sonic wall with public access

i have a new network to try and setup via verizon fios.  i have the feed coming out of the verizon fios router going directly into a sonicwall TZ 180 W 25 NODE device.  coming out of the lan on the back of the sonic wall i go to a 16 port switch and each switch to a different terminal in the store and a few pc's.  the pcs access the internet and the lan network perfectly but my question is how to get public wifi setup as well.  i purchased a linksys wireless n router and a netgear accesspoint (in case i need to extend it).   what port should i come out of the sonic wall with, and how do i set it up so it is a separate publice wifi and not able to get to the lan network?  thanks so much
Who is Participating?

Improve company productivity with a Business Account.Sign Up

wshtyConnect With a Mentor Commented:
hi stewart,

sorry, it is always difficult to remotely analyze anothers' situation, but i'll try.

ok, first: yes the sonicwall tz180 "W" (W is for wireless) has its own Wireless Lan integrated.
if you ran the wizard, then sonicwall automatically adds a new zone.
the Wireless Lan runs in a different subnet/iprange (different from the LAN range)
yes, you also can run all other accesspoints from this zone.

If you go into your sonicwall -> Firewall -> Access Rule
Klick on the "matrix" view.

it should look like this:
Sonicwall Access rules
on the left you see "from"
and on the top you can see "to"

in your case you should have the zones "LAN", "WAN", "VPN", "WLAN" and maybe "SSLVPN"

this matrix includes all firewall rules which are configured on the sonicwall, but separated by the direction of the traffic and its zone.
from your wired computer you want to browse a website on the internet and you cannot right now, then you need to create a new access rule.
for this you need to know where the traffic flows to.
in this example the traffic would flow from "LAN" to "WAN" search for the button in the matrix and click on it.
in your case there would already be an HTTP or HTTPS rule present because you can already browse the web.
there could be an "any" rule though - which means that every kind of OUTGOING traffic is let through.

please note:
generally, traffic from "WAN" to "LAN" should be denied.
i.e.: you do not need to create an additional rule for http or https thinking that if the website traffic is allowed out there must come something back also (downloads, cache, etc)
-> the firewall can handle this kind of traffic
only traffic  _initiated_  by something from the internet is not let through (which is as it should be, unless you have webmail, or websites on your intranet (but this is a story for another time .. ;-)  )

but let's get back to running all accesspoints from the sonicwall:
in order to make sure that absolutely NO traffic flows from LAn to WLAN or the other way around you need to create two access rules.
1. deny access for any port/service from wlan subnets to lan subnets
2. deny access for any port/service from lan subnets to wlan subnets

the rules may have been created automatically while running the wizard.

running other accesspoints via this zone:

first: configure the accesspoints
(give them static ip addresses in the same subnet as the WLAN zone is, but NOT within the DHCP range of it;
also disable DHCP;
configure the same SSID as you have configured on the sonicwall;
give the accesspoints' WLAN a different channel (for 3 accesspoints i would suggest 1 AP with channel1, 1 AP wioth channel 6, and 1 AP with channel 12; this is best, due to overlapping frequenzy in the channels))

if you configured your APs them you need to configure the sonicwall interface
go to network -> interfaces and configure an unused interface
change it to WLAN zone and give it a static ip address /subnet.
leave the rest to default.

you can do this with another interface for the second AP, or connect a switch to this one interface and connect both aps to the switch, your choice.

finished (i hope..) :-)

if you have enough ports on the switch to spare:
configure vlan on the switch.
-> 2 vlans (VLAN 2 and VLAN 3); one for your environment(2) and one for public wifi(3).
1 vlan port from the VLAN 3 on the switch then goes into a third interface on the sonicwall, which you will need to configure as a new zone, able to access the internet (you wil need to set up new rules for this zone as well)

if you do not have switch ports to spare:
buy a new switch(a 5 or 8-port switch would suffice for that)
do NOT connect it to the existing switch.
connect it to a third interface on the sonicwall and configure it as new zone (see above)

StewartGilliganAuthor Commented:
now im confused.  im sure i worded it wrong and i need real layman's explanation :(  i enclosed a picture of my verizon fios box and the switches etc set up now.  im trying to get public wifi separate from the lan.
 thanks :-(

ps  attached is a picture of my bee's nest :-(
NEW Internet Security Report Now Available!

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out this quarters report on the threats that shook the industry in Q4 2017.

ok, as i take it the verizon is your gateway.

there are still free lan ports on it.

is the sonicwall connected to the verizon via the sonicwall's WAN interface or on the LAN interface?
i suspect it is the WAN interface?

if yes:
is the WAN zone on the sonicwall configured to let all inbound traffic through?

if no the easy way is this:
buy another small switch (whatever you need to connect all your wifi devices)
connect it to one of the free LAN ports on the verizon
configure wifi devices
connect all wifi devices to the switch

drawback: you need yourself to be connected to that switch in order to configure the wifi properly, or you configure it before you connect them to the new switch.

set this up like i said and you'll have a perfectly separated wifi-network from your own (but only if the sonicwall's WAN interface is the one connected to the verizon and also denies inbound traffic)

StewartGilliganAuthor Commented:
thank you wshty, ill try :(
StewartGilliganAuthor Commented:
ok before i tried anything, a friend had me log on the sonicwall and use thw wlan wireless wizard. i just "ok'd" through everything and now i can connect wireless??!!  is this wifi section of the sonicwall tz180 secured from the lan section??  can i run an access point off the sonic wall to enhance the range.  as you can see i am very green in this area and any enlightenment is so appreciated :-)  thanks
StewartGilliganAuthor Commented:
wshty, you are sooooo soooo helpful & patient!   if i cant figure it from all your excellent advice then i dont deserve to have public wifi!!  thank you again..
StewartGilliganAuthor Commented:
great great help and very patient with someone green like me :-)
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.