VLAN help on AP with multiple SSIDs

Good evening folks,

I need to do the following, and we are not going to purchase Cisco equipment to do it:

Access point with two SSIDs. One is public and the other is private. Public needs to NOT see anything but the internet, and the AP also needs to serve as a DHCP server for clients connected to public. The private network can see everything: servers, printers and whatnot; addresses are handed out by the server's DHCP.

Am I asking too much? I know there are some APs out there that can serve as access points and DHCP servers at the same time.

Now onto the VLAN. If I set up the router's port that my AP is connected to with a VLAN ID, then only traffic between the two IDs is permitted, right? So my "private" SSID (not on a VLAN) won't be able to talk through that switch port?? Am I thinking about this correctly?

This is a new topic to me, so I'm a little confused.

This can easily be done with an advanced router such as Cisco, but that option is ruled out since you don't want to purchase  new Cisco stuff.

Now, what kind of an environment are you in? Do you have a spare computer with dual NICs that you could install Windows Server onto? For example, Windows Server 2003 or later can do it.

At some point you have to have a switch that supports VLANs, and maybe two regular wireless access points.
One more thing... I mentioned two access points simply because I assumed you don't have one of those expensive Cisco Aironet APs that support multiple SSIDs and VLANs. If you do, then one of them will do it.
mrjking2000 (Author) Commented:
Hmm, okay, so now I understand the trend for Cisco. The environment has an SBS 2008 server, a WatchGuard firewall with a built-in 4-port switch, a D-Link 24-port switch, and a terminal server.

If the WatchGuard firewall supports VLANs and the access point (for example, the EnGenius EAP-3660 seems to be able to handle multiple SSIDs and DHCP on the device), one could just enable the public SSID with a VLAN tag of 2, and the firewall port with VLAN tag 2, and it could work?? What about the private SSID?

Rick Hobbs (Retired) Commented:
What is the manufacturer/model number of the AP you have?
mrjking2000 (Author) Commented:
I would like to use the EnGenius EAP-3660 for indoor and maybe the EOC-5611p for outdoor APs.
Well, in that case most of the configuration is going to happen in the WatchGuard. To be honest, I've heard many good things about WatchGuard, but I personally have never worked with them. I'm sure it supports ACLs (access lists) and route maps. Again, I'm using the Cisco-equivalent terminology; I'm sure they are universal and WatchGuard calls them the same thing.

At this point you make the decision. If your AP supports multiple SSIDs and each SSID can be tagged with a different VLAN, then you are good to go. You will create two VLANs for your entire network; the internal SSID will be part of the internal VLAN and the other will be for the outside Internet only. Once you set that up, you control the traffic with ACLs from your WatchGuard.

Now the same applies to the two-AP setup, where one AP will be part of the internal VLAN and the other will be separate, and both will be connected to their appropriate VLANs. In this case you might not even need VLANs, since your internal AP can be connected to your D-Link and the other one to one of the switch ports of the WatchGuard.

Rick Hobbs (Retired) Commented:
The EnGenius EAP-3660 supports VLAN tagging. Add a second card to your server and configure it for VLAN 2. Set up the firewall to forward all traffic on VLAN 2 to and from your internet port only. Put your internal devices on VLAN 1 and the external devices on VLAN 2 and you should be in business.
The easiest way is indeed to configure VLANs on the SSIDs and on the WatchGuard accordingly, and make two rules with the needed protocols/services:

from = vlan1 (trusted)
to   = any-trusted & any-external

and another one for the guests:

from = vlan2 (guests)
to   = any-external
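The same two rules, written out for a Linux router standing in for the WatchGuard, as an added example that is not from this thread or from any of the vendors named in it. Constructed assumptions: eth0 is the trunk toward the D-Link/AP, eth1 is the WAN uplink, the private SSID arrives untagged on eth0 (DHCP still from the SBS box) and the guest SSID arrives tagged VLAN 2; the guest subnet 10.99.0.1/24 is made up.

```shell
#!/bin/sh
# Added example, not from the thread: a Linux router in place of the WatchGuard.
# Constructed assumptions: eth0 = trunk toward the D-Link/AP, eth1 = WAN uplink;
# private SSID arrives untagged on eth0, guest SSID arrives tagged VLAN 2.

LAN_IF=eth0
WAN_IF=eth1
GUEST_VID=2
GUEST_IF="${LAN_IF}.${GUEST_VID}"
GUEST_GW=10.99.0.1   # constructed guest subnet, served by the router's own DHCP

# Print the commands that create the tagged sub-interface. Untagged frames from
# the private SSID still land on plain $LAN_IF, so that SSID keeps working as before.
vlan_setup_cmds() {
    printf 'ip link add link %s name %s type vlan id %s\n' "$LAN_IF" "$GUEST_IF" "$GUEST_VID"
    printf 'ip addr add %s/24 dev %s\n' "$GUEST_GW" "$GUEST_IF"
    printf 'ip link set %s up\n' "$GUEST_IF"
}

# nftables ruleset for the two rules in the last answer:
#   vlan1 (trusted) -> any-trusted and any-external;  vlan2 (guests) -> any-external only.
guest_policy_nft() {
    cat <<EOF
flush ruleset
table inet fw {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # trusted: the untagged LAN interface may go anywhere ("$LAN_IF" does not match "$GUEST_IF")
        iifname "$LAN_IF" accept
        # guests: any private-range destination is internal, so drop it before anything else ...
        iifname "$GUEST_IF" ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } drop
        # ... and only the WAN uplink is left for whatever remains
        iifname "$GUEST_IF" oifname "$WAN_IF" accept
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # guests may only reach the router itself for DHCP and DNS
        iifname "$GUEST_IF" udp dport { 67, 53 } accept
        iifname "$GUEST_IF" tcp dport 53 accept
        iifname "$LAN_IF" accept
    }
}
EOF
}
```

As root, `vlan_setup_cmds | sh` creates the sub-interface and `guest_policy_nft | nft -f -` loads the policy; NAT toward the uplink is left to whatever already provides it.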
