How do I setup a VLAN for internet access only using a Linksys WRT54G,  2 Cisco SG 300-28, and a SonicWALL TZ 210?

Posted on 2011-10-03
Last Modified: 2013-11-09
My Equipment:
2 Cisco SG 300-28 (in pretty much default setup)
1 SonicWALL TZ 210 wireless N Network Security Appliance
2 Linksys WRT54G configured as Access Points
1 HP ProLiant DL360 G7 (that handles DHCP) running Windows Server 2008 R2 Enterprise
30 Desktop/Laptop XP/Windows 7 computers that are connected to the Domain
Various personal devices that are WiFi enabled

Situation: I would like to create a VLAN that would allow the personal or Guest devices (iPhones/iPads, Personal Laptops, etc.) to have access to the internet on one of the Linksys routers called Guest Access. At present my network looks like this:

Computers/Servers (wired)------Switch1/2-----------SonicWALL----internet
                                                       |
Wireless devices-----Linksys APs-----------------------|

Question: How do I connect the VLAN for the Guest Access to the Internet and keep it completely separate from the rest of the network? Thank you for your time.
0
Question by:CAllenLong
11 Comments
 
LVL 6

Expert Comment

by:Sid_F
ID: 36904770
I would create a public zone on the SonicWall, assign the zone to a port, e.g. X5, and connect the Linksys to the port. You will obviously need to create rules. You will need to set up DHCP on the zone, as it will be a public zone and so will not be able to contact the server.
0
 

Author Comment

by:CAllenLong
ID: 36904976
So let me see if I get this straight.

First create a VLAN that has two ports. One, port x4, is connected to  the Linksys router "Guest Access" that sits by my desk, the other, port x5, I would connect to the Sonicwall. Next I go to the Sonicwall and create a public zone, create some "rules" (I think I understand what you mean by this), and setup DHCP on this zone.

I assume I can serve DHCP from the Linksys for this scenario?
Will I need to do any configuration on the switch beyond creating a VLAN with ports x4 and x5 in it?
Do I need to do any configuration on the ports themselves in the switch?

Please assume that I am just a button-clicking monkey that will have no idea what you are talking about if you don't talk to me like I am a button-clicking monkey...

Thanks again for your time.
0
 
LVL 6

Expert Comment

by:Sid_F
ID: 36905521
Think outside of VLAN for the moment. In basic terms you are connecting your Linksys wireless to a free port on your SonicWall, let's say X5. The Linksys should be configured with an IP and DHCP turned off. Wireless clients can connect to the Linksys box; the SonicWall will supply an IP and keep the traffic separate from the rest of your internal network (if I have understood your requirements correctly).

Now setting up the SonicWall is a matter of configuring a zone (we'll call it public_wireless, set security as public), configuring an interface, selecting X5 as the parent interface and the zone as public_wireless. Configure a static IP for the interface with DNS etc. Then go to DHCP and add a DHCP server, select the zone public_wireless to populate it to. Lastly create a LAN to public_wireless rule for web traffic.
I am doing this from memory, so forgive me if I have left anything out. That should be the bones of it.
0
 

Author Comment

by:CAllenLong
ID: 36910272
The reason I thought I needed a VLAN is because the Linksys Router "Guest Access" is at my desk and the switch is in a server room about 60ft away. I have a dedicated port already for this router. Connecting the Linksys directly to the Sonicwall would be impractical, and I would learn nothing about creating a VLAN with internet access...

Am I asking for the impossible?

0
 
LVL 6

Expert Comment

by:Sid_F
ID: 36910323
OK, learning is one thing; my solution will give you the required end result in a secure manner. Unless I am missing something, I can't see the problem with routing the Linksys box, no matter where it is in your building, to the port on the SonicWall. Whether it's VLAN or zone, you still need to run the Linksys back to the SonicWall.
0
 

Author Comment

by:CAllenLong
ID: 36911937
I will rephrase the question.

How do I setup a VLAN on a Cisco SG 300-28, Linksys WRT54G Router, and Sonicwall TZ 210 to give users the ability to connect their personal devices to the Linksys and have internet access without being able to connect to the rest of the network.

As many details as possible would be appreciated.
0
 

Author Comment

by:CAllenLong
ID: 36926752
Any chance of getting a second Opinion? On a forum that I have to pay to use I think I can expect to receive a little bit more "spoon feeding" than all the free forums I am also a member of. If I am expecting too much then I guess I am paying too much, as well....
0
 
LVL 6

Expert Comment

by:Sid_F
ID: 36926901
Click on the request attention link under your question and that should get you more feedback. I have not used VLANs on the SonicWall but can see the TZ210 does not support VLAN tagging; there are some ways around this:
http://www.experts-exchange.com/Hardware/Networking_Hardware/Q_26006609.html
Best of luck.
0
 
LVL 23

Accepted Solution

by:Mysidia earned 2000 total points
ID: 36936395
"How do I setup a VLAN on a Cisco SG 300-28, Linksys WRT54G Router, and Sonicwall TZ 210 to give users the ability to connect their personal devices to the Linksys and have internet access without being able to connect to the rest of the network."

1. Configure 3 ports on your SonicWall, with 3 different subnet IP address ranges, and your desired security policies; the private LAN belongs in a high security zone, the two other interfaces, WAN and Public WiFi, would be lower security.

The subnet/network IP addresses assigned to the three different interfaces on the SonicWall must not be overlapping IP address ranges, as the SonicWall will need to route between the three networks.

3 ports are to be set up on the SonicWall:
 1 WAN port to be plugged into your ISP-provided CPE gear, e.g. your ISP's router, cable modem, etc.; this will have a subnet either assigned by your ISP or provided using DHCP, in some cases, configure the interface per your ISP's directives.

 1 Public AP port to be plugged into your SG 300-28 switch.
 1 LAN port to be plugged into your SG 300-28 switch.

[*] Yes, it's true that in some cases an 802.1Q VLAN trunk may be possible between a SonicWall with certain features and a Cisco switch with the proper feature, which would allow you to use only "two physical ports" on the SonicWall, but it's neither necessary nor proper, from a design, security, or troubleshooting perspective, with a network with such simple requirements.

Edit the configuration of the SG 300-28 switch.

Create a VLAN for your private LAN network on the SG 300-28 switch, utilize a unique VLAN ID.
Create a VLAN for your public "WiFi" network on the SG 300-28 switch, utilize a unique VLAN ID.

Place all the ports on your SG 300-28 switch in the "private LAN" VLAN.
That is, check them off as members of the private VLAN with status untagged.

Change the VLAN of the port that you plug your access point in on the switch to the "public LAN" VLAN ID; that is, turn off their membership in the private VLAN and add them to the "Public WiFi VLAN", by changing them to members of the VLAN untagged.

Change the VLAN of the port that you plug your SonicWall's "public WiFi LAN" firewall port to the public LAN VLAN ID.

Configure your public WiFi unit to operate in router mode instead of access point mode.
Statically configure both the WAN and LAN settings on this WRT54G; the 54G can be a DHCP server for its LAN, but don't let the 54G get any config details for itself using DHCP.

This will help mitigate the risk that someone accidentally unplugs the WRT54G some day and plugs it into the wrong ethernet port; instead of the 54G getting a WAN IP address from DHCP, or the WiFi clients being bridged to your private LAN, in router mode, the public WiFi network will stop working instead of security being completely compromised.
0
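
A sanity check for the addressing and port plan laid out in the accepted answer, as an added example that is not part of the original thread. Every address, VLAN ID and port name below is a constructed assumption, as is the extra requirement that the WRT54G's own LAN subnet (router mode) not overlap the other three.

```python
import ipaddress
from itertools import combinations

# Constructed sample plan; every address, VLAN ID and port name is an assumption.
PLAN = {
    "subnets": {
        "wan": "203.0.113.0/29",           # SonicWall WAN interface
        "private_lan": "192.168.10.0/24",  # SonicWall LAN interface
        "public_wifi": "192.168.20.0/24",  # SonicWall public WiFi interface
        "wrt54g_lan": "192.168.30.0/24",   # clients behind the WRT54G (router mode)
    },
    "sonicwall_public_ip": "192.168.20.1",
    "wrt54g_wan_ip": "192.168.20.2",       # static, never learned over DHCP
    "vlans": {10: "private_lan", 20: "public_wifi"},
    # switch port -> (VLAN ID, tagged?); gi23 = guest AP, gi24 = SonicWall public port
    "ports": {"gi1": (10, False), "gi2": (10, False),
              "gi23": (20, False), "gi24": (20, False)},
    "guest_ports": {"gi23", "gi24"},
}

def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan["subnets"].items()}
    # The firewall routes between these networks, so none may overlap.
    for (a, net_a), (b, net_b) in combinations(nets.items(), 2):
        if net_a.overlaps(net_b):
            problems.append(f"subnets {a} and {b} overlap")
    guest_vid = next(v for v, name in plan["vlans"].items() if name == "public_wifi")
    for port, (vid, tagged) in sorted(plan["ports"].items()):
        if vid not in plan["vlans"]:
            problems.append(f"{port} uses undefined VLAN {vid}")
        if tagged:
            problems.append(f"{port} is tagged; the design uses untagged members only")
        # Only the AP port and the firewall's public port belong in the guest VLAN.
        if (vid == guest_vid) != (port in plan["guest_ports"]):
            problems.append(f"{port} is in the wrong VLAN for its role")
    wan_ip = ipaddress.ip_address(plan["wrt54g_wan_ip"])
    fw_ip = ipaddress.ip_address(plan["sonicwall_public_ip"])
    if wan_ip not in nets["public_wifi"] or fw_ip not in nets["public_wifi"]:
        problems.append("WRT54G WAN and SonicWall public IPs must sit in public_wifi")
    if wan_ip == fw_ip:
        problems.append("WRT54G WAN IP collides with the SonicWall interface IP")
    return problems

if __name__ == "__main__":
    print(check_plan(PLAN) or "plan is consistent")
```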
 

Author Comment

by:CAllenLong
ID: 36950715
I will try this today.
0
 

Author Comment

by:CAllenLong
ID: 37114444
Can you explain how to "Configure your public WiFi unit to operate in router mode instead of access point mode. Statically configure both the WAN and LAN settings on this  WRT54G;   the 54G can be a DHCP server for its LAN, but don't let the 54G get any config details for itself using DHCP."?

This is where I get stuck. Thanks.
0
