Configuring Wireless Hotspot using two access points and Allied Telesis Switch

Posted on 2013-01-15
Last Modified: 2013-11-12
Hi Experts

My Supervisor has asked that I make a plan to configure a Public Wireless connection, Hotspot so to speak, for Staff and Guest to use for their personal devices such as iPhones if possible. We currently have two Allied Telesis Switches and two Proxim Access Points that are patched to one of the two Switches, allowing Wireless through our Fiber Internet Connection. Our Windows 2003 Server is the DHCP for all connections.

I need to know, in somewhat step by step, how I can set up a Public Wireless Access and keep the private Wireless Access for say our Laptops also, via the Switch using VLANs, I'm presuming.

I'm not sure how to go about this setup. We want the Public Wireless to NOT have any access to our Private Network Wired or Wireless of course.

Any steps or links to steps would be appreciated.

Thanks in Advance
Question by:CATHY-IT
LVL 30

Expert Comment

ID: 38779321
Does your wireless AP allow a Wi-Fi VLAN?
LVL 46

Expert Comment

by:Craig Beck
ID: 38780482
If you want something simple look at Zyxel's N4100 Hotspot router.  It'll do exactly what you need as it has public and private ports.  It's really easy to set up.

Author Comment

ID: 38782471
I'm not sure IanTh about that.. They are ProXim AP-700 V4.0.12 (1335) and I failed to mention our Router is a Sonicwall TZ-210 with security suite licenses.

I will google these Zyxel's....
Author Comment

ID: 38835546
I'm hoping I can use the hardware I already have and am still not sure of the best way to go about this. We'd like the Wi-Fi to still go through our Sonicwall router as it has the Content Filtering and Gateway security.

Author Comment

ID: 38879961
I still do not know how to set up a VLAN using our Telesis AG-8000GS/24POE that the two ProXim AP-700 access points are patched to, along with the additional AG-8000GS/48port Switch, since 24 ports was not enough for all our Network needs. Note: all devices connect to the internet via our SonicWall TZ-210 Gateway Router. Our Server is a Windows Server 2003 at this time.

I want to create a Wireless hotspot that is Public Use and thus not able to access our internal network. I get the idea in theory, but I do know exactly how to go about it.  I would still like Network users to be able to Use a Wireless connection to connect to our Server also. I was also hoping to be able to setup an additional Wired VLAN that would give me a Segment to Use for a Test lab in my office, that again has Internet access, but no access to our Main Network.

Perhaps I have this question posted in the wrong area.
LVL 47

Expert Comment

ID: 38880432
You need to buy wireless routers designed for such a purpose.  You want to use the same SSID no matter where you are on the campus and have something with the intelligence so they can be programmed to recognize the MAC IDs of your employees and deal with logging in and granting access to services based on this additional layer. That way you can separate the employees from guests and you have two layers of authentication.

The consumer class routers have no security to speak of and you are just looking for trouble.

Check out   They have a wide range of products that scale from exactly what you are looking for to solutions that handle college campuses.  I've used them to do a few schools that were pretty spread out and price is pretty fair.

Author Comment

ID: 38880616
So you are saying I can NOT create the VLANs and separate as I hope to using the Hardware that I have right now? We are not a campus and I have no issue with having two SSIDs, as I figured we would have at least two, Corp and Guest.

Author Comment

ID: 38880661
What if I obtain another "third" Proxim access point and plug it directly into the back of our SonicWall TZ210, port two (X2), and thus assign it its own Static IP on a different subnet than our Private Network and NOT bridged to our LAN, and use this Wireless AP for Guest/Public Use?

Leaving the original two APs we have patched to our Switch physically as they are, can I set up NAC/Rules so that only Units with, say, "member of our Domain" and Anti-Virus can have access to this Wireless? Plus they'd need the WPA2 Key.

Does this make any sense? I am trying to keep it simple..
LVL 47

Expert Comment

ID: 38880733
yes, as long as the SSID is unique

Author Comment

ID: 38881030
OK... I think that's what I'll suggest to my Supervisor for the Public access Wi-Fi. It keeps it simple and isolated and I can shutter it down easily enough if ever needed.

Forgive me if I'm babbling or sounding simple, but I like to talk things out so I'm sure I get the right picture, and then I need to know exactly what to configure so as to not disturb our network and of course keep it secure, whether wired or wireless.

Now in order to filter who can use the Corp (current) SSID, I'm wondering if perhaps it would be simplest to just add the MAC addresses for the Wireless NICs of our Corporate laptops and Blackberrys? Which, if I understand correctly, means I would still need to create a VLAN within the Switch GUI to place those MACs I've added into the MAC-based ACL and map this VLAN to the ports on the Switch that the APs are plugged into? Or would some other form of NAC/ACL work better?

My understanding being that Users will still need the WPA2 key but at least they couldn't use it on an unauthorized device, as we are also in the midst of creating a BYOD policy. This would force them to use the public Wi-Fi connection for all other devices if they want Internet access.
LVL 44

Expert Comment

ID: 38882348
If you get the ZyXEL N4100 with the SP-300E Printer as recommended by craigbeck way back in http:#a38780482 (though he didn't mention the printer... the N4100 by itself is about $100 less), you can print out temporary credentials so you don't have to worry about unauthorized guests using your bandwidth for illegal purposes from, say, the parking lot.

Author Comment

ID: 38884475
Forgive me if I'm missing the point.... I was told that I have all the hardware I need to do all that I want to do, but I do not know How to do it.

The Idea to get another Access Point and plug it into our TZ-210 Sonicwall Router for Guest Use was an afterthought, only after "Dlethe" mentioned getting a Wireless Router. I was trying to figure out why I've been advised twice to get Another Router. The reason I'd prefer to place an AP onto my SonicWall instead of getting another Router is that we have the Full Security Suite on the Sonicwall, which has Content Filtering along with Gateway Anti-virus and Spyware protection. So I still do not understand why I'd need another Wireless Router; why wouldn't a simple AP with built-in DHCP work for the same purpose behind our Sonicwall Router?

I was planning on having a password on the Guest Wi-Fi to help prevent unauthorized Use of it and changing it periodically, from, like you said, the Parking Lot.

Assuming the above is doable as I thought, my concern now is unauthorized Devices being on the Corp Wi-Fi connection using our Current APs, and I believe I have the hardware I need to create Access Rules. I just don't know HOW to do it....

Accepted Solution

CATHY-IT earned 0 total points
ID: 38996135
I ended up consulting with an outside company and got some help on setting up VLANs. I was able to use the hardware I already have (no new Router needed) and add two additional APs to create the Public Wi-Fi I needed and still have a Corp Wi-Fi as well - the simpler route.

I ended up setting up an additional LAN using the X2 port on the back of the Sonicwall Router that was not in use; in my case none of the extra ports on our Sonicwall TZ210 were in use. I had to go to the Sonicwall and create a new Zone for this X2 Port and give it a name, and I set up a Static IP for it, along with enabling DHCP on this Zone only. I used the VLAN options in the Allied Telesis GUI to configure Ports on the switch that would be used by this X2 connection only, and no traffic from these ports could see our Corp LAN on X1 VLAN 1.

I needed one port on the Switch to be essentially the gateway from the Allied Telesis Switch to the X2 Port on the Sonicwall, then I set up a few more to be used by Hardware devices such as Desktops/Laptops patched to a certain wall port in our Office (My Test Lab). I also put two other ports into this VLAN that the two new Access Points plug into (Public Wi-Fi); again this will isolate them from our Corp Network, both wired and Wireless, since our other APs were on the default VLAN 1, and give this network its own IP subnet and DHCP service. Using Sonicwall's Zones options I was able to have it prompt for Users' Acceptance, and I put the Zones under our Content Filters, Gateway Anti-virus and Spyware protection along with the Intrusion protection as well.

Thank you Experts for your efforts..
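
An added example, not part of the original post or the poster's configuration: a small audit of a planned switch layout of the kind the accepted solution describes (corp APs on VLAN 1 behind X1, guest APs and test-lab ports on a separate VLAN behind X2). The guest VLAN ID 20, the switch port numbers, the role names and both subnets are assumptions made up for illustration.

```python
import ipaddress

# Constructed plan: VLAN ID 20, switch port numbers and subnets are assumptions,
# not values from the thread. Only X1/X2 and VLAN 1 come from the post.
CORP_VLAN, GUEST_VLAN = 1, 20
PLAN = {
    "vlans": {
        1: {"subnet": "192.168.1.0/24", "firewall_port": "X1"},
        20: {"subnet": "192.168.20.0/24", "firewall_port": "X2"},
    },
    # switch port -> (role, VLANs the port is a member of)
    "ports": {
        1: ("uplink-x1", {1}),
        2: ("corp-ap", {1}),
        3: ("corp-ap", {1}),
        21: ("uplink-x2", {20}),
        22: ("guest-ap", {20}),
        23: ("guest-ap", {20}),
        24: ("test-lab", {20}),
    },
}
GUEST_ROLES = {"uplink-x2", "guest-ap", "test-lab"}

def audit(plan, corp=CORP_VLAN, guest=GUEST_VLAN):
    """Return a list of findings; an empty list means the plan keeps the segments apart."""
    findings = []
    vlans = plan["vlans"]
    corp_net = ipaddress.ip_network(vlans[corp]["subnet"])
    guest_net = ipaddress.ip_network(vlans[guest]["subnet"])
    if corp_net.overlaps(guest_net):
        findings.append(f"guest subnet {guest_net} overlaps corp subnet {corp_net}")
    if vlans[corp]["firewall_port"] == vlans[guest]["firewall_port"]:
        findings.append("both VLANs terminate on the same firewall interface")
    uplinks = 0
    for port, (role, members) in sorted(plan["ports"].items()):
        if corp in members and guest in members:
            findings.append(f"port {port} ({role}) is in both VLAN {corp} and VLAN {guest}")
        elif role in GUEST_ROLES and members != {guest}:
            findings.append(f"port {port} ({role}) is not confined to VLAN {guest}")
        elif role not in GUEST_ROLES and guest in members:
            findings.append(f"port {port} ({role}) is a corp port placed in VLAN {guest}")
        uplinks += role == "uplink-x2" and guest in members
    if uplinks != 1:
        findings.append(f"expected exactly one VLAN {guest} uplink to X2, found {uplinks}")
    return findings

if __name__ == "__main__":
    for line in audit(PLAN) or ["no isolation problems found"]:
        print(line)
```

The audit only covers layer-2 membership and addressing; whether the guest zone can route to the corp zone is still decided by the firewall's zone-to-zone access rules.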

Author Closing Comment

ID: 39013469
Thank you!

Question has a verified solution.
