My guest WiFi solution

Posted: 28th November 2012 by Seth Killey in WiFi

I recently needed to come up with a cost-effective, open guest WiFi solution. My requirements were that the guest WiFi be completely isolated from the corporate network and that its web traffic be filtered through our proxy server according to corporate web usage policies. Using our existing layer 2 Dell switches, our Smoothwall UTM 1000 router, and a new D-Link DAP-2310 access point, I was able to do all of the above.

The DAP-2310 lets you configure multiple SSIDs and assign a VLAN to each one, so I could keep the primary SSID for our corporate WiFi and put the guest WiFi SSID on a different VLAN. Essentially you get something like this for VLAN settings, where S-1 is the virtual port for my secondary guest SSID.

Next, tag all relevant upstream layer 2 switch ports with the guest VLAN ID. The connection between the LAN port on the DAP-2310 and the LAN port on the layer 2 switch is tagged, as is the uplink port to the next upstream switch. Finally, I ran a new LAN cable from an extra available NIC on my Smoothwall UTM to a guest VLAN tagged port on my core switch. On Smoothwall you’ll need to configure the new NIC with the guest VLAN tag and assign an IP. One thing that threw me off: even though the physical NIC is displayed and would seemingly need no configuration beyond the VLAN settings, you do in fact need to assign an IP address to both the physical NIC and the newly created VLAN NIC. Furthermore, you must designate the interface as “internal”.

That, in a nutshell, is the basis for my guest WiFi network. For further fine-tuning, I used my Smoothwall as the DHCP server for my guest WiFi, assigning public DNS servers and internal IP addresses from a range. You could also do this at the DAP-2310 level, but I figured it would be easier to do it on my router so that when I add additional access points it will be centrally managed. For my proxy, I configured all traffic on the guest VLAN to go through the Smoothwall proxy transparently, so regardless of client browser settings all sessions must go through the proxy.
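One way to confirm the isolation and DHCP settings described above from a device joined to the guest SSID, as an added example that is not part of the original post. The guest range, corporate hosts and ports are constructed placeholder values; substitute your own addressing plan.

```python
import ipaddress
import socket
import sys

# Constructed sample values (assumptions, not from the post).
GUEST_NET = ipaddress.ip_network("192.168.50.0/24")   # range served by guest DHCP
CORP_TARGETS = [("10.0.0.10", 445), ("10.0.0.20", 3389), ("10.0.0.1", 443)]


def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_guest_client(client_ip, dns_servers, targets=CORP_TARGETS, probe=tcp_open):
    """Check a guest client's lease and reachability; empty list means pass."""
    findings = []
    # The lease must come from the guest range, not a corporate scope.
    if ipaddress.ip_address(client_ip) not in GUEST_NET:
        findings.append(f"lease {client_ip} is outside guest range {GUEST_NET}")
    # Guests should receive public resolvers only; an internal resolver
    # would expose corporate names to the guest VLAN.
    for dns in dns_servers:
        if ipaddress.ip_address(dns).is_private:
            findings.append(f"private DNS server {dns} handed to guest client")
    # No corporate service should accept a connection from the guest VLAN.
    for host, port in targets:
        if probe(host, port):
            findings.append(f"corporate host {host}:{port} reachable from guest VLAN")
    return findings


if __name__ == "__main__":
    # Usage: python guest_audit.py <client-ip> <dns1> [<dns2> ...]
    if len(sys.argv) < 3:
        sys.exit("usage: guest_audit.py <client-ip> <dns1> [<dns2> ...]")
    problems = audit_guest_client(sys.argv[1], sys.argv[2:])
    for line in problems:
        print("FAIL:", line)
    sys.exit(1 if problems else 0)
```

Run it again after adding each new access point or changing switch tagging, since one untagged or mis-tagged port can bridge the guest VLAN into the corporate LAN.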