BYOD with Smoothwall and Ruckus

[timbo343]

Ive been trying to get my head around the BYOD, Ruckus and smoothwall setup.

Before i had smoothwall put in i was just testing Ruckus and VLANs which i managed to get working without any problems, now the fun starts when ive added the smoothwall box in.

I have still got the following setup:

Core Switch = 4204vl
Edge switches = various managed hp switches
DHCP = Windows server

So on the main switch i have 4 VLANs where the addresses are been distributed by the windows server. On the switch i have the helper command on each VLAN.
VLAN 1 - Default VLAN (172.16.24.1 - 172.16.31.254)
VLAN 2 - Staff BYOD VLAN (192.168.12.1 - 192.168.15.254)
VLAN 3 - Students BYOD VLAN (192.168.16.1 - 192.168.20.254)
VLAN 4 - Guest VLAN (192.168.24.1 - 192.168.25.254)

I have read that to get things working securely the best thing to do is to setup the smoothwall on say Port 2 (port 1 is for the main network and port 6 is connecting to the router) to give out DHCP addresses. I would most likely be setting the smae values up on the smoothwall box. What would i need to use on the smoothwall box for the IP config of Port 2?

How would this be connected up?
At the moment my ruckus controller is connected in the network from one of the two ports on the controller. Would i need to plug the other port of the ruckus controller into port 2 of the smoothwall box or would i need to plug port 2 of the smoothwall box into the core switch and the 2nd port on the ruckus controller into the core switch and just trunk the 2 ports?

As for setting up the DHCP addresses on the smoothwall, i think i am ok with that (ive only had the box for a week)

I would be most grateful if someone could point me in the write direction.

[robk]

That sounds like my set up. You dont actually have to change any cabling. Just put the Smoothwall box as the default gateway for that vlan and away you go.

[timbo343]

Oh right, thanks, ive got the default gateway for each vlan set as 192.168.x.1 as i though that was how it was supposed to be or do i need to go into the config of the core switch and add the default gateway to each vlan there?

I forgot to add that i have created so ident by location policies and tried to set up transparent proxies with the auth pages but i suppose i need to get my test devices out to the net first before i do any of that.

[robk]

Depending on how your want the routing to work that is doable, just transparent proxy needs the traffic routing thought the smoothy.

[timbo343]

Ok, might be coming back to this thread to update on how its going. Thanks @robk

[free780]

Setting smoothly as the default gateway. Does ssl work? How do you do authentication ?

[timbo343]

@robk

Ive go the following in my core switch:

Code:

hostname "ProCurve Switch 4204vl"
snmp-server contact ""
snmp-server location "Server Room"
max-vlans 256
module 1 type J8768A
module 2 type J9033A
module 3 type J9033A
module 4 type J9033A
ip default-gateway 172.16.24.8
ip routing
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged A1-A24,B1-B24,C1-C24,D1-D24
   ip address 172.16.24.24 255.255.248.0
   ip helper-address 172.16.24.4
   ip igmp
   exit
vlan 2
   name "Staff-BYOD"
   ip address 192.168.12.1 255.255.252.0
   ip helper-address 172.16.24.4
   tagged A1,A3-A4,A9,A11,A14
   exit
vlan 3
   name "Stu-BYOD"
   ip address 192.168.16.1 255.255.248.0
   ip helper-address 172.16.24.4
   tagged A1,A3-A4,A9,A11,A14
   exit
vlan 4
   name "Guests_BYOD"
   ip address 192.168.24.1 255.255.255.0
   ip helper-address 172.16.24.4
   tagged A3-A4,A9,A11,A14
   exit
ip route 0.0.0.0 0.0.0.0 172.16.24.8
spanning-tree

On my DHCP ive got STAFF-BYOD = 192.168.12.1 - 192.168.15.254 with 192.168.12.21 as the first lease and got my router set as 172.16.24.8.

Is that right? Ive tried it and im not getting the SSL login page.

[robk]

What's the ips of the smoothwall box?

Is the smoothwall plugged in the core switch or someware else?

You will need to add the Byod vlan to the smoothwall box but its prob easier to do it with the real ips if you can post them.

