Guest VLANS + Guest Wifi - Different IP Range, Out to Filtered Internet
In my head I know what I want.... putting it all together I'm not 100% sure on! I will try and explain as best as I can, and hopefully somebody will guide me in the correct direction.
I would like to set up:-
Guest WiFi Access for Students to connect their own devices
Guest Users to be on a totally different IP Range to what the school network runs on, for added security
Students to be able to authenticate to the WiFi using their Active Directory user names and passwords
Gain access to the Internet via the Proxy Server, which would sit on the school's IP Range
Have the one DHCP server, but with two scopes, 1 for 172.16.x.x (School Network) and 1 for 192.168.x.x (Guest Wifi)
It sounds so simple, is all the above possible?
We have a Smoothwall Proxy Server running G3, Ruckus Wireless, D-Link Smart Switches (DGS-1216T, DGS-1224T, DGS-1248T) - Windows Server 2003 / Active Directory
I have set up a test switch, and have created on it a VLAN for Guests, I have also created a Guest WiFi SSID, and put a tag on it for the Guest VLAN, I have set up a temp DHCP server to fire out IP Addresses on a different range, and that seems to be working... School WiFi I get a 172.16.x.x address, Guest WiFi I get a 192.168.x.x address
I obviously need to do something to the uplinks on each switch port for this to work across all switches (I only have it running on 1 test switch at the mo)... I will also need to do something I'm guessing on the port of the switch where the Ruckus ZoneDirector sits?
Would I need to install another Network Card in the DHCP server with an IP Address for the 192.168.x.x? Would I also need another network card in the Smoothwall Server for the 192.168.x.x?
How would the Wireless Guests/Students authenticate to the Active Directory if that's on the 172.16 and they will be on the 192.168.x.x?
Any hints/tips/guides would be gratefully received... I have looked across many forum postings and websites, and whilst some things have been useful a lot has been no help in the particular setup
We have Smoothwall G3 + Ruckus here and guest wifi is working great.
Basically the way we have done it is we have a guest wifi WLAN on our Ruckus wireless which tags traffic on that WLAN to the isolated guest VLAN we have set up on the switches. We then have the guest VLAN set up as another interface on our Smoothwall box. The Smoothwall box is set to dish out DHCP on the guest VLAN and has SSL Login page proxy authentication set.
And that's pretty much all there is to it so when students connect their own devices to the guest VLAN they get an IP from the Smoothwall box and then when they open their internet browser and try to access a website they get the SSL Login page, they then type their AD credentials and then they get filtered as they normally would.
The nice thing with Smoothwall handling DHCP & DNS is the guest traffic doesn't touch your main Windows network.
We currently have the guest network as an open network so no we don't "see" the guests as such. We can see their IP & MAC address on the ZoneDirector web interface but to see who's logged into the proxy we have to check the SW box. But obviously we can link the device and user by looking at logs if necessary.
You could set up RADIUS/AD authentication on the ZoneDirector for the Guest network so the students would need to enter their AD Credentials before they can join the guest WLAN and this would let you see who's logged on via Ruckus. But then they would have to enter their AD login for Smoothwall as well unless you did a general SW filtering policy for all users on the guest WLAN.
You can find DHCP in Smoothwall under the Services menu and then just enable it for the guest VLAN interface.
Last edited by Ashm; 1st February 2012 at 08:50 AM.
Our Smoothwall doesn't have the DHCP option under services, I think that is only available on the Smoothguardian + Firewall setup?? We have just got the Smoothwall Network Guardian, Guardian Web Security.
I'll see how much a bolt for it would be, otherwise I'll just set up an old box to act as a DHCP Server for that VLAN.
I've had a play around today... got pretty close to it working but not all the way... I used the DHCP coming off the ADSL router, on the VLAN for the Guests, and had the Network cable from the Smoothwall Box on the same 192. interface going into that VLAN, I could connect to the guest network, it would redirect me to the Ruckus pages, tell me it's redirecting, then let me straight out onto the internet with no Filter... it couldn't go via the Smoothwall.
I've set up Transparent Proxy filter...
I think I need to maybe switch off DHCP on the ADSL router, pop a DHCP/DNS server in between and point the default gateway to the Smoothwall Box on the 192.x interface, so that it will then redirect me to the Smoothwall SSL login page for the users to authenticate with AD... do you think I'm on the right lines?
Or... get the Firewall modules installed on the Smoothwall box!!
This is all in a demo/trial mode setup at the mo before we decide which route we go down.
Thanks... I'll try the setup tomorrow (on the same as ADSL for now just for testing). Would I be right in thinking that if I kept it away from the ADSL address range then I would need to install another NIC into the Smoothwall server? So I'll have 3 in my setup -
1 for 172.x.x.x (School Network)
1 for 192.168.1.x (To get on the ADSL)
And a third for a different IP Range for the guests?
Thanks for your replies and tips! I feel I'm "almost" there with what I want to achieve!
Right, I've got things pretty much working... in this test setup, but I want to restrict access to the network with some ACLs
At the mo, I have got set up on my Ruckus Guest Network, the option - Full (Wireless clients will be unable to communicate with each other or access any of the restricted subnets.)
I understand that I need to configure the ACLs under the Restricted Subnet Access in the Guest Access Menu - currently I have nothing set in here other than the default DENY rule for the controller on the 172 Address (Deny 172.16.244.40/22)
My VLAN for the Guest network is on the 192.168.1.0 Network - with no settings in place, I am able to get a DHCP address/DNS and access to the Internet, I am also able to PING all the machines connected to the 192 network which I don't want to be able to!!
I've tried putting a deny rule on 192.168.1.0/24 and this then stops me being able to authenticate with the Smoothwall server - But it still allows me to get an IP Address from the DHCP server (and that's without putting in a rule to allow DHCP)
The Smoothwall is on 192.168.1.90, the DHCP server is 192.168.1.90
I've checked the Ruckus guide for the information on the ACLs on Guest Access and it's rather basic!
So my clients can get DNS and DHCP from my server in another VLAN. They can use the VLAN's gateway for internet traffic (80&443). They can access our internal Moodle server (80&443) and access the pool of proxies provided by our LEA.
It kind of helps, but I still can't seem to get my ACLs working correctly!!
How come, (For testing) when I put a Deny rule in and place it at the very top of the list "1 - Deny 192.168.1.0/24 Any Any Any" with no other rules, or allow rules or anything, I am still able to connect to the Wireless Network and get an IP Address from the DHCP server? - I thought that putting in the 192.168.1.0/24 would block out everything on that network range? Then I would need to put allow rules in for my DNS/DHCP/ and Smoothwall server to get access??
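An added illustration of the rule ordering discussed in the last few posts, not code from any poster or from Ruckus: a generic first-match ACL model that compares the single "Deny 192.168.1.0/24" rule with a list that allows the 192.168.1.90 host first. It assumes rules match on destination address and that unmatched traffic is allowed; the tcp/443 login port, the host 192.168.1.50 and the 203.0.113.10 address are constructed sample values.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str                   # "allow" or "deny"
    dest: str                     # destination network in CIDR form
    proto: Optional[str] = None   # None matches any protocol
    port: Optional[int] = None    # None matches any destination port

def evaluate(rules, dst_ip, proto, port, default="allow"):
    """Return (action, matched rule number or None) using first-match order."""
    addr = ipaddress.ip_address(dst_ip)
    for number, rule in enumerate(rules, start=1):
        if addr not in ipaddress.ip_network(rule.dest):
            continue
        if rule.proto is not None and rule.proto != proto:
            continue
        if rule.port is not None and rule.port != port:
            continue
        return rule.action, number
    return default, None          # assumed behaviour when nothing matches

# The single test rule from the post: "1 - Deny 192.168.1.0/24 Any Any Any"
DENY_ONLY = [Rule("deny", "192.168.1.0/24")]

# Allow rules for the DHCP/DNS/Smoothwall host placed above the subnet deny.
ALLOW_THEN_DENY = [
    Rule("allow", "192.168.1.90/32", "udp", 67),   # DHCP server
    Rule("allow", "192.168.1.90/32", "udp", 53),   # DNS
    Rule("allow", "192.168.1.90/32", "tcp", 443),  # login page port (assumed)
    Rule("deny", "192.168.1.0/24"),                # everything else on the VLAN
]

# Constructed sample traffic: (description, destination, protocol, port)
SAMPLES = [
    ("DHCP DISCOVER broadcast", "255.255.255.255", "udp", 67),
    ("login page on Smoothwall", "192.168.1.90", "tcp", 443),
    ("probe of another guest-VLAN host", "192.168.1.50", "icmp", 0),
    ("internet web server", "203.0.113.10", "tcp", 443),
]

def report(rules):
    """Map each sample flow to the action the rule list gives it."""
    return {d: evaluate(rules, ip, proto, port)[0] for d, ip, proto, port in SAMPLES}

if __name__ == "__main__":
    for name, rules in (("deny only", DENY_ONLY), ("allow then deny", ALLOW_THEN_DENY)):
        print(name, report(rules))
```

In this model the initial DHCP DISCOVER is addressed to the broadcast address 255.255.255.255, which lies outside 192.168.1.0/24, so a destination rule for that subnet never matches it.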