Advanced Settings for a Private Network

Applies To: Wi-Fi Cloud-managed Access Points (AP120, AP125, AP225W, AP320, AP322, AP325, AP327X, AP420)

To configure advanced settings for a private wireless network:

  1. Select a private Wi-Fi network or add a new private Wi-Fi network.
  2. Click Advanced.

WatchGuard Go Advanced Settings for Private Network

  3. Enable or disable DHCP for the wireless network SSID.

When enabled, APs on the network SSID provide private DHCP addresses from a local NAT pool to connecting clients. We recommend you do not enable DHCP so that connecting wireless clients use your network DHCP server.

These configuration settings are applied to the SSID Profile when DHCP is enabled:

  • The SSID Profile selects a random /24 network from a private address range for IP address allocation. For example,
  • The server is configured as a DNS server by DHCP on the AP.
  4. Enable or disable Content Filtering for the wireless network. The Content Filtering option is only visible when DHCP is enabled in Go.

If you enable Content Filtering, select a security policy to block content for the wireless network. These policies use Neustar UltraRecursive DNS servers to protect traffic. Neustar UltraRecursive DNS content filtering is intended for use by small deployments. For large enterprise deployments, you must subscribe to Neustar UltraRecursive DNS Enterprise services.

The Neustar DNS server addresses are and

  • Security — Block malware, phishing, and scam sites.
  • Pornography — Block sites that contain sexually explicit material.
  • Other — Block sites that feature the following: mature content, abortion, alcohol, crime, drugs, file sharing, gambling, hate, suicide, tobacco, or violence.
  • Custom — Select Custom to use custom DNS server IP addresses. For example, you can use these WatchGuard DNSWatch servers. For more information, see Configure Wi-Fi Cloud content filtering to use WatchGuard DNSWatch.
      • North America (US East) —,
      • EU (Ireland) —,
      • APAC (Japan) —,
      • APAC (Sydney) —,

WatchGuard DNSWatch is only able to filter known malicious domains such as phishing sites, and does not filter other objectionable content.

These rules with the selected DNS server IP addresses are added to the Firewall settings of the SSID when Content Filtering is enabled:

  • Allow Selected DNS UDP (for the specified hosts)
  • Allow Selected DNS TCP (for the specified hosts)
  • Disallow Other DNS UDP
  • Disallow Other DNS TCP
  5. To create a schedule for the wireless network, in the WiFi Network Scheduling section, click Edit.
  • In the Validity drop-down list, select Now to Forever or Select Dates.
  • Select the Custom Time Slot check box to customize the time schedule.
  • When finished, click Set Schedule.

WatchGuard Go Network Schedule settings

  6. Click Save.
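
To confirm that the four firewall rules listed above for Content Filtering are in effect, a check like the following can be run from a client connected to the SSID. It is an added example, not WatchGuard code: the function names are illustrative, it assumes the rules apply to DNS on port 53, and the resolver addresses are constructed placeholders from documentation ranges that must be replaced with the DNS servers selected for the SSID.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    """Build a minimal DNS A-record query in RFC 1035 wire format."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def is_reply(query, data):
    """True if data is a DNS response (QR bit set) carrying the query's ID."""
    return len(data) >= 12 and data[:2] == query[:2] and bool(data[2] & 0x80)

def udp_probe(server, query, timeout=2.0):
    """Send the query over UDP; assumes the SSID rules filter port 53."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, 53))
            return is_reply(query, s.recvfrom(512)[0])
        except OSError:  # timeout or socket error: treated as blocked
            return False

def tcp_probe(server, query, timeout=2.0):
    """Send the query over TCP with the 2-byte length prefix DNS-over-TCP uses."""
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack(">H", len(query)) + query)
            return is_reply(query, s.recv(514)[2:])
    except OSError:
        return False

PROBES = {"UDP": udp_probe, "TCP": tcp_probe}

def audit(selected, others, probes=PROBES, name="example.com"):
    """List every place where observed behaviour differs from the four rules."""
    query, findings = build_query(name), []
    for proto, probe in probes.items():
        for server in selected:   # "Allow Selected DNS": must answer
            if not probe(server, query):
                findings.append(f"{proto}: selected resolver {server} unreachable")
        for server in others:     # "Disallow Other DNS": must not answer
            if probe(server, query):
                findings.append(f"{proto}: non-selected resolver {server} answered")
    return findings

if __name__ == "__main__":
    # Constructed placeholders (documentation ranges); use the SSID's real values.
    print("\n".join(audit(["192.0.2.53"], ["198.51.100.53"]) or ["rules behave as listed"]))
```

An empty result means both the Allow Selected and Disallow Other rules behaved as listed for UDP and TCP; any line returned names the protocol and resolver where they did not.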