SonicWall with public access

Posted on 2013-01-29
Medium Priority
Last Modified: 2013-02-01
I have a new network to try and set up via Verizon FiOS. I have the feed coming out of the Verizon FiOS router going directly into a SonicWall TZ 180 W 25-node device. Coming out of the LAN on the back of the SonicWall I go to a 16-port switch, and each goes to a different terminal in the store and a few PCs. The PCs access the internet and the LAN network perfectly, but my question is how to get public WiFi set up as well. I purchased a Linksys Wireless-N router and a Netgear access point (in case I need to extend it). What port should I come out of the SonicWall with, and how do I set it up so it is a separate public WiFi and not able to get to the LAN network? Thanks so much
Question by:StewartGilligan

Expert Comment

ID: 38834449
If you have enough ports on the switch to spare:
configure VLANs on the switch.
-> 2 VLANs (VLAN 2 and VLAN 3); one for your environment (2) and one for public WiFi (3).
1 VLAN port from VLAN 3 on the switch then goes into a third interface on the SonicWall, which you will need to configure as a new zone, able to access the internet (you will need to set up new rules for this zone as well).

If you do not have switch ports to spare:
buy a new switch (a 5- or 8-port switch would suffice for that).
Do NOT connect it to the existing switch.
Connect it to a third interface on the SonicWall and configure it as a new zone (see above).


Author Comment

ID: 38838340
Now I'm confused. I'm sure I worded it wrong and I need a real layman's explanation :( I enclosed a picture of my Verizon FiOS box and the switches etc. set up now. I'm trying to get public WiFi separate from the LAN.
Thanks :-(

PS: attached is a picture of my bee's nest :-(

Expert Comment

ID: 38838612
OK, as I take it the Verizon is your gateway.

There are still free LAN ports on it.

Is the SonicWall connected to the Verizon via the SonicWall's WAN interface or on the LAN interface?
I suspect it is the WAN interface?

If yes:
is the WAN zone on the SonicWall configured to let all inbound traffic through?

If no, the easy way is this:
buy another small switch (whatever you need to connect all your WiFi devices);
connect it to one of the free LAN ports on the Verizon;
configure the WiFi devices;
connect all WiFi devices to the switch.

Drawback: you need to be connected to that switch yourself in order to configure the WiFi properly, or you configure it before you connect them to the new switch.

Set this up like I said and you'll have a WiFi network perfectly separated from your own (but only if the SonicWall's WAN interface is the one connected to the Verizon and it also denies inbound traffic).

Author Comment

ID: 38842030
Thank you wshty, I'll try :(

Author Comment

ID: 38842398
OK, before I tried anything, a friend had me log on to the SonicWall and use the WLAN wireless wizard. I just "OK'd" through everything and now I can connect wirelessly??!! Is this WiFi section of the SonicWall TZ180 secured from the LAN section?? Can I run an access point off the SonicWall to enhance the range? As you can see I am very green in this area and any enlightenment is so appreciated :-) Thanks

Accepted Solution

wshty earned 2000 total points
ID: 38843052
Hi Stewart,

sorry, it is always difficult to remotely analyze another's situation, but I'll try.

OK, first: yes, the SonicWall TZ180 "W" (W is for wireless) has its own Wireless LAN integrated.
If you ran the wizard, then the SonicWall automatically adds a new zone.
The Wireless LAN runs in a different subnet/IP range (different from the LAN range).
Yes, you also can run all other access points from this zone.

If you go into your SonicWall -> Firewall -> Access Rule,
click on the "matrix" view.

It should look like this:
[screenshot: SonicWall Access rules]
On the left you see "from"
and on the top you can see "to".

In your case you should have the zones "LAN", "WAN", "VPN", "WLAN" and maybe "SSLVPN".

This matrix includes all firewall rules which are configured on the SonicWall, but separated by the direction of the traffic and its zone.
If from your wired computer you want to browse a website on the internet and you cannot right now, then you need to create a new access rule.
For this you need to know where the traffic flows to.
In this example the traffic would flow from "LAN" to "WAN"; search for that button in the matrix and click on it.
In your case there would already be an HTTP or HTTPS rule present, because you can already browse the web.
There could be an "any" rule though, which means that every kind of OUTGOING traffic is let through.

Please note:
generally, traffic from "WAN" to "LAN" should be denied.
I.e.: you do not need to create an additional rule for HTTP or HTTPS thinking that if the website traffic is allowed out there must come something back also (downloads, cache, etc.)
-> the firewall can handle this kind of traffic.
Only traffic _initiated_ by something from the internet is not let through (which is as it should be, unless you have webmail or websites on your intranet (but this is a story for another time .. ;-) )).

But let's get back to running all access points from the SonicWall:
in order to make sure that absolutely NO traffic flows from LAN to WLAN or the other way around, you need to create two access rules.
1. deny access for any port/service from WLAN subnets to LAN subnets
2. deny access for any port/service from LAN subnets to WLAN subnets

The rules may have been created automatically while running the wizard.

Running other access points via this zone:

First: configure the access points
(give them static IP addresses in the same subnet as the WLAN zone, but NOT within its DHCP range;
also disable DHCP;
configure the same SSID as you have configured on the SonicWall;
give each access point's WLAN a different channel (for 3 access points I would suggest 1 AP with channel 1, 1 AP with channel 6, and 1 AP with channel 12; this is best, due to overlapping frequencies in the channels)).

Once you have configured your APs, you need to configure the SonicWall interface:
go to Network -> Interfaces and configure an unused interface;
change it to the WLAN zone and give it a static IP address/subnet;
leave the rest at default.

You can do this with another interface for the second AP, or connect a switch to this one interface and connect both APs to the switch, your choice.

Finished (I hope..) :-)

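The zone matrix and the two deny rules in the accepted answer can be checked on paper before touching the device. The following Python model is an added example, not wshty's code and not anything exported from a SonicWall: the zone names and the intent of the rules are taken from the answer, while the specific rule entries, the WLAN subnet and the DHCP range are constructed placeholders. It evaluates a new connection zone to zone the way the matrix does (first match wins, no match means deny), shows why reply packets of an allowed outbound connection need no WAN->LAN rule, checks that LAN and WLAN cannot reach each other in either direction, and validates that an access point's static address sits inside the WLAN subnet but outside its DHCP range.

```python
"""Zone access-rule matrix model (added example; rule entries are constructed)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Zones named in the answer.
ZONES = ["LAN", "WAN", "VPN", "WLAN", "SSLVPN"]


@dataclass(frozen=True)
class Rule:
    service: str  # e.g. "HTTP", or "any" for every port/service
    action: str   # "allow" or "deny"


# Matrix keyed by (from_zone, to_zone). Rules are evaluated in order, first
# match wins. Constructed to mirror the advice: outbound web allowed from both
# zones, nothing from WAN inbound, and LAN <-> WLAN denied in both directions.
MATRIX: Dict[Tuple[str, str], List[Rule]] = {
    ("LAN", "WAN"): [Rule("any", "allow")],                     # the "any" outbound rule
    ("WLAN", "WAN"): [Rule("HTTP", "allow"), Rule("HTTPS", "allow"), Rule("DNS", "allow")],
    ("WLAN", "LAN"): [Rule("any", "deny")],                     # rule 1 from the answer
    ("LAN", "WLAN"): [Rule("any", "deny")],                     # rule 2 from the answer
}


def evaluate(src: str, dst: str, service: str, matrix=MATRIX) -> str:
    """Verdict for a NEW connection src -> dst carrying `service`.
    A zone pair with no matching rule falls through to an implicit deny,
    which is the WAN -> LAN behaviour the answer describes."""
    for rule in matrix.get((src, dst), []):
        if rule.service in ("any", service):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Why no WAN->LAN rule is needed for downloads: once an outbound
    connection is allowed, replies for that session are matched against the
    session table, not against the access rules."""

    def __init__(self, matrix=MATRIX):
        self.matrix = matrix
        self.sessions: Set[str] = set()

    def new_connection(self, src: str, dst: str, service: str, flow_id: str) -> str:
        verdict = evaluate(src, dst, service, self.matrix)
        if verdict == "allow":
            self.sessions.add(flow_id)
        return verdict

    def reply_packet(self, flow_id: str) -> str:
        # Reply to a known session passes; anything the internet initiates does not.
        return "allow" if flow_id in self.sessions else "deny"


def isolation_violations(matrix=MATRIX) -> List[Tuple[str, str, str]]:
    """Every (src, dst, service) between LAN and WLAN that the matrix would
    allow. An empty list means the two zones are isolated both ways."""
    probes = ["HTTP", "HTTPS", "DNS", "SMB", "RDP", "ICMP"]  # constructed probe set
    found = []
    for src, dst in (("LAN", "WLAN"), ("WLAN", "LAN")):
        for svc in probes:
            if evaluate(src, dst, svc, matrix) == "allow":
                found.append((src, dst, svc))
    return found


def ap_address_ok(ap_ip: str, wlan_subnet: str, dhcp_start: str, dhcp_end: str) -> bool:
    """True if a static AP address is inside the WLAN subnet, is not the
    network or broadcast address, and lies outside the DHCP pool."""
    ip = ipaddress.ip_address(ap_ip)
    net = ipaddress.ip_network(wlan_subnet, strict=False)
    lo, hi = ipaddress.ip_address(dhcp_start), ipaddress.ip_address(dhcp_end)
    if ip not in net or ip in (net.network_address, net.broadcast_address):
        return False
    return not (lo <= ip <= hi)


if __name__ == "__main__":
    for src in ZONES:
        row = " ".join(f"{evaluate(src, dst, 'HTTP'):>5}" for dst in ZONES)
        print(f"{src:>6} -> {row}")
    print("LAN/WLAN isolation violations:", isolation_violations())
    # Constructed WLAN subnet and DHCP pool for the AP address check.
    print("AP .5 ok:", ap_address_ok("172.16.31.5", "172.16.31.0/24", "172.16.31.100", "172.16.31.200"))
```

Usage: run the file to print an HTTP verdict matrix for every zone pair, or call `isolation_violations()` against an edited copy of `MATRIX` after changing a rule; any tuple it returns is a path between the wired LAN and the public WiFi that the two deny rules were meant to close.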

Author Comment

ID: 38843777
wshty, you are sooooo soooo helpful & patient! If I can't figure it out from all your excellent advice then I don't deserve to have public WiFi!! Thank you again..

Author Closing Comment

ID: 38843782
Great great help and very patient with someone green like me :-)
