VLAN help on AP with multiple SSIDs

Good evening folks,

I need to do the following, and we are not going to purchase Cisco equipment to do it:

Access point with two SSIDs. One is public and the other is private. Public needs to NOT see anything but internet, and also serve as a DHCP server for clients connected to public. Private network can see everything, servers, printers and whatnot; addresses are handed out by the server's DHCP.

Am I asking too much? I know there are some APs out there that can serve as access points and DHCP servers at the same time.

Now onto the VLAN. If I set up the router's port that my AP is connected to with a VLAN ID, then only traffic between the two IDs is permitted, right? So my "private" SSID (not on VLAN) won't be able to talk through that switch port? Am I thinking about this correctly?

This is a new topic to me, so a little confused.
emilgas (Connect With a Mentor) commented:
Well, in that case most of the configuration is going to happen in WatchGuard. To be honest, I've heard many good things about WatchGuard, but I personally have never worked with them. I'm sure it supports ACLs (access lists) and route maps. Again, I'm using the Cisco equivalent terminology and I'm sure they are universal and WatchGuard calls them the same thing.

At this point you make the decision. If your AP supports multiple SSIDs and each SSID can be tagged with a different VLAN, then you are good to go. You will create two VLANs for your entire network, and the internal SSID will be part of the internal VLAN and the other will be for the outside Internet only. Once you set that up, you control the traffic with ACLs from your WatchGuard.

Now the same will be applied to the two-AP setup, where one AP will be part of the internal VLAN and the other will be separate and both will be connected to their appropriate VLANs. In this case you might not even need VLANs, since your internal AP can be connected to your D-Link and the other one to one of the switchports of the WatchGuard.
This can easily be done with an advanced router such as Cisco, but that option is ruled out since you don't want to purchase new Cisco stuff.

Now, what kind of an environment are you in? Do you have a spare computer with dual NIC cards that you could install Windows Server onto? For example, Windows Server 2003 or later can do it.

At some point you have to have a switch that supports VLANs, and maybe two regular wireless access points.
One more thing... I mentioned two access points simply because I assumed you don't have one of those expensive Cisco Aironet APs that support multiple SSIDs and VLANs. If you do, then one of them will do it.
mrjking2000 (Author) commented:
Hmm, okay, so now I understand the trend for Cisco. The environment has an SBS 2008 server, a WatchGuard firewall with a built-in 4-port switch, a D-Link 24-port switch, and a terminal server.

If the watchdog firewall supports VLANs and the access point, for example the EnGenius EAP-3660, seems to be able to handle multiple SSIDs and DHCP on the device, one could just enable the public SSID with a VLAN tag of 2, and the firewall port with VLAN tag 2, and it could work? What about the private SSID?
Rick Hobbs (RETIRED) commented:
What is the manuf/model# of the AP you have?
mrjking2000 (Author) commented:
Would like to use the EnGenius EAP-3660 for indoor and maybe EOC-5611p for outdoor APs.
Rick Hobbs (RETIRED) commented:
The EnGenius EAP-3660 supports VLAN tagging. Add a second card in your server and configure it for VLAN2. Set up the firewall to forward all traffic on VLAN2 to and from your internet port only. Put your internal devices on VLAN1 and the external devices on VLAN2 and you should be in business.
setasoujiro (Connect With a Mentor) commented:
The easiest way is indeed to configure VLANs on the SSIDs and on the WatchGuard accordingly, and make two rules with the needed protocols/services:

from = vlan1 (trusted)
to = any-trusted & any-external

and another one for the guests:

from = vlan2 (guests)
to = any-external
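
The two rules in the answer above can be modelled as an allow-list with default deny and checked for guest-to-trusted leaks. This is an added example, not part of the original thread and not WatchGuard configuration; the subnets, zone names and the `allowed` / `guest_leaks` helpers are assumptions made for illustration.

```python
import ipaddress

# Assumed addressing (constructed, not from the thread).
ZONES = {
    "trusted": ipaddress.ip_network("192.168.1.0/24"),  # vlan1 (trusted)
    "guests": ipaddress.ip_network("192.168.2.0/24"),   # vlan2 (guests)
}

# The two rules from the answer, as (from_zone, allowed destination zones).
POLICY = [
    ("trusted", {"trusted", "external"}),
    ("guests", {"external"}),
]


def zone_of(addr):
    """Map an IP to a zone; anything outside the local VLANs is 'external'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def allowed(src, dst, policy=POLICY):
    """Allow-list semantics: permitted only if some rule matches both
    source and destination zone; everything else is dropped."""
    s, d = zone_of(src), zone_of(dst)
    return any(f in (s, "any") and (d in to or "any" in to) for f, to in policy)


def guest_leaks(policy):
    """Return the rules that would let the guest VLAN reach the trusted VLAN."""
    return [r for r in policy
            if r[0] in ("guests", "any") and ({"trusted", "any"} & r[1])]


if __name__ == "__main__":
    flows = [("192.168.2.50", "203.0.113.10"),   # guest -> internet
             ("192.168.2.50", "192.168.1.10"),   # guest -> internal server
             ("192.168.1.20", "192.168.1.10"),   # trusted -> internal server
             ("192.168.1.20", "203.0.113.10")]   # trusted -> internet
    for src, dst in flows:
        print(src, "->", dst, "ALLOW" if allowed(src, dst) else "DENY")
    # A later, broader rule silently breaks the isolation:
    print("leaks:", guest_leaks(POLICY + [("any", {"any"})]))
```

The isolation holds only while no other allow rule covers guest-to-trusted traffic, which is why the audit is worth rerunning whenever the rule set changes.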
