Controllerless Networks

Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

IAP225 controllerless with two SSID's and two VLANS

  • 1.  IAP225 controllerless with two SSID's and two VLANS

    Posted Sep 22, 2014 12:34 PM
    Hi, so we are looking to deploy some IAP225s in controllerless mode with multiple SSIDs.

    We currently have an internal network 10.201.6.x that is on VLAN 1 of our internal network and have now configured VLAN 2 with the address space of 10.201.5.x, which would be our employee personal access network.

    The 10.201.6.x network provides DHCP to internal clients, while the 10.201.5.x is just a gateway to our DMZ, so DHCP is being provided by the IAP with an address space of 192.168.2.x.

    Clients can connect to both SSIDs and get addresses in the respective DHCP scope, and the clients that connect to the 10.201.6.x network get full connectivity to our company network - this is as desired.

    The issue is that when a client connects to the 192.168.2.x network it gets an address, but it looks like traffic ends up back on our internal 10.201.6.x, which is not desirable.

    I have changed the "default_wired_port_profile" to be on both VLANs in trunk mode and brought the profile up, as it was marked as down, but it looks like there is more that we need to do.

    What I would like is for the AP to behave like this:

    SSID: Company -> 10.201.6.x with DHCP coming from company network providing full access to corporate network

    SSID: Personal -> 192.168.2.x with DHCP from access point providing access to internet with gateway address 10.201.5.1 off corporate firewall.

    Both networks traverse a VLAN trunk - currently with VLAN 1 & 2, and VLAN 1 is the native VLAN.

    I am attaching our AP config for reference.

    Thanks in advance for the help

    Jack


    Attachment: IAP225.txt (3 KB)


  • 2.  RE: IAP225 controllerless with two SSID's and two VLANS

    Posted Sep 22, 2014 05:04 PM

    Hi, 

    In your config, the IAP acts as the default GW for VLAN2 and simply provides SNAT for every user in this VLAN. You have two options:

    1. Disable DHCP for VLAN2 at IAP and create it somewhere in your net - then your corporate firewall would filter all the traffic

    2. Create firewall policy that disallows any traffic from VLAN2 to your corporate net

    HTH

    Marek 



  • 3.  RE: IAP225 controllerless with two SSID's and two VLANS

    Posted Sep 22, 2014 07:32 PM
    So there is no way to configure each ssid/vlan as separate address spaces on two networks?

    That seems odd if I can trunk the vlans over


  • 4.  RE: IAP225 controllerless with two SSID's and two VLANS
    Best Answer

    Posted Sep 23, 2014 01:30 PM

    Absolutely you can do that. Connect IAP to trunk with external DHCP/router/firewall or use firewall policies in IAP to separate traffic.
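
The "firewall policy" option from replies 2 and 4 only isolates the Personal SSID if the deny for the corporate range is evaluated before any broader permit. The following is an added example, not part of the thread and not Aruba configuration syntax: it audits an ordered rule list under an assumed first-match, implicit-deny model, with 10.201.6.x taken as a /24 and the rule tuples being a hypothetical representation.

```python
"""Audit an ordered, first-match rule list for the Personal SSID (constructed example)."""
from ipaddress import ip_address, ip_network

CORPORATE = ip_network("10.201.6.0/24")  # "10.201.6.x" from the thread, /24 assumed

# Hypothetical rule model: (action, destination network), evaluated top to bottom.
GOOD_RULES = [
    ("deny", ip_network("10.201.6.0/24")),
    ("permit", ip_network("0.0.0.0/0")),
]
BAD_RULES = list(reversed(GOOD_RULES))  # permit-any first shadows the deny


def decide(rules, dst):
    """Return the action of the first rule whose destination contains dst."""
    for action, net in rules:
        if ip_address(dst) in net:
            return action
    return "deny"  # assumed implicit deny when nothing matches


def exposed_ranges(rules, protected):
    """Return the parts of `protected` that the rule list still permits."""
    remaining = [protected]  # address space not yet claimed by an earlier rule
    exposed = []
    for action, net in rules:
        next_remaining = []
        for block in remaining:
            if not block.overlaps(net):
                next_remaining.append(block)      # rule does not touch this block
            elif block.subnet_of(net):
                if action == "permit":
                    exposed.append(block)         # whole block matched by a permit
            else:                                 # net is a strict subnet of block
                if action == "permit":
                    exposed.append(net)
                next_remaining.extend(block.address_exclude(net))
        remaining = next_remaining
    return exposed


if __name__ == "__main__":
    for name, rules in (("deny-first", GOOD_RULES), ("permit-first", BAD_RULES)):
        print(name, "exposes:", [str(n) for n in exposed_ranges(rules, CORPORATE)])
```

An empty result from `exposed_ranges` means no address in the corporate range is reachable from the Personal SSID under the modeled rules; any returned network is a gap to close before relying on the policy.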