
ScreenOS: Configure Guest External WAP Segment

‎11-23-2010 06:58 PM

Product:  ScreenOS
Version:  Tested Version 6 and up


Network Topology:
Connecting WAP to SSG port ethernet0/6
This removes ethernet0/6 from the default trust bgroup0 for isolation


Description:
Provide a Guest Wireless Access Point (WAP) on a non-wireless enabled SSG firewall.  The WAP segment is placed in a security zone, guestwifi, that has internet access only and no allowed connections to other segments.

 

The attachment is a PDF file with web UI screenshots.


Configuration:
1. Create the guestwifi security zone
set zone name guestwifi

2. Remove ethernet0/6 from bgroup0
unset interface bgroup0 port ethernet0/6


3. Assign ethernet0/6 to the guestwifi zone and give it the IP address 172.16.1.1/24
set interface ethernet0/6 zone guestwifi
set interface ethernet0/6 ip 172.16.1.1/24

4. Create a policy from guestwifi to untrust with NAT for internet access
set policy name GuestWifi from guestwifi to untrust any any any nat src permit

5. Create a DHCP server on the guestwifi zone (only if this is not provided on the external WAP)
set interface ethernet0/6 dhcp server service
set interface ethernet0/6 dhcp server auto
set interface ethernet0/6 dhcp server option gateway 172.16.1.1
set interface ethernet0/6 dhcp server option netmask 255.255.255.0
set interface ethernet0/6 dhcp server option dns1 a.b.c.d
set interface ethernet0/6 dhcp server ip 172.16.1.10 to 172.16.1.99

6. WAP Configuration:

  • Configure the external WAP with the address 172.16.1.2/24 and a default gateway of 172.16.1.1,
    or set the device to DHCP if supported
  • Configure the desired wireless security settings on the WAP

Verification:
Connect on the new wireless segment and confirm internet access.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
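
An offline check of the isolation described above (an added example, not part of the original post): it scans ScreenOS set/unset lines for a guest interface that is still a bgroup port, or a permit policy between guestwifi and any zone other than untrust. The function name, the sample config and the two mistakes in it are constructed for illustration.

```python
import shlex

# Constructed input: commands from this page plus two hypothetical mistakes
# (ethernet0/6 left in bgroup0, and a guest-to-trust permit policy).
SAMPLE_CONFIG = """\
set zone name guestwifi
set interface bgroup0 port ethernet0/6
set interface ethernet0/6 zone guestwifi
set interface ethernet0/6 ip 172.16.1.1/24
set policy name GuestWifi from guestwifi to untrust any any any nat src permit
set policy id 7 name "GuestToLan" from "guestwifi" to "Trust" "Any" "Any" "ANY" permit
"""

def audit_guest_zone(config, guest="guestwifi", allowed=("untrust",)):
    """Return findings that break the guest zone's isolation (hypothetical helper)."""
    guest_ifaces, bgroup_ports, findings = set(), {}, []
    for line in config.splitlines():
        tok = shlex.split(line)  # also strips the quotes used in saved configs
        if len(tok) < 5 or tok[0] not in ("set", "unset"):
            continue
        if tok[1] == "interface" and tok[3] == "port":
            # set|unset interface <bgroup> port <iface>
            if tok[0] == "set":
                bgroup_ports[tok[4]] = tok[2]
            else:
                bgroup_ports.pop(tok[4], None)
        elif tok[:2] == ["set", "interface"] and tok[3] == "zone":
            # set interface <iface> zone <zone>
            if tok[4].lower() == guest:
                guest_ifaces.add(tok[2])
        elif tok[:2] == ["set", "policy"] and "from" in tok:
            # set policy [id N] [name X] from <src> to <dst> <addr> <addr> <svc> ... <action>
            i = tok.index("from")
            if len(tok) < i + 5 or tok[i + 2] != "to":
                continue
            src, dst = tok[i + 1].lower(), tok[i + 3].lower()
            other = dst if src == guest else src if dst == guest else None
            if other and other not in (guest, *allowed) and "permit" in tok[i + 4:]:
                name = tok[tok.index("name") + 1] if "name" in tok[:i] else "(unnamed)"
                findings.append(f"policy {name} permits {src} -> {dst}")
    for iface in sorted(guest_ifaces):
        if iface in bgroup_ports:
            findings.append(f"{iface} is still a port of {bgroup_ports[iface]}")
    return findings

if __name__ == "__main__":
    for finding in audit_guest_zone(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

An empty result means only that no explicit permit crosses out of the guest zone in the lines supplied; it does not replace testing from a client on the guest segment.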
