Configuration Library

ScreenOS: Configure Guest External WAP Segment

11-23-2010 06:58 PM

Product:  ScreenOS
Version:  Tested Version 6 and up

Network Topology:
Connecting WAP to SSG port ethernet0/6
This removes ethernet0/6 from the default trust bgroup0 for isolation

Provides a guest wireless access point (WAP) on an SSG firewall that has no built-in wireless. The WAP sits in a security zone, guestwifi, that has internet access only and no allowed connections to other segments.


The attachment is a PDF file with web UI screenshots.

1. Create the guestwifi security zone
set zone name guestwifi

2. Remove ethernet0/6 from bgroup0
unset interface bgroup0 port ethernet0/6

3. Assign ethernet0/6 to the guestwifi zone and give it an IP address
set interface ethernet0/6 zone guestwifi
set interface ethernet0/6 ip

4. Create a policy from guestwifi to untrust with NAT for internet access
set policy name GuestWifi from guestwifi to untrust any any any nat src permit

5. Create a DHCP server on the guestwifi zone (only if this is not provided on the external WAP)
set interface ethernet0/6 dhcp server service
set interface ethernet0/6 dhcp server auto
set interface ethernet0/6 dhcp server option gateway
set interface ethernet0/6 dhcp server option netmask
set interface ethernet0/6 dhcp server option dns1 a.b.c.d
set interface ethernet0/6 dhcp server ip to

6. WAP Configuration:

  • Configure external WAP with address and a default gateway of
    or set the device to dhcp if supported
  • Configure the desired wireless security settings on the WAP

Connect to the new wireless segment and confirm internet access.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
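
An added example, not part of the original post: a Python check that reads a saved `get config` dump and reports anything that breaks the isolation the steps above set up (ethernet0/6 still in a bgroup, ethernet0/6 in the wrong zone, or a permit policy from guestwifi to any zone other than untrust). It assumes policy lines in the form shown in step 4 or the quoted `id N` form; the Trust and DMZ zone names and both sample configs are constructed, and global policies are not inspected.

```python
import shlex

GUEST_ZONE, GUEST_PORT, INTERNET_ZONE = "guestwifi", "ethernet0/6", "untrust"

def audit_guest_segment(config_text):
    """Return a list of findings; an empty list means the isolation holds."""
    findings, port_zone, internet_ok = [], None, False
    for raw in config_text.splitlines():
        try:
            tok = [t.lower() for t in shlex.split(raw)]  # strips quoted names
        except ValueError:
            continue  # unbalanced quote: not a line this audit reads
        if tok[:2] == ["set", "interface"] and len(tok) >= 5:
            if tok[3] == "port" and tok[4] == GUEST_PORT:
                findings.append(f"{GUEST_PORT} is still bridged into {tok[2]}")
            elif tok[2] == GUEST_PORT and tok[3] == "zone":
                port_zone = tok[4]
        elif tok[:2] == ["set", "policy"] and "from" in tok:
            i = tok.index("from")
            if len(tok) < i + 4 or tok[i + 2] != "to":
                continue
            src, dst = tok[i + 1], tok[i + 3]
            if src != GUEST_ZONE or "permit" not in tok[i + 4:]:
                continue  # other source zone, or a deny/reject policy
            if dst == INTERNET_ZONE:
                internet_ok = True
            elif dst != GUEST_ZONE:
                findings.append(f"permit policy from {src} to {dst}: {raw.strip()}")
    if port_zone != GUEST_ZONE:
        findings.append(f"{GUEST_PORT} is in zone {port_zone}, expected {GUEST_ZONE}")
    if not internet_ok:
        findings.append(f"no permit policy from {GUEST_ZONE} to {INTERNET_ZONE}")
    return findings

# Constructed sample configs (not from a real device).
GOOD = '''
set zone name guestwifi
set interface "ethernet0/6" zone "guestwifi"
set policy id 7 name "GuestWifi" from "guestwifi" to "Untrust" "Any" "Any" "ANY" nat src permit
'''
BAD = GOOD + '''
set interface bgroup0 port ethernet0/6
set policy id 8 from "guestwifi" to "Trust" "Any" "Any" "ANY" permit
set policy id 9 from "guestwifi" to "DMZ" "Any" "Any" "ANY" deny
'''

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_guest_segment(cfg) or "isolated")
```

Run it against the config after any later policy change; a permit rule added from guestwifi to an internal zone shows up as a finding.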