Product: ScreenOS
Version: Tested Version 6 and up
Network Topology: Connecting WAP to SSG port ethernet0/6. This removes ethernet0/6 from the default trust bgroup0 for isolation.
Description: Provide a Guest Wireless Access Point (WAP) on a non-wireless enabled SSG firewall. Configured with a security zone guestwifi that has internet access only and no allowed connections to other segments.
Attachment is a PDF file with web UI screenshots.
Configuration:
1. Create the guestwifi security zone
   set zone name guestwifi
2. Remove ethernet0/6 from bgroup0
   unset interface bgroup0 port ethernet0/6
3. Assign ethernet0/6 to the guestwifi zone and give it IP address 172.16.1.1/24
   set interface ethernet0/6 zone guestwifi
   set interface ethernet0/6 ip 172.16.1.1/24
4. Create a policy from guestwifi to untrust with NAT for internet access
   set policy name GuestWifi from guestwifi to untrust any any any nat src permit
5. Create a DHCP server on the guestwifi zone (only if this is not provided on the external WAP)
   set interface ethernet0/6 dhcp server service
   set interface ethernet0/6 dhcp server auto
   set interface ethernet0/6 dhcp server option gateway 172.16.1.1
   set interface ethernet0/6 dhcp server option netmask 255.255.255.0
   set interface ethernet0/6 dhcp server option dns1 a.b.c.d
   set interface ethernet0/6 dhcp server ip 172.16.1.10 to 172.16.1.99
Configure the external WAP with the address 172.16.1.2/24 and a default gateway of 172.16.1.1, or set the device to DHCP if supported.
Configure the desired wireless security settings on the WAP.
Verification: Connect on the new wireless segment and confirm internet access.
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
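An offline check of the isolation goal stated in the Description, added here as an example and not part of the original post: it parses ScreenOS policy lines from configuration text and reports any permit from guestwifi to a zone other than untrust, a missing nat src, or a port that is not bound to the guest zone. The function names, the sample text and the "Printer" rule are constructed for illustration.

```python
import shlex

# Constructed sample: steps 1-4 above plus a hypothetical "Printer" rule that breaks isolation.
SAMPLE_CONFIG = """\
set zone name guestwifi
unset interface bgroup0 port ethernet0/6
set interface ethernet0/6 zone guestwifi
set interface ethernet0/6 ip 172.16.1.1/24
set policy name GuestWifi from guestwifi to untrust any any any nat src permit
set policy name Printer from guestwifi to trust any any any permit
"""

def tokens(config):
    # shlex strips the quotes that saved configs put around names
    return [shlex.split(line) for line in config.splitlines() if line.strip()]

def parse_policies(config):
    """Yield a dict per 'set policy ... from Z1 to Z2 src dst svc [nat src] action' line."""
    for tok in tokens(config):
        if tok[:2] != ["set", "policy"] or "from" not in tok:
            continue
        f = tok.index("from")
        if len(tok) < f + 8 or tok[f + 2] != "to":
            continue
        rest = tok[f + 7:]  # everything after source, destination and service
        name = tok[tok.index("name") + 1] if "name" in tok[:f] else "(unnamed)"
        yield {"name": name, "from": tok[f + 1].lower(), "to": tok[f + 3].lower(),
               "nat_src": rest[:2] == ["nat", "src"], "permit": "permit" in rest}

def audit(config, guest="guestwifi", internet="untrust", port="ethernet0/6"):
    """Return findings where the config departs from 'internet access only'."""
    lines = [[w.lower() for w in tok] for tok in tokens(config)]
    findings = []
    if ["set", "interface", port, "zone", guest] not in lines:
        findings.append(f"{port} is not bound to zone {guest}")
    if ["set", "interface", "bgroup0", "port", port] in lines:
        findings.append(f"{port} is still a member of bgroup0")
    for p in parse_policies(config):
        if not p["permit"]:
            continue
        from_guest, dst = p["from"] == guest, p["to"]
        if from_guest and dst not in (internet, guest):
            findings.append(f"policy {p['name']} permits {guest} -> {dst}")
        elif from_guest and dst == internet and not p["nat_src"]:
            findings.append(f"policy {p['name']} permits {guest} -> {internet} without nat src")
        elif not from_guest and dst == guest:
            findings.append(f"policy {p['name']} permits {p['from']} -> {guest}")
    return findings
```

Call audit() on the text of a configuration; an empty list means none of these conditions were found.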