Creating Segregated SSIDs with VLANs using Zyxel AP and AP Controller (USG FLEX)
Background:
In an office environment, we would like to separate employee network traffic from guest network traffic. This guide shows how to create two SSIDs in separate VLANs with a Zyxel AP and a USG FLEX firewall.
Scenario:
In this scenario, the AP is managed by the firewall, and there are two SSIDs: one for employees using VLAN10 and one for guests using VLAN20. Both VLAN10 and VLAN20 clients must obtain DHCP IP addresses from the firewall. Additionally, a security policy must be implemented to restrict guest users from accessing employee devices.
Steps:
- Access the firewall’s Web GUI
  - Connect your PC to the switch and access the firewall’s Web GUI.
- Open Quick Setup
  - From the main dashboard, click the Wizard Icon to open the Quick Setup menu. Select Wireless Setup.
- Select Management Mode
  - Ensure that AP Controller is selected as the management mode.
- Create SSIDs
  - Turn on the status for 2 SSIDs. Edit each SSID by entering the wireless name, VLAN ID, and security settings.
- Review Radio Settings
  - Simply click next on the radio settings page without changing any functions.
- Save Wireless Setup
  - Review the summary of your wireless setup and press the SAVE button to complete the wizard.
- Add AP to the Managed List
  - Navigate to MONITOR > Wireless > AP Information to access the AP List page. Select your AP and click the “plus” button to switch it to controller-managed mode. The ZyWALL will then synchronize all wireless settings to the managed APs. A green tick icon indicates a successful addition.
- (Optional) Change AP’s IP Address
  - Modify AP IP settings via the firewall’s AP list page. Check "Force Overwrite IP setting" if needed.
- Create VLAN10 Interface for Employee SSID
  - Select Interface in the Menu and click on the VLAN tab. Add the VLAN10 settings as indicated. Set the DHCP lease time to 1 day for employee devices.
- Create VLAN20 Interface for Guest SSID
  - Add the VLAN20 settings as indicated. Set the DHCP lease time to 8 hours for guest devices to prevent the DHCP pool from running out quickly.
- Create Address Objects for VLAN Interfaces
  - Create address objects for each VLAN interface. Use the “interface subnet” type and select the VLAN interfaces created.
- Create Security Policy to Block Traffic
  - Go to the Security policy page and add a rule to block traffic from VLAN20 to VLAN10. Set the Source to the Guest_VLAN object and the Destination to the Employee_VLAN object. Ensure the Action is set to deny.
What Could Go Wrong
- AP Not Appearing in Managed List: Ensure the AP is on the local subnet and its firmware is up to date. Check network cables and connections.
- SSIDs Not Broadcasting: Verify SSID status and correct VLAN IDs. Ensure radio settings match device compatibility.
- Clients Not Receiving DHCP Addresses: Check ZyWALL DHCP server settings and VLAN interface configurations. Resolve any IP conflicts.
- Guests Accessing Employee Network: Review security policy settings. Confirm correct source/destination objects and set rule action to deny.
- Managed Switch Interference: If you're using a managed switch between your firewall and AP, please ensure VLAN traffic is allowed and configured correctly on switch ports. Check VLAN tagging and trunking settings.
- Network Performance Issues: Address interference, optimize AP placement, and monitor network load and bandwidth usage.
Kay
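For the "Guests Accessing Employee Network" case above, a common cause is the deny rule sitting below a broader allow rule. The following is an added example, not part of the original post and not Zyxel code: it models a rule table as an ordered list and flags any allow rule that guest-to-employee traffic reaches before a covering deny. It assumes first-match, top-down evaluation; the subnets and rule names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values: the page does not state the VLAN subnets.
EMPLOYEE_VLAN = "192.168.10.0/24"  # assumed subnet for VLAN10
GUEST_VLAN = "192.168.20.0/24"     # assumed subnet for VLAN20

@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    action: str   # "allow" or "deny"

def _net(spec):
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec)

def first_match(rules, src_ip, dst_ip):
    """Return the first rule matching one flow, or None (default action applies)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return next((r for r in rules if s in _net(r.src) and d in _net(r.dst)), None)

def audit_isolation(rules, guest=GUEST_VLAN, employee=EMPLOYEE_VLAN, default_action="deny"):
    """List every allow rule reachable by guest->employee traffic before a covering deny."""
    g, e = ipaddress.ip_network(guest), ipaddress.ip_network(employee)
    findings = []
    for pos, r in enumerate(rules, start=1):
        src, dst = _net(r.src), _net(r.dst)
        if not (src.overlaps(g) and dst.overlaps(e)):
            continue                      # rule cannot match guest->employee traffic
        if r.action == "allow":
            findings.append(f"rule {pos} '{r.name}' allows guest->employee traffic")
        elif g.subnet_of(src) and e.subnet_of(dst):
            return findings               # full deny reached; later rules are irrelevant
    if default_action == "allow":
        findings.append("no covering deny rule and the default action is allow")
    return findings

# Constructed rule tables: the same two rules in different order.
SHADOWED = [Rule("Allow_All_Outbound", "any", "any", "allow"),
            Rule("Guest_to_Employee_Deny", GUEST_VLAN, EMPLOYEE_VLAN, "deny")]
CORRECT = list(reversed(SHADOWED))

if __name__ == "__main__":
    for label, table in (("shadowed", SHADOWED), ("correct", CORRECT)):
        print(label, audit_isolation(table) or "guest VLAN isolated")
```

The audit is conservative: a deny rule that covers only part of either subnet does not end the scan, so any allow rule after it is still reported.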