Network Settings

You can configure the VLAN and DHCP settings used by an SSID profile in the Network section.

A bridged network is used when the AP and the clients associating with the AP are in the same subnet.

Similarly, Network Address Translation (NAT) must be used when you want to have the clients in a separate subnet and the AP is in a separate subnet. With NAT, the clients can have a private IP address pool.


You can map your wireless network SSID to a VLAN mapping on your network. A Virtual Local Area Network (VLAN) enables you to logically organize separate virtual networks within your physical network regardless of the location of your clients. Clients on a VLAN communicate as if they are on the same physical network. VLANs use an ID to identify the VLAN on the network. VLANs can be tagged (VLAN information is tagged within the Ethernet frame for communication with a VLAN-enabled switch), or untagged (no VLAN information sent). You can assign a VLAN ID from 0 to 4094 for each SSID. There is no theoretical limit to the number of SSIDs you can create, however, you can only assign a maximum of 8 SSIDs per radio on an AP.

The default VLAN ID is 0. To map to an untagged VLAN on your switch port, use the default value of 0 for the VLAN ID, regardless of the VLAN ID assigned to the untagged VLAN on the switch. Otherwise, type a VLAN ID from 1-4094.

You can also use Dynamic VLANs with Wi-Fi Cloud. A Dynamic VLAN automatically manages VLAN port configuration based on the client's MAC address and authentication to the network, and enables you to use multiple VLANs with a single SSID. Wi-Fi Cloud supports 32 Dynamic VLANs per SSID and up to 4 SSIDs with Dynamic VLANs per AP. This provides a total of up to 128 Dynamic VLANs per device template configuration for an AP. There is no theoretical limit to the number of device templates you can create. For more information on how to configure Dynamic VLANs in a device template, see Dynamic VLAN Assignment in Wi-Fi Cloud.

Wired LAN Extension with Second Ethernet Port on AP

You can extend a wireless LAN with NAT enabled to the wired network using an additional LAN port on an AP. You must create an isolated wired LAN with one or more wired devices connected through Layer 2 switches and connect the additional LAN port of the AP to this wired subnet.

The wired LAN extends the wireless LAN of this SSID profile. All network settings including NAT settings and any portals configured on this SSID profile are also applicable to the wired devices.

To enable a wired extension of the SSID, select the Enable Wired Extension check box when you configure NAT on the SSID.

Configure NAT Settings

When you configure NAT parameters, you must specify at least one DNS server. After a client associates successfully, the client receives the specified DNS services. You can specify up to three DNS server IP addresses.

Generic Routing Encapsulation (GRE) is useful when you want to route network traffic from and to a single end point and apply policies on this end point.

GRE is available only when NAT is enabled.

To configure network address translation settings:

  1. Specify the VLAN ID to configure NAT settings.
  2. To enable NAT, select the NAT option.
  3. Specify the NAT settings:




Select this check box to enable NAT (network address translation). Enable NAT if you want to enable a wired extension.

Start IP address

The starting IP address of the DHCP address pool in the selected network ID.

End IP address

The end IP address of the DHCP address pool in the selected network ID.

Local IP address

An IP address in the selected network ID outside of the DHCP address pool. This address is used as the gateway address for the guest wireless network.

Subnet Mask

The net mask for the selected network ID.

Lease Time

The DHCP lease time in minutes. Minimum value is 30 minutes. Maximum value is 1440 minutes.

DNS Servers

The DNS servers that the wireless clients can make DNS queries to. You can specify up to three DNS servers.

Enable Wired Extension

Extends this wireless LAN to the wired network using an additional LAN port on the AP.

  1. Select the GRE check box if you want to enable Generic Routing Encapsulation (GRE).

Configure these settings for Generic Routing Encapsulation.




Enable Generic Routing Encapsulation (GRE).

Tunnel IP Address

IP address of the GRE tunnel interface on the access point. This IP address should not conflict with any other network setting in the AP.

Remote Endpoint IP Address

IP address of the remote endpoint of the GRE tunnel.


The key in the GRE header. If configured, the key should be same at both ends of the tunnel. This key is optional.

Exempted Host/Network List

List of comma separated network or IP addresses that are exempted from using the GRE tunnel.

  1. Click Save.

Enable/Disable DHCP Option 82

DHCP Option 82 is used in distributed DHCP server environments where an AP inserts additional information to identify the client point of attachment. The circuit ID represents the client point of attachment.

DHCP Option 82 is available for a bridged SSID only.

When DHCP option 82 is enabled and the AP receives DHCP packets from the client, the AP appends a circuit ID to the DHCP packets from the client. It then forwards this DHCP request to the DHCP server. Based on the circuit ID in the DHCP request, the DHCP server makes a decision on the IP pool from which to assign an IP address to the client. When DHCP assigns the IP address and passes it to the AP, the AP passes it on to the client after it strips the circuit ID.

To enable DHCP Option 82 in an SSID profile:

  1. Expand the Network section.
  2. Select the Bridged option.
  3. Select the DHCP Option 82 check box.
  4. Type the Circuit ID.
    You can use one or more special format specifiers: %s, %m, %l and/or %n.
    The AP replaces %s with the SSID.
    The AP replaces %m with the AP MAC address.
    The AP replaces %l  with the location tag configured for the location to which the AP is assigned. The location tag can be configured on the Configuration > System Settings > Location Specific Attributes page.
    The AP replaces %n with the device name.
  5. Click Save.

Configure Inter AP Coordination

APs periodically broadcast data to other APs through inter-AP coordination for fast handover and seamless roaming of clients across APs in the same subnet or APs at the same location. This data is also shared from the parent location to child locations.

Broadcasts can occur through the Manage service or Layer 2 broadcast. Layer 2 broadcast occurs on the SSID VLAN. If Layer 2 GRE is enabled, it occurs on the communication VLAN.

To configure inter-AP coordination:

  1. Expand the Network section in an SSID profile.
  2. In the Inter AP Coordination section, select L2 Broadcast or Manage Server.
  3. Click Save.

Remote Bridging

To channel all wireless traffic to a remote endpoint or gateway through a tunnel, you must enable remote bridging. The remote endpoint or gateway aggregates wireless frames from different APs and forwards them to the appropriate network.

You must configure a network interface profile before you enable remote bridging so that you can assign the network interface profile to the SSID profile. When you enable remote bridging and assign a network interface profile to the SSID profile, the wireless traffic from the AP is bridged to the remote endpoint configured in the network interface profile. The traffic is rerouted to the appropriate network from this remote endpoint.

When you disable remote bridging, the AP stops diverting the wireless traffic to the remote endpoint configured in the network interface profile that was selected when remote bridging was enabled.

You cannot enable Remote bridging with NAT enabled.

To enable remote bridging:

  1. Expand the Network section in an SSID profile.
  2. Select the Bridged option.
  3. Select the Remote Bridging check box.
  4. From the Network Interface Profile drop-down list, select a network interface profile.
  5. Select the Use tunneling for inter AP co-ordination check box to allow the transmission of inter-AP coordination packets through an EoGRE tunnel when remote bridging is enabled.

Broadcast of certain information from one AP to other APs through inter-AP coordination is required for fast handoff and seamless roaming of clients across APs in the same subnet or APs at the same location.

  1. Click Save.

Proxy ARP and NDP

When this settings is enabled, WatchGuard APs filter downstream ARP (IPv4) and NDP (IPv6) packets and also respond as appropriate on behalf of wireless clients to conserve wireless bandwidth.

This setting cannot be disabled if Disable DGAF is enabled in your Hotspot 2.0 settings.