Creating Segregated SSIDs with VLANs using Zyxel AP and AP Controller (USG FLEX)

Zyxel_Kay Posts: 898  Zyxel Employee
edited July 11 in SSID

Background:

In an office environment, we want to separate employee network traffic from guest traffic. This guide shows how to create two SSIDs in separate VLANs with a Zyxel AP and a USG FLEX firewall.

Scenario:

In this scenario, the AP is managed by the firewall, and there are two SSIDs: one for employees using VLAN10 and one for guests using VLAN20. Both VLAN10 and VLAN20 clients must obtain DHCP IP addresses from the firewall. Additionally, a security policy must be implemented to restrict guest users from accessing employee devices.

Steps:

  1. Access the firewall’s Web GUI
    • Connect your PC to the switch and access the firewall’s Web GUI.
  2. Open Quick Setup
    • From the main dashboard, click the Wizard Icon to open the Quick Setup menu. Select Wireless Setup.
  3. Select Management Mode
    • Ensure that AP Controller is selected as the management mode.
  4. Create SSIDs
    • Turn on the status for 2 SSIDs. Edit each SSID by entering the wireless name, VLAN ID, and security settings.
  5. Review Radio Settings
    • Click Next on the radio settings page without changing any settings.
  6. Save Wireless Setup
    • Review the summary of your wireless setup and press the SAVE button to complete the wizard.
  7. Add AP to the Managed List
    • Navigate to MONITOR > Wireless > AP Information to access the AP List page. Select your AP and click the “plus” button to switch it to controller-managed mode. The ZyWALL will then synchronize all wireless settings to the managed APs. A green tick icon indicates a successful addition.
  8. (Optional) Change AP’s IP Address
    • Modify AP IP settings via the firewall’s AP list page. Check "Force Overwrite IP setting" if needed.
  9. Create VLAN10 Interface for Employee SSID
    • Select Interface in the Menu and click on the VLAN tab. Add the VLAN10 settings as indicated. Set the DHCP lease time to 1 day for employee devices.
  10. Create VLAN20 Interface for Guest SSID
    • Add the VLAN20 settings as indicated. Set the DHCP lease time to 8 hours for guest devices to prevent the DHCP pool from running out quickly.
  11. Create Address Objects for VLAN Interfaces
    • Create address objects for each VLAN interface. Use the “interface subnet” type and select the VLAN interfaces created.
  12. Create Security Policy to Block Traffic
    • Go to the Security policy page and add a rule to block traffic from VLAN20 to VLAN10. Set the Source to the Guest_VLAN object and the Destination to the Employee_VLAN object. Ensure the Action is set to deny.

What Could Go Wrong

  • AP Not Appearing in Managed List: Ensure the AP is on the local subnet and its firmware is up to date. Check network cables and connections.
  • SSIDs Not Broadcasting: Verify SSID status and correct VLAN IDs. Ensure radio settings match device compatibility.
  • Clients Not Receiving DHCP Addresses: Check ZyWALL DHCP server settings and VLAN interface configurations. Resolve any IP conflicts.
  • Guests Accessing Employee Network: Review security policy settings. Confirm correct source/destination objects and set rule action to deny.
  • Managed Switch Interference: If you're using a managed switch between your firewall and AP, please ensure VLAN traffic is allowed and configured correctly on switch ports. Check VLAN tagging and trunking settings.
  • Network Performance Issues: Address interference, optimize AP placement, and monitor network load and bandwidth usage.

Kay
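
The following is an added example, not part of the original post or Zyxel's own tooling: a small offline check of the plan from steps 9 to 12 that validates the two VLAN interfaces and shows why the guest-to-employee deny rule must match before any broader allow. The subnets, DHCP pools, the Guest_outbound rule and the first-match, default-deny evaluation model are assumptions; the VLAN IDs, lease times and object names come from the guide.

```python
import ipaddress

# Constructed plan. VLAN IDs and lease times are from the guide; the subnets,
# DHCP pools and the Guest_outbound rule are assumptions for illustration.
VLANS = {
    "Employee_VLAN": dict(vid=10, subnet="192.168.10.0/24", gateway="192.168.10.1",
                          pool_start="192.168.10.33", pool_size=200, lease_hours=24),
    "Guest_VLAN": dict(vid=20, subnet="192.168.20.0/24", gateway="192.168.20.1",
                       pool_start="192.168.20.33", pool_size=200, lease_hours=8),
}
DENY = ("Guest_to_Employee", "Guest_VLAN", "Employee_VLAN", "deny")
ALLOW = ("Guest_outbound", "Guest_VLAN", "any", "allow")  # hypothetical broad allow

def plan_errors(vlans):
    """Return problems that would break DHCP or isolation before deployment."""
    errors, items = [], list(vlans.items())
    for i, (name, v) in enumerate(items):
        net = ipaddress.ip_network(v["subnet"])
        first = ipaddress.ip_address(v["pool_start"])
        last = first + v["pool_size"] - 1
        if first not in net or last not in net or last == net.broadcast_address:
            errors.append(f"{name}: DHCP pool leaves the subnet")
        if first <= ipaddress.ip_address(v["gateway"]) <= last:
            errors.append(f"{name}: gateway inside DHCP pool")
        for other, o in items[i + 1:]:
            if v["vid"] == o["vid"]:
                errors.append(f"{name}/{other}: duplicate VLAN ID")
            if net.overlaps(ipaddress.ip_network(o["subnet"])):
                errors.append(f"{name}/{other}: overlapping subnets")
    return errors

def decide(rules, src_ip, dst_ip, vlans=VLANS):
    """Evaluate rules top-down; the first rule matching both addresses wins."""
    def inside(obj, ip):
        return obj == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(vlans[obj]["subnet"])
    for name, src, dst, action in rules:
        if inside(src, src_ip) and inside(dst, dst_ip):
            return action, name
    return "deny", "default"  # assumed default action for unmatched traffic

def leases_per_day(v):
    """Leases the pool can hand out in 24 hours if every lease runs to expiry."""
    return v["pool_size"] * 24 // v["lease_hours"]

if __name__ == "__main__":
    print(plan_errors(VLANS))
    print(decide([DENY, ALLOW], "192.168.20.50", "192.168.10.5"))  # deny first: blocked
    print(decide([ALLOW, DENY], "192.168.20.50", "192.168.10.5"))  # allow first: isolation lost
    print(leases_per_day(VLANS["Guest_VLAN"]))
```

After configuring the firewall, repeat the same guest-to-employee test from a real client on the guest SSID to confirm the deployed policy behaves like the plan.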