[timbo343]

What's the ips of the smoothwall box?

Is the smoothwall plugged in the core switch or someware else?

You will need to add the Byod vlan to the smoothwall box but its prob easier to do it with the real ips if you can post them.

The ip of the smoothie port 1 = 172.16.24.8

Port 6 = connection to cisco router

Port 1 is plugged directly into the core switch on A1.

Ive added the ip range to the smoothie within the location settings if thats what you mean?

[robk]

Right, I think I see whats not working.

What I would do is for the staff vlan remove the ip address from the core switch, and put everything on the smoothie. You problably dont want to use the smoothie as DHCP though.

By router do you mean default gateway? If so the default gateway needs to be on the same subnet as the vlan otherwise it can't route out.

You could turn on DHCP relay in smoothwall, (which means the you can turn off the ip on the core switch) You would then enable the smoothwall DHCP service on the interface created shortly.

So rather than having

vlan 2
name "Staff-BYOD"
ip address 192.168.12.1 255.255.252.0
ip helper-address 172.16.24.4
tagged A1,A3-A4,A9,A11,A14
exit

on the core switch do a
vlan 2
no ip address
no dhcp helper-address
exit

The smoothwall box is already the default gateway for the network, so you dont need to fiddle with routing tables.

In smoothwall networking add a virtual interface on Port 1
Tagged vlan 2
ip address 172.16.24.24 subnet 255.255.248.0

And everything should be up and running.

(the core switch doesnt need to have a IP and route traffic, it can just pass the data up to smoothwall to do that.)

Thats how ours is done, though I have smoothie doing DHCP, and some weird routing rules as our smoothwall isnt the default gateway for the core switch.

Any questions feel free to shout.

[timbo343]

Cheers @robk. I shall see if i can get it going this week. Ive got problems with dns at the mo, some reason something's not happy however nothing has changed and got student email addresses to sort out.. the joys.

Many thanks and shall report back on how it goes.

[timbo343]

Ok, ive decided to get the Smoothie to dish out the DHCP addresses which is working all well and good and change the settings on the core switch with the settings you suggested.

On the smoothie i have got:

Networking > Interfaces
Ive created virtual devices on Port 1
so i have got:
Port1 - Main Domain
172.16.24.8
255.255.248.0

port1-1 - BYOD-Staff
192.168.12.1
255.255.252.0

Port1-2 - BYOD-Students
192.168.16.1
255.255.248.0

Services > DHCP Server
BYOD-Staff
Network: 192.168.12.0
Netmask: 255.255.252.0
Default Gateway: 192.168.12.1
Pri DNS: 8.8.8.8
Sec DNS: 8.8.4.4

BYOD-Students
Network: 192.168.16.0
Netmask: 255.255.248.0
Default Gateway: 192.168.16.1
Pri DNS: 8.8.8.8
Sec DNS: 8.8.4.4

Ive got the Auth page on ruckus to display and then when i authenticate fine i cannot get out.

How do i route the traffic from the 192 addresses to the net through the filtering?

[robk]

What sort of Auth is Ruckus doing? Or do you mean the SSL auth page in smoothwall?

Is transparent proxy enabled on the new ports with SSL auth with cookie selected as the auth method.

In fact have you enabled guardian on the new interfaces, theres a set of tickboxes in web filter setup which turns on the service.

I am wondering if we need zone bridging rules to enable DNS, but you should still see the auth page.

Not got a smoothie interface in front of me to confirm where the boxes are... Will see what I can spot when I can log into ours.

[Ashm]

You should be able to use the DNS Proxy service on Smoothwall for providing DNS to the BYOD clients.

Also check that you've allowed External access for the BYOD interfaces, see System » Administration » External access within the Smoothwall admin interface.

As robk says, check that you've set up transparent proxy with SSL auth in the web proxy authentication polices section for the BYOD interfaces.

[robk]

It does depend what DNS servers the smoothwall box is using, DNS proxy might give out internal IPs which some people wouldn't want. However in @timbo343's case I suspect enabling that and changing DNS to the smoothwall IP in DHCP would fix any DNS issues without zone bridging rules.