This article describes how to set up a guest network in a WLAN controller by means of VLAN.
Even though we are using VLAN, there is no need to activate the VLAN module of the WLAN controller, nor is it necessary to assign a VLAN ID to the management network. Active tagging is implemented by the access points and switches.
If the Public Spot is operated, the WLAN controller must be the gateway in the Public Spot network. In this case, scenario 2 has to be used.
1) An upstream router is operated in the guest network:
In addition to an internal WLAN, an additional WLAN is to be created for guests.
The internal WLAN should use VLAN 1 and the guest network should use VLAN 2.
The WLAN controller merely distributes the WLAN configuration to the access points, but is not itself located in the guest network and it does not provide any services there (e.g. DHCP or DNS).
The separation of the management network and guest network must be performed on the upstream router.
2) The WLAN controller acts as a gateway in the guest network:
In addition to an internal WLAN, an additional WLAN is to be created for guests.
The internal WLAN should use VLAN 1 and the guest network should use VLAN 2.
The WLAN controller distributes the WLAN configuration to the access points and is also located in the guest network. In the guest network, it acts as a gateway as well as the DHCP and DNS servers.
The separation of the management network and guest network must be performed on the WLAN controller.
The guest network should not be set up on the upstream router: Otherwise the IP address of the router could be manually assigned to a client as the default gateway, which would bypass the WLAN controller! This is especially important when operating the Public Spot.
1) An upstream gateway is operated in the guest network:
1.1) Open the configuration of the WLAN controller in LANconfig and navigate to the menu WLAN controller → Profiles → Logical WLAN networks (SSIDs).
1.2) Create a new profile for the internal WLAN and enter the following parameters:
Name: Enter a descriptive name.
Network name (SSID): Give the SSID a name, which is displayed to the wireless devices.
Connect SSID to: Leave the setting LAN at AP.
VLAN mode: Leave the setting Untagged. This means that VLAN 1 is used implicitly.
Encryption: Leave the setting 802.11i (WPA)-PSK.
Key 1/passphrase: Set a WPA key for the WLAN.
The WPA key must be at least 8 characters long.
1.3) Create a further profile for the guest network and enter the following parameters:
Name: Enter a descriptive name.
Network name (SSID): Give the SSID a name, which is displayed to the wireless devices.
Connect SSID to: Leave the setting LAN at AP.
VLAN mode: From the drop-down menu, select Untagged.
VLAN-ID: Enter the VLAN ID 2 here.
Encryption: Leave the setting 802.11i (WPA)-PSK.
Key 1/passphrase: Set a WPA key for the WLAN.
The WPA key must be at least 8 characters long.
1.4) Navigate to the menu WLAN controller → Profiles → Physical WLAN parameters.
1.5) Create a new entry and enter the following parameters:
Name: Enter a descriptive name.
Auto. channel selection: Set a fixed channel pattern for the 2.4-GHz band (e.g. 1, 6, 11).
Set a checkmark for VLAN module of the managed access points activated.
The channel pattern 1, 6, 11 may not necessarily be the optimum. Depending on the environmental conditions, another channel pattern (such as 1, 5, 9, 13) may make more sense.
1.6) Navigate to the menu WLAN controller → Profiles → WLAN profiles.
1.7) Create a new entry and enter the following parameters:
Profile name: Enter a descriptive name.
WLAN network list: Select the Logical WLAN networks (SSIDs) that you created in steps 1.2 and 1.3.
Physic. WLAN parameters: Using the drop-down menu, select the physical WLAN parameters created in step 1.5.
1.8) You can now write the configuration back to the device. This concludes the configuration steps on the WLAN controller.
2) The WLAN controller acts as a gateway in the guest network:
The basic configuration of scenario 2 is done the same way as for scenario 1. However, scenario 2 requires some additional settings to be made.
2.1) Creating a guest network and activating the DHCP server:
2.1.1) Switch to the menu IPv4 → General → IP networks.
2.1.2) Create a new entry for the Guest Network and enter the following parameters:
Network name: Enter a descriptive name.
IP address: Enter an IP address from the IP address range intended for the guest network.
Netmask: Enter the subnet mask intended for the guest network.
VLAN-ID: Enter the VLAN ID 2 intended for the guest network.
2.1.3) Switch to the menu IPv4 → DHCPv4 → DHCP networks.
2.1.4) Create a new entry for the Guest Network and enter the following parameters:
Network name: From the drop-down menu, select the guest network created in step 2.1.2.
DHCP server enabled: Select Yes from the drop-down menu.
You can restrict the address range by setting the first address, last address, netmask, broadcast and the default gateway. If these items are left empty, the device calculates the parameters automatically based on the entries under IP networks.
2.2) Use the firewall to block communication from the guest network to the internal network and allow DNS requests from the guest network:
2.2.1) Navigate to the menu Firewall/QoS → IPv4 rules → Rules.
2.2.2) Create a new rule and, on the General tab, give it a descriptive name.
2.2.3) Change to the Actions tab and make sure that the action object REJECT is in place.
2.2.4) Change to the Stations tab, choose connections from the following stations and click Add → Add custom station.
2.2.5) From the drop-down menu for the Network name, select the Guest Network.
2.2.6) Set the Connection destination to the item connections to the following stations and click Add
The object LOCALNET contains all local networks, including the INTRANET.
Instead of the object LOCALNET, you can also select the INTRANET itself.
2.2.7) Click OK to create the firewall rule.
2.2.8) Select the firewall rule created in steps 2.2.2 - 2.2.7 and click on Copy to create an additional firewall rule, which allows DNS requests from the guest network.
2.2.9) On the General tab, adjust the Name of the rule accordingly.
2.2.10) Switch to the Actions tab, delete the object REJECT and add the object ACCEPT instead.
2.2.11) Navigate to the Services tab. Under Protocols/target services select the item the following protocols/target services and click Add.
2.2.12) Select the protocol DNS.
2.2.13) You can now write the configuration back to the device. This concludes the configuration steps on the WLAN controller.
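The following added example (not part of the original article and not LANCOM code) models the two firewall rules from steps 2.2.2 to 2.2.12 and evaluates constructed sample flows against them, once with the DNS rule matched first and once with the REJECT rule matched first. The IP ranges, rule names and first-match evaluation are assumptions made for illustration; the article does not describe how the device orders rules.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for illustration (assumptions, not from the article).
INTRANET = ipaddress.ip_network("192.168.10.0/24")   # VLAN 1
GUEST = ipaddress.ip_network("192.168.20.0/24")      # VLAN 2, controller at .1
LOCALNET = (INTRANET, GUEST)   # all local networks, including INTRANET
DNS = (("udp", 53), ("tcp", 53))

@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    src: tuple
    dst: tuple
    services: tuple = ()   # empty tuple means "all services"

    def matches(self, src, dst, proto, port):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        return (any(s in n for n in self.src) and any(d in n for n in self.dst)
                and (not self.services or (proto, port) in self.services))

# Hypothetical rule names; stations and actions follow steps 2.2.2 - 2.2.12.
REJECT_RULE = Rule("GUEST-REJECT", "REJECT", (GUEST,), LOCALNET)
DNS_RULE = Rule("GUEST-DNS", "ACCEPT", (GUEST,), LOCALNET, DNS)

# Constructed test flows from one guest client.
FLOWS = {
    "dns_to_controller": ("192.168.20.50", "192.168.20.1", "udp", 53),
    "smb_to_intranet": ("192.168.20.50", "192.168.10.5", "tcp", 445),
    "dns_to_intranet": ("192.168.20.50", "192.168.10.5", "udp", 53),
    "https_to_internet": ("192.168.20.50", "203.0.113.10", "tcp", 443),
}

def decide(rules, flow):
    """Return the action of the first matching rule, or NO-MATCH."""
    return next((r.action for r in rules if r.matches(*flow)), "NO-MATCH")

def evaluate(rules):
    """Evaluate every constructed flow against an ordered rule list."""
    return {name: decide(rules, flow) for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for order in ([DNS_RULE, REJECT_RULE], [REJECT_RULE, DNS_RULE]):
        print([r.name for r in order], evaluate(order))
```

In this model the copied DNS rule keeps the destination of the rule it was copied from, so it also accepts DNS requests to hosts in the INTRANET, not only to the WLAN controller. Traffic to destinations outside LOCALNET matches neither rule.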