For example, if you bridge the wireless network to a trusted interface, all policies that allow traffic for the trusted interface allow traffic for the users who connect to the wireless network.
In Fireware v11.9 and higher, you can bridge the wireless network only to a LAN bridge. For more information, see Create a Network Bridge Configuration.
For detailed instructions on how to bridge a wireless interface to the trusted interface, see the Bridge a Firebox wireless interface to the trusted interface article in the knowledge base.
You can configure the wireless network as a VLAN interface to connect wireless clients to a configured VLAN within your network. Because most wireless clients are not VLAN-capable, you can configure the VLAN as untagged.
If you do not configure an untagged VLAN for this interface, clients that are not configured to use a selected VLAN cannot use this wireless network. Users can connect to the SSID, but cannot send or receive data.
To learn more about VLAN tagging, see About Virtual Local Area Networks (VLANs).
Computers that connect to the custom network connect through the wireless Firebox to the Internet based on the rules you configure for outgoing access on your Firebox. The custom zone is not part of any default policies. You can use the wireless interface alias in policies that you configure for traffic from wireless clients so they cannot access trusted or optional networks.
For more information, see Enable a Wireless Guest Network.
Before you set up wireless network access, see Before You Begin.
To allow wireless connections on an interface, see Enable Wireless Connections.