Solved

SonicWall TZ210 w SonicPoint multiple SSID - corporate and guest setup

Posted on 2011-03-23
19
10,048 Views
Last Modified: 2012-11-13
I have set up a TZ210 and 8 SonicPoint Ni, the LAN works flawlessly, and I then added the SonicPoints to a switch and used interface X2 for the SonicPoints; they are working flawlessly for the corporate wifi. Now we need to add guest access. I am having issues following the manual. I do not have the ability to add a new Network Interface. When I break the bridge from X2 to X0 I still don't have the ability to add an interface.
To sum it up I need the SonicPoint to broadcast 2 SSIDs - one for corporate with access to the LAN devices, resources, and internet, one for Guest with access to internet only.
The TZ20 is the wireless model, with the built in WIFI radio currently disabled. Firmware is Current (has to be to recognize the SonicPoint Ni.)
0
Comment
Question by:nextwavepc
19 Comments
 
LVL 33

Expert Comment

by:digitap
ID: 35200995
ok...now that the bridge is broken, can you post a sanitized screen shot of your interface page again?
0
 

Author Comment

by:nextwavepc
ID: 35201160
tz210
0
 
LVL 33

Expert Comment

by:digitap
ID: 35201290
are you running the standard OS? i didn't think you could get the 210 with anything but enhanced. go to system > status. you should see it right there with the version of OS.

i'm looking into other reasons why you'd be missing that Add Interface button.
0
 

Author Comment

by:nextwavepc
ID: 35201364
I do believe it is the enhanced.

Firmware Version: SonicOS Enhanced 5.6.0.10-52o
Safemode Version: Safemode 5.0.1.13
ROM Version: SonicROM 5.0.2.11
CPUs: 1.33% - 500 MHz Mips64 Octeon Processor
Total Memory: 256 MB RAM, 32 MB Flash
System Time: 03/23/2011 14:41:59
Up Time: 0 Days 01:12:49
Connections: Max: 10000 Peak: 107 Current: 50
Connection Usage: 0.500%
0
 
LVL 33

Accepted Solution

by:
digitap earned 500 total points
ID: 35201577
i checked my sonicwall account and there is only one firmware type and it's for enhanced. i was looking at one of my 210s and see it doesn't have the add interface either. i looked over the corporate VAP referenced above, and found this line at the beginning.

Gen5 TZ Series: TZ 100, TZ 100 Wireless, TZ 200, TZ 200 W, TZ 210, TZ 210 Wireless (SonicOS Enhanced 5.6.3.0 and above)

notice the version. there is a pre-release currently and it is 5.8.0. your 210 and my 210 are the same version, 5.6.0. i think that might be the problem.

i'm updating my 210 to the 5.8.0.2 version now. i'll let you know if i get the add interface function.
0
 
LVL 33

Expert Comment

by:digitap
ID: 35201594
that was it. take your 210 to version 5.8.0.2. i now have the Add Interface button. this should allow you to complete the steps referenced above.
0
 

Author Comment

by:nextwavepc
ID: 35201690
I am attempting that now. I will let you know how that goes. Should have thought of that. I had terrible issues with adding the Ni's and it was all due to the firmware not being current. sigh.
0
 
LVL 33

Expert Comment

by:digitap
ID: 35201708
yes. there have been several firmware "transition" issues that i've encountered with the sonicpoints between 5.0 and 5.8. it's been a real pain.
0
 

Author Comment

by:nextwavepc
ID: 35201764
Firmware Version: SonicOS Enhanced 5.8.0.2-37o
Safemode Version: SafeMode 5.0.1.13
ROM Version: SonicROM 5.0.2.11

We are now updated. Now where do I head? To the manual?
0

 
LVL 33

Expert Comment

by:digitap
ID: 35201816
yep....the manual is the best place to start. how are your sonicpoints connecting to your sonicwall presently?

my advice, which isn't in the KBs, is to completely segregate your sonicpoints. if you have a switch you are not using, then i'd connect ONLY the sonicpoints to it. if you don't and you need to set up vlans to segregate your sonicpoint vlan traffic from the rest of your network, you'll make the ports the sonicpoints connect to and the sonicwall X2 interface "untagged" members of BOTH vlans you create on the X2 interface.
0
 

Author Comment

by:nextwavepc
ID: 35201866
I do have a separate switch for only the SonicPoints. I was running everything perfectly till this.
Configuring it all now. I'll let you know how it works out.
Thanks.
0
 
LVL 33

Expert Comment

by:digitap
ID: 35201871
cool.
0
 
LVL 3

Expert Comment

by:gilm0079
ID: 35206155
Here is what you need to do.

You will need to set up virtual access points.  There are many steps to doing this.  I may not have them in the right order, but it won't let you set up some of these things until you have the other ones set up.

1. create VLANs for each of your wireless networks.  Depending on your network setup there are different ways to do this.  If your sonicpoints are going to have a dedicated interface on the firewall (not used by LAN traffic) then that interface needs to have DHCP, allow sonicpoints, etc.  This interface will be your sonicpoint provisioning interface.  The DHCP server for this segment will only give out IPs to sonicpoints (not wifi users).  You will then need to make VLANs using this interface as your parent interface.  1 VLAN for each wifi network.

2. create a zone for each wifi network.  each wifi network including the provisioning network needs to have a zone associated with it.  I would recommend having a separate zone for each network to give you the most flexibility.

3. Create virtual access point (VAP) profiles.  These are templates for your VAPs.  

4. Create VAPs from your VAP profiles.  Make sure each is assigned to the appropriate VLAN.  VAPs should not be associated with the provisioning network.  Your physical sonicpoints will use this for getting a management IP for themselves.

5. Put your VAPs in a VAP group

6. Assign that VAP group to your sonicpoints

That should get you running.  Each zone (wifi network) can now be access controlled from your firewall access rules.  If you are like us and want to use your corporate DHCP server to lease out IPs for your virtual access points there is one more step.  Instead of having DHCP servers on each of your VLANs and the provisioning network you would want to put an IP helper rule in place for the DHCP protocol from the zone to the IP of the DHCP server.  This will forward the DHCP request broadcast packets to your DHCP server.  Assuming you have a DHCP scope in place for each of the subnets it will choose the correct one (by design of the DHCP request).

If you need to have a managed switch between your sonicpoint and sonicwall firewall let me know and I can go into detail on the setup required for that.
0
 

Author Closing Comment

by:nextwavepc
ID: 35213970
Since I was not able to add VAPs - though I knew how, it was purely based on the firmware not being current - though I had stated it was. Go figure. Thanks, that was the key to proceeding further and adding my second SSID.
0
 
LVL 33

Expert Comment

by:digitap
ID: 35214530
glad things worked out and i learned something in the process too. thanks for the points!
0
 
LVL 3

Expert Comment

by:WiReDWolf
ID: 35909052
gilm0079
If you have documentation about utilizing a managed switch between the SonicWALL router and the SonicPointNi interfaces I'd be happy to see that.

Sorry about being off-topic...
0
 
LVL 3

Expert Comment

by:gilm0079
ID: 35960393
I don't have any documents on it.  Most switches operate the same as far as VLAN memberships.  If you are doing the setup like I am and your sonicpoint provisioning subnet plus each wifi subnet are VLANs of a physical interface on your sonicwall firewall then your switches will need to have the port going towards your sonicwall and towards your sonicpoints "Tagged" with the provisioning VLAN and each Wifi VLAN.  The only difference is when you get to the managed switch directly connected to your sonicpoint.  That's where your provisioning VLAN needs to be "Untagged".

As for DHCP routing, our sonicwall acts as the bridge between our VLANs so for us we put in iphelper policies on the sonicwall to help DHCP requests from each wifi subnet to the DHCP server.  If your switches handle your VLAN bridging then you will need to put iphelper rules in on them to help the DHCP broadcast packets over to your DHCP server.
0
 
LVL 3

Expert Comment

by:WiReDWolf
ID: 35963890
I broke into the IP Helper but haven't had a chance to test my new configuration.

SonicWALL allows you to assign multiple VLANs to the same SonicPoints so you can set up guest access AND secured/employee access simultaneously.  This is very convenient but extremely inconvenient if you can't assign more than one VLAN to a managed switch port.

Easier to just replace the managed switch with a simple POE switch instead, it seems.
0
 
LVL 3

Expert Comment

by:gilm0079
ID: 35966460
All managed switches should allow you to assign as many VLANs to a switch port as you want.  You may be looking in the wrong place.  You don't want to assign a "Customer VLAN" or "PVID" to the port.  What that does is take ingress untagged packets and assign them to the PVID, and take tagged packets from that VLAN and untag them on egress from the port.

Usually switches call it VLAN membership or something like that.  I would refer to your user manual for your specific switch on this.
0
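The tagged/untagged layout gilm0079 describes for a managed switch between the SonicWall and the SonicPoints, as an added example that is not part of the original thread: a small Python model of 802.1Q port behaviour plus a check of a port plan. The VLAN IDs (10, 20, 30), the port names and the `Port`, `ingress`, `egress` and `audit` helpers are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed VLAN IDs for illustration; the thread does not give any.
PROVISIONING, CORPORATE, GUEST = 10, 20, 30
WIFI_VLANS = {CORPORATE, GUEST}

@dataclass
class Port:
    name: str
    role: str                     # "uplink" (toward the SonicWall) or "ap" (SonicPoint)
    pvid: Optional[int] = None    # VLAN assigned to untagged ingress frames
    untagged: set = field(default_factory=set)  # VLANs sent without a tag
    tagged: set = field(default_factory=set)    # VLANs sent with an 802.1Q tag

def ingress(port, frame_vid):
    """VLAN a frame lands in (frame_vid None = untagged), or None if dropped."""
    if frame_vid is None:
        return port.pvid
    return frame_vid if frame_vid in port.tagged | port.untagged else None

def egress(port, vlan):
    """How a frame in `vlan` leaves the port: 'tagged', 'untagged' or None."""
    if vlan in port.tagged:
        return "tagged"
    return "untagged" if vlan in port.untagged else None

def audit(ports):
    """Check ports against the layout described in the thread."""
    findings = []
    for p in ports:
        if p.role == "ap" and not (p.pvid == PROVISIONING and PROVISIONING in p.untagged):
            findings.append(f"{p.name}: provisioning VLAN must be untagged on the SonicPoint port")
        needed = WIFI_VLANS | ({PROVISIONING} if p.role == "uplink" else set())
        missing = needed - p.tagged
        if missing:
            findings.append(f"{p.name}: VLANs {sorted(missing)} must be tagged members")
    return findings

GOOD = [Port("1", "uplink", tagged={10, 20, 30}),
        Port("2", "ap", pvid=10, untagged={10}, tagged={20, 30})]
# The mistake described above: one VLAN set as PVID instead of tagged membership.
BAD = [Port("1", "uplink", tagged={10, 20, 30}),
       Port("2", "ap", pvid=30, untagged={30})]

if __name__ == "__main__":
    for label, ports in (("good", GOOD), ("bad", BAD)):
        print(label, audit(ports) or "OK")
```

With the `BAD` plan the SonicPoint's own untagged traffic is classified into VLAN 30 and tagged corporate frames are dropped at the port, which is the symptom of setting a PVID where tagged membership was needed.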
