Configure VLANs for WatchGuard APs
You can use VLANs and VLAN tagging for SSIDs on your WatchGuard APs. For general information on VLANs and the WatchGuard Firebox, see About Virtual Local Area Networks (VLANs).
If you enable VLAN tagging for SSIDs on a WatchGuard AP, or you enable management communications VLAN tagging for an AP, you must also enable VLANs on the network that the AP connects to. By default, management communications traffic to the AP is untagged, so we recommend that you add an untagged VLAN for management traffic, as described here. If you prefer to use a tagged VLAN for management traffic, make sure that you configure the AP to tag management traffic, and set the communication VLAN ID in the Access Point configuration to the VLAN you want to use for management traffic.
The tagged management communications VLAN is used only after the AP is paired to the Gateway Wireless Controller on a Firebox. An unpaired AP cannot respond to tagged VLAN traffic.
When to Enable VLAN Tagging in SSIDs
There are a couple of reasons you might want to enable VLAN tagging on your AP SSIDs:
To configure different firewall policies for SSIDs that connect to the same network
If you configure multiple SSIDs for your APs and you want to set different firewall policies for each SSID, you can enable VLAN tagging in the SSID and then use the VLAN ID associated with each SSID in policies specific to each SSID. For example, you could add a different HTTP packet filter policy for each SSID that specifies the VLAN associated with that SSID.
To separate the traffic on the same physical network to different logical networks
If you have several APs connected to the same physical network, VLAN tagging gives you the ability to separately examine traffic for the wireless clients connected to each SSID. For example, if you run a network analyzer, you can use the VLAN tags to see the traffic for the VLAN ID associated with an SSID.
Or, you can configure all of your APs with one SSID for the trusted network and a different SSID for a Custom or Optional network, and create a trusted VLAN and a Custom or Optional VLAN to separate the traffic of the wireless clients that connect to each SSID. For the guest SSID, a VLAN in a Custom zone is preferable to one in the Optional zone: untrusted wireless clients placed in the Optional zone could reach other resources on your Optional networks, which is a problem if trusted resources are on those networks.
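The network-analyzer use of VLAN tags described above can be automated. The following is an added example, not WatchGuard code: it builds a few constructed Ethernet frames, parses the 802.1Q header (TPID 0x8100, then a 16-bit TCI whose low 12 bits are the VLAN ID), and audits each frame against the SSID-to-VLAN plan used on this page (VLAN 10 trusted, VLAN 20 guest, AP management untagged). The MAC addresses and payloads are invented; the plan dictionary is an assumption you would replace with your own. It also flags two cases a plain per-VLAN count would hide: a double-tagged frame (a guest client trying to reach another VLAN with a stacked tag, or a QinQ misconfiguration) and a priority-tagged frame with VID 0, which switches forward as untagged.

```python
import struct
from collections import Counter

TPID_8021Q = 0x8100
ETH_IPV4 = 0x0800

# Assumed SSID-to-VLAN plan, matching the example on this page (not read from a real AP).
# AP management traffic is untagged, so it is expected to arrive with no 802.1Q tag.
SSID_VLANS = {10: "Trusted-WiFi", 20: "Guest-WiFi"}


def build_frame(dst, src, payload, vlans=(), ethertype=ETH_IPV4, pcp=0):
    """Build an Ethernet frame with zero or more stacked 802.1Q tags (outer tag first)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vlans:
        tci = (pcp << 13) | (vid & 0x0FFF)          # PCP(3) | DEI(1) | VID(12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    hdr += struct.pack("!H", ethertype)
    return hdr + payload


def parse_frame(frame):
    """Return (src_mac, vlan_stack, ethertype); vlan_stack is [] for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    src = frame[6:12].hex(":")
    off, vlans = 12, []
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", frame, off)
        off += 2
        if etype != TPID_8021Q:
            return src, vlans, etype
        if len(frame) < off + 2:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, off)
        off += 2
        vlans.append(tci & 0x0FFF)


def audit(frames, plan=SSID_VLANS):
    """Count frames per outer VLAN and return (counts, findings) for frames outside the plan."""
    counts, findings = Counter(), []
    for i, frame in enumerate(frames):
        src, vlans, _ = parse_frame(frame)
        if not vlans:
            counts["untagged"] += 1          # expected only for AP management traffic
            continue
        outer = vlans[0]
        counts[outer] += 1
        if len(vlans) > 1:
            findings.append((i, src, f"double-tagged frame {vlans}: possible VLAN hopping or QinQ misconfiguration"))
        if outer == 0:
            findings.append((i, src, "priority-tagged frame (VID 0): switches forward it as untagged"))
        elif outer not in plan:
            findings.append((i, src, f"VLAN {outer} is not assigned to any SSID"))
    return counts, findings


# Constructed sample capture (invented MACs, minimal IPv4-looking payload).
AP_MAC = "00:90:7f:00:00:01"
CLIENT_A = "02:00:00:00:00:0a"
CLIENT_B = "02:00:00:00:00:0b"
FIREBOX = "00:90:7f:ff:ff:fe"
PAYLOAD = b"\x45" + b"\x00" * 19

SAMPLE_FRAMES = [
    build_frame(FIREBOX, AP_MAC, PAYLOAD),                     # AP management, untagged
    build_frame(FIREBOX, CLIENT_A, PAYLOAD, vlans=(10,)),      # trusted SSID client
    build_frame(FIREBOX, CLIENT_B, PAYLOAD, vlans=(20,)),      # guest SSID client
    build_frame(FIREBOX, CLIENT_B, PAYLOAD, vlans=(20, 10)),   # guest client stacking a tag toward VLAN 10
    build_frame(FIREBOX, CLIENT_A, PAYLOAD, vlans=(99,)),      # VLAN ID not in the plan
]

if __name__ == "__main__":
    counts, findings = audit(SAMPLE_FRAMES)
    for vlan, n in sorted(counts.items(), key=str):
        print(f"VLAN {vlan}: {n} frame(s)")
    for idx, src, msg in findings:
        print(f"frame {idx} from {src}: {msg}")
```

To run this against a real capture, feed `audit()` the raw frames from a pcap taken on the switch port facing the AP (any pcap reader that yields link-layer bytes will do); the untagged count should consist of AP management traffic only.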
Configure VLANs on the Firebox
To enable VLAN tagging in your AP SSIDs, you must configure VLANs on the Firebox interface where you plan to connect your APs.
For the Firebox interface where you plan to connect your AP, set the Interface Type to VLAN. Then, configure the VLANs to use for the AP.
- Configure the VLANs that each SSID uses to send tagged traffic to the VLAN interface.
- Configure a VLAN that the AP management connection uses to send untagged traffic to the VLAN interface.
- Enable DHCP server or DHCP relay on each VLAN.
- The AP gets an IP address from the DHCP server on the VLAN used for management communications.
- Wireless clients that connect to an SSID get an IP address from the DHCP server on the VLAN for that SSID.
If you configure an AP that exists on multiple VLANs, the AP will request a DHCP IP address on each VLAN.
For example, if you want to create two SSIDs that use VLAN tags, you can create three VLANs with the VLAN IDs 10, 20, and 30.
- VLAN ID 10, in the Trusted zone — For the SSID for wireless connections to the trusted network
- VLAN ID 20, in a Custom or Optional zone — For the SSID for wireless guest access to the Internet. A Custom zone is preferable, because it keeps guest clients separate from any other networks in your Optional zone.
- VLAN ID 30, in the Trusted zone — For management communications to the AP
For information about how to create a VLAN, see Define a New VLAN.
After you create the VLANs, you configure the Firebox interface that your APs connect to as a VLAN interface.
To configure the interface the APs connect to, from Policy Manager:
- Edit the interface your APs connect to.
- From the Interface Type drop-down list, select VLAN.
- Configure the interface to send and receive tagged traffic for each of the VLANs for your SSIDs.
- Configure the interface to send and receive untagged traffic for the VLAN for management communications to the AP.
For more information about how to configure the VLAN interface, see Assign Interfaces to a VLAN.
Change a Trusted or Optional Interface to a VLAN Interface
In some cases, you may want to change your primary Trusted or Optional wired network interface to a VLAN interface to accommodate your wireless VLAN configuration.
For example, you may have originally configured your wireless APs so that they are on a Trusted wireless interface that is on a different subnet than your Trusted wired network interface. This means that your wireless clients cannot connect to devices such as servers or printers on your Trusted wired LAN.
You can change your Trusted or Optional wired network interface to a VLAN interface, assign that VLAN as untagged on the existing wired network, and then assign the same VLAN as tagged on your wireless VLAN interface. A VLAN-capable switch is required, or the wireless access points must be connected directly to the Firebox.
We recommend that you use Policy Manager for this task. The Fireware Web UI connects through the Trusted interface you are changing, so that management connection is interrupted during the procedure.
To change your Trusted or Optional interface to a VLAN interface in Policy Manager:
1. Connect to the Firebox device with WatchGuard System Manager.
2. Open Policy Manager.
3. Go to Network > Configuration and select the Trusted or Optional interface you want to change to a VLAN.
4. Copy down all of the settings for this interface, including the IP address, DHCP settings, and the settings in the IPv6, Secondary, MAC Access Control, and Advanced tabs.
5. From the Interface Type drop-down list, select VLAN, then click OK.
6. Select the Send and receive tagged traffic for selected VLANs check box.
7. Click New VLAN.
8. Configure the new VLAN interface identically to the original Trusted or Optional interface, with the same IP address and the other settings you noted in step 4.
   a. Type a Name or Alias for the new VLAN.
   b. (Optional) In the Description text box, type a description of the VLAN.
   c. From the Security Zone list, select the zone of the original interface (Trusted or Optional).
   d. Type the IP address in slash notation for the VLAN to use. Make sure the settings are identical to those of the original Trusted or Optional interface.
   e. Configure the DHCP settings for IP address distribution for the VLAN.
   f. Click OK to save the VLAN interface configuration.
9. (Optional) If you plan to use tagged VLANs on this interface, select the Member check box for the wireless VLANs and any other VLANs you want to use on this interface.
   If you do not have any tagged VLANs, you can skip this step.
10. Click OK to save the interface configuration.
Configure VLANs on a Managed Switch
If you enable VLAN tagging and want to connect your AP to a managed switch, you must also configure VLANs on the switch. The switch must support 802.1Q VLAN tagging.
On the switch, you must:
- Add VLANs with the same IDs as the VLANs you configured on the Firebox.
- Configure the switch interfaces that connect to the Firebox and the AP to send and receive tagged traffic for the VLANs assigned to each SSID.
- Configure the switch interfaces that connect to the Firebox and the AP to send and receive tagged or untagged traffic for AP management, to match the AP configuration:
- If management communications VLAN tagging is not enabled in the AP configuration, configure the switch to send and receive untagged traffic for the VLAN you use for AP management.
- If management communications VLAN tagging is enabled for the AP, configure the switch to send and receive tagged traffic for the VLAN you use for AP management.
For instructions to enable and configure the VLANs on your switch, see the documentation for your switch.
If you have enabled VLAN tagging in the SSIDs on your AP, do not connect your AP to a switch that does not support 802.1Q VLAN tagging.
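The rules in this section and in Configure VLANs on the Firebox above can be checked mechanically before you plug the AP in. The following is an added example, not WatchGuard or switch-vendor code: it parses a constructed, IOS-style running-config excerpt (the `vlan`, `switchport mode trunk`, `switchport trunk native vlan` and `switchport trunk allowed vlan` forms; the assumption that your switch uses this syntax is the author's, and the port names and descriptions are invented) and verifies, for the Firebox uplink and the AP port, that every SSID VLAN is carried tagged and that the management VLAN is carried untagged (as the native VLAN) when the AP does not tag management traffic, or tagged when it does. The VLAN IDs 10, 20 and 30 are the ones from the example plan on this page.

```python
import re

# Assumed Firebox-side plan, using the example VLAN IDs from this page.
FIREBOX_VLANS = {10: "Trusted-WiFi", 20: "Guest-WiFi", 30: "AP-Mgmt"}
SSID_VLANS = {10, 20}
MGMT_VLAN = 30
AP_MGMT_TAGGED = False   # the AP default described on this page: management traffic is untagged

# Constructed IOS-style excerpt for a hypothetical switch. The AP port below is deliberately
# wrong: its native VLAN is 1 and VLAN 30 is not allowed, so untagged AP management traffic
# never reaches the Firebox's VLAN 30.
SWITCH_CONFIG = """
vlan 10
 name Trusted-WiFi
vlan 20
 name Guest-WiFi
vlan 30
 name AP-Mgmt
!
interface GigabitEthernet1/0/1
 description uplink-to-Firebox
 switchport mode trunk
 switchport trunk native vlan 30
 switchport trunk allowed vlan 10,20,30
!
interface GigabitEthernet1/0/2
 description WatchGuard-AP
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 10,20
!
"""


def expand_vlan_list(spec):
    """Expand '10,20-22,30' into {10, 20, 21, 22, 30}."""
    out = set()
    for part in spec.split(","):
        a, _, b = part.partition("-")
        out.update(range(int(a), int(b or a) + 1))
    return out


def parse_ios(config):
    """Return (declared_vlan_ids, {port_name: settings}) from an IOS-style config."""
    vlans, ports, cur = set(), {}, None
    for line in config.splitlines():
        if line.strip() == "!":
            cur = None
            continue
        m = re.match(r"^vlan (\d+)$", line)
        if m:
            vlans.add(int(m.group(1)))
            cur = None
            continue
        m = re.match(r"^interface (\S+)$", line)
        if m:
            # IOS defaults: access port in VLAN 1, native VLAN 1, all VLANs allowed on a trunk
            cur = ports.setdefault(m.group(1), {"mode": "access", "native": 1, "allowed": None, "access": 1})
            continue
        if cur is None or not line.startswith(" "):
            continue
        s = line.strip()
        if s.startswith("switchport mode "):
            cur["mode"] = s.split()[-1]
        elif s.startswith("switchport trunk native vlan "):
            cur["native"] = int(s.split()[-1])
        elif s.startswith("switchport trunk allowed vlan "):
            cur["allowed"] = expand_vlan_list(s.split()[-1])
        elif s.startswith("switchport access vlan "):
            cur["access"] = int(s.split()[-1])
    return vlans, ports


def port_vlans(p):
    """Return (tagged, untagged) VLAN sets for a parsed port under 802.1Q trunk/access semantics."""
    if p["mode"] != "trunk":
        return set(), {p["access"]}
    allowed = p["allowed"] if p["allowed"] is not None else set(range(1, 4095))
    untagged = {p["native"]} if p["native"] in allowed else set()
    return allowed - untagged, untagged


def check_port(name, p, ssid_vlans=SSID_VLANS, mgmt=MGMT_VLAN, mgmt_tagged=AP_MGMT_TAGGED):
    """Apply this page's rules to one port that sits between the Firebox and an AP."""
    tagged, untagged = port_vlans(p)
    problems = [f"{name}: SSID VLAN {v} must be carried tagged" for v in sorted(ssid_vlans) if v not in tagged]
    if mgmt_tagged and mgmt not in tagged:
        problems.append(f"{name}: AP management VLAN {mgmt} must be carried tagged (AP tags management traffic)")
    if not mgmt_tagged and mgmt not in untagged:
        problems.append(f"{name}: AP management VLAN {mgmt} must be untagged (native) because the AP does not tag management traffic")
    return problems


def check_switch(config, firebox_vlans=FIREBOX_VLANS, ports_to_check=None):
    """Return a list of findings; empty means the switch matches the Firebox VLAN plan."""
    declared, ports = parse_ios(config)
    problems = [f"VLAN {v} ({n}) is defined on the Firebox but not on the switch"
                for v, n in firebox_vlans.items() if v not in declared]
    for name in ports_to_check or sorted(ports):
        if name not in ports:
            problems.append(f"{name}: not found in switch config")
            continue
        problems += check_port(name, ports[name])
    return problems


if __name__ == "__main__":
    for finding in check_switch(SWITCH_CONFIG) or ["switch configuration matches the Firebox VLAN plan"]:
        print(finding)
```

If you enable management VLAN tagging on the AP instead, set `AP_MGMT_TAGGED = True` and the check flips: the management VLAN must then appear in the allowed list as a tagged VLAN rather than as the native VLAN.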