Description:
This article describes how to set up a guest network in a WLAN controller by means of VLAN.

Even though we are using VLAN, there is no need to activate the VLAN module of the WLAN controller, nor is it necessary to assign a VLAN ID to the management network. Active tagging is implemented by the access points and switches.


Requirements:





Scenario:

If the Public Spot is operated, the WLAN controller must be the gateway in the Public Spot network. In this case, scenario 2 has to be used.


1) An upstream router is operated in the guest network:

  • In addition to an internal WLAN, an additional WLAN is to be created for guests.
  • The internal WLAN should use VLAN 1 and the guest network should use VLAN 2.
  • The WLAN controller merely distributes the WLAN configuration to the access points, but is not itself located in the guest network and it does not provide any services there (e.g. DHCP or DNS).
  • The separation of the management network and guest network must be performed on the upstream router.




2) The WLAN controller acts as a gateway in the guest network:
      • In addition to an internal WLAN, an additional WLAN is to be created for guests.
      • The internal WLAN should use VLAN 1 and the guest network should use VLAN 2.
      • The WLAN controller distributes the WLAN configuration to the access points and is also located in the guest network. In the guest network, it acts as a gateway as well as the DHCP and DNS servers.
      • The separation of the management network and guest network must be performed on the WLAN controller.

The guest network should not be set up on the upstream router: Otherwise the IP address of the router could be manually assigned to a client as the default gateway, which would bypass the WLAN controller! This is especially important when operating the Public Spot.




Procedure:
1) An upstream gateway is operated in the guest network:
1.1) Open the configuration of the WLAN controller in LANconfig and navigate to the menu WLAN controller → Profiles → Logical WLAN networks (SSIDs).
1.2) Create a new profile for the internal WLAN and enter the following parameters:
  • Name: Enter a descriptive name.
  • Network name (SSID): Give a name to the SSID, which is displayed to the wireless devices.
  • Connect to SSID: Leave the setting LAN at AP.
  • VLAN mode: Leave the setting Untagged. This means that VLAN 1 is used implicitly.
  • Encryption: Leave the setting 802.11i (WPA)-PSK.
  • Key 1/passphrase: Set a WPA key for the WLAN.

The WPA key must be at least 8 characters long.

1.3) Create a further profile for the guest network and enter the following parameters:
  • Name: Enter a descriptive name.
  • Network name (SSID): Give a name to the SSID, which is displayed to the wireless devices.
  • Connect SSID to: Leave the setting LAN at AP.
  • VLAN mode: From the drop-down menu, select Tagged.
  • VLAN-ID: Enter the VLAN ID 2 here.
  • Encryption: Leave the setting 802.11i (WPA)-PSK.
  • Key 1/passphrase: Set a WPA key for the WLAN.

The WPA key must be at least 8 characters long.

1.4) Navigate to the menu WLAN controller → Profiles → Physical WLAN parameters.

1.5) Create a new entry and enter the following parameters:
  • Name: Enter a descriptive name.
  • Auto. channel selection: Set a fixed channel pattern for the 2.4-Ghz band (e.g. 1, 6, 11).
  • Set a checkmark for VLAN module of the managed access points activated.

The channel pattern 1, 6, 11 may not necessarily be the optimum. Depending on the environmental conditions, another channel pattern (such as 1, 5, 9, 13) may make more sense.

1.6) Navigate to the menu WLAN controller → Profiles → WLAN profiles.
1.7) Create a new entry and enter the following parameters:
  • Profile name: Enter a descriptive name.
  • WLAN network list: Select the Logical WLAN networks (SSIDs) that you created in steps 1.2 and 1.3.
  • Physic. WLAN parameters: Using the drop-down menu, select the physical WLAN parameters created in step 1.5.
1.8) You can now write the configuration back to the device. This concludes the configuration steps on the WLAN controller.


2) The WLAN controller acts as a gateway in the guest network:
The basic configuration of scenario 2 is done the same way as for scenario 1. However, scenario 2 requires some additional settings to be made.

2.1) Creating a guest network and activating the DHCP server:
2.1.1) Switch to the menu IPv4 → General → IP networks.
2.1.2) Create a new entry for the Guest Network and enter the following parameters:
  • Network name: Enter a descriptive name.
  • IP address: Enter an IP address from the IP address range intended for the guest network.
  • Netmask: Enter the subnet mask intended for the guest network.
  • VLAN-ID: Enter the VLAN ID 2 intended for the guest network.
2.1.3) Switch to the menu IPv4 → DHCPv4 → DHCP networks.
2.1.4) Create a new entry for the Guest Network and enter the following parameters:
      • Network name: From the drop-down menu, select the guest network created in step 2.1.2.
      • DHCP server enabled: Select Yes from the drop-down menu.

You can restrict the address range by setting the first address, last address, netmask, broadcast and the default gateway. If these items are left empty, the device calculates the parameters automatically based on the entries under IP networks.


2.2) Use the firewall to block communication from the guest network to the internal network and allow DNS requests from the guest network:
2.2.1) Navigate to the menu Firewall/QoS → IPv4 rules → Rules.
2.2.2) Create a new rule and, on the General tab, give it a descriptive name.
2.2.3) Change to the Actions tab and make sure, that the action object REJECT is in place.
2.2.4) Change to the Stations tab, choose connections from the following stations and click Add → Add custom station.
2.2.5) From the drop-down menu for the Network name, select the Guest Network.
2.2.6) Set the Connection destination to the item connections to the following stations and click Add → LOCALNET.

The object LOCALNET contains all local networks, including the INTRANET. Instead of the object LOCALNET, you can also select the INTRANET itself.

2.2.7) Click OK to create the firewall rule.
2.2.8) Select the firewall rule created in steps 2.2.2 - 2.2.7 and click on Copy to create an additional firewall rule, which allows DNS requests from the guest network.
2.2.9) On the General tab, adjust the Name of the rule accordingly.
2.2.10) Switch to the Actions tab, delete the object REJECT and add the object ACCEPT instead.
2.2.11) Navigate to the Services tab. Under Protocols/target services select the item the following protocols/target services and click Add.
2.2.12) Select the protocol DNS.
2.2.13) You can now write the configuration back to the device. This concludes the configuration steps on the WLAN controller.