  1. #1

    Join Date
    Aug 2005
    Location
    Shropshire
    Posts
    284
    Thank Post
    16
    Thanked 11 Times in 8 Posts
    Rep Power
    21

    Guest VLANS + Guest Wifi - Different IP Range, Out to Filtered Internet

    Hi,

    In my head I know what I want.... putting it all together I'm not 100% sure on! I will try and explain as best as I can, and hopefully somebody will guide me in the correct directions.

    I would like to setup:-

    • Guest WiFi Access for Students to connect their own devices
    • Guest Users to be on a totally different IP Range to what the school network runs on, for added security
    • Students to be able to authenticate to the WiFi using their Active Directory user names and passwords
    • Gain access to the Internet via the Proxy Server, which would sit on the schools IP Range
    • Have the one DHCP server, but with two scopes, 1 for 172.16.x.x (School Network) and 1 for 192.168.x.x (Guest Wifi)


    It sounds so simple, is all the above possible??.

    We have a Smoothwall Proxy Server running G3, Ruckus Wireless, D-Link Smart Switches (DGS-1216T, DGS-1224T, DGS-1248T) - Windows Server 2003 / Active Directory

    I have setup a test switch, and have created on it a VLAN for Guests, I have also created a Guest WiFi SSID, and put a tag on it for the Guest VLAN, I have setup a temp DHCP server to fire out IP Address on a different range, and that seems to be working... School WiFi I get a 172.16.x.x address, Guest WiFi I get a 192.168.x.x address

    I obviously need to do something to the uplinks on each switch port for this to work across all switches (I only have it running on 1 test switch at the mo)... I will also need to do something I'm guessing on the port of the switch where the Ruckus ZoneDirector sits?

    Would I need to install another Network Card in the DHCP server with an IP Address for the 192.168.x.x, Would I also need another network card in the Smoothwall Server for the 192.168.x.x

    How would the Wireless Guests/Students authenticate to the Active Directory if that's on the 172.16 and they will be on the 192.168.x.x

    Any hints/tips/guides would be gratefully received... I have looked across many forum postings and websites, and whilst some things have been useful a lot has been no help in the particular setup

    Many Thanks

    Matt

  2. #2
    IrritableTech's Avatar
    Join Date
    Nov 2007
    Location
    West Yorkshire
    Posts
    791
    Thank Post
    83
    Thanked 171 Times in 140 Posts
    Rep Power
    64
    Looks to me like you have most of the equipment you need to achieve what you want.

    You're going to need to look at vlans, iphelpers, inter vlan routing and trunks (different vendors refer to some of these differently).

    Your biggest issue is looking at which switch could act as your router, or what to get to route traffic. I don't know much about the D-Link switches to be honest.


  4. #3

    Join Date
    Oct 2007
    Location
    Northamptonshire
    Posts
    310
    Thank Post
    20
    Thanked 80 Times in 68 Posts
    Rep Power
    43
    We have Smoothwall G3 + Ruckus here and guest wifi is working great.

    Basically the way we have done it is we have a guest wifi WLAN on our Ruckus wireless which tags traffic on that WLAN to the isolated guest VLAN we have set up on the switches. We then have the guest VLAN set up as another interface on our Smoothwall box. The Smoothwall box is set to dish out DHCP on the guest VLAN and has SSL Login page proxy authentication set.

    And that's pretty much all there is to it so when students connect their own devices to the guest VLAN they get an IP from the Smoothwall box and then when they open their internet browser and try to access a website they get the SSL Login page, they then type their AD credentials and then they get filtered as they normally would.

    The nice thing with Smoothwall handling DHCP & DNS is the guest traffic doesn't touch your main windows network.

    Hope this makes sense

  5. #4

    Ahh that makes so much sense, but I don't think our version of Smoothwall allows for the DHCP/DNS but I will check...

    With this kind of setup, can you "see" from the ruckus controller which guests are on the wifi? Or would you need to find this out from your smoothwall box?

    Thanks

  6. #5

    We currently have the guest network as an open network so no we don't "see" the guests as such. We can see their IP & Mac address on the ZoneDirector web interface but to see who's logged into the proxy we have to check the SW box. But obviously we can link the device and user by looking at logs if necessary.

    You could set up radius/AD authentication on the ZoneDirector for the Guest network so the students would need to enter their AD Credentials before they can join the guest WLAN and this would let you see who's logged on via Ruckus. But then they would have to enter their AD login for smoothwall as well unless you did a general SW filtering policy for all users on the guest WLAN.

    You can find DHCP in Smoothwall under the Services menu and then just enable it for the guest VLAN interface.
    Last edited by Ashm; 1st February 2012 at 07:50 AM.

  7. #6

    Thanks Ashm,

    Our Smoothwall doesn't have the DHCP option under services, I think that is only available on the Smoothguardian + Firewall setup?? We have just got the Smoothwall Network Guardian, Guardian Web Security.

    I'll see how much a bolt for it would be, otherwise I'll just setup an old box to act as a DHCP Server for that VLAN.

    Cheers

    Matt

  8. #7

    I've had a play around today... got pretty close to it working but not all the way... I used the DHCP coming off the ADSL router, on the VLAN for the Guests, and had the Network cable from the Smoothwall Box on the same 192. interface going into that VLAN, I could connect to the guest network, it would redirect me to the Ruckus pages tell me it's redirecting, then let me straight out onto the internet with no Filter... it couldn't go via the smoothwall.

    I've setup Transparent Proxy filter...

    I think I need to maybe switch off DHCP on the ADSL router, pop a DHCP/DNS server in between and point the default gateway to the Smoothwall Box on the 192.x interface, so that it will then redirect me to the Smoothwall SSL login page for the users to authenticate with AD... do you think I'm on the right lines?

    Or... get the Firewall modules installed on the smoothwall box!!

    This is all in a demo/trial mode setup at the mo before we decide which route we go down.

  9. #8

    Yep the Smoothwall box needs to be the default gateway if using transparent mode.

    You could set up a linux box or vm to do the DHCP & DNS on the guest VLAN and as you say have the default gateway set to the SW box.

    I wouldn't put the ADSL router on the same guest VLAN, you'd most likely want it so the only thing a guest device can see is the SW box which would be their only route out to the internet.

  10. #9

    Thanks... I'll try the setup tomorrow (on the same as ADSL for now just for testing) would I be right in thinking that if I kept it away from the ADSL address range then I would need to install another NIC into the smoothwall server? So I'll have 3 in my setup -
    1 for 172.x.x.x (School Network)
    1 for 192.168.1.x (To get on the ADSL)
    And a third for a different IP Range for the guests?

    Thanks for your replies and tips! I feel I'm "almost" there with what I want to achieve!

  11. #10

    How does the school network get out to the internet? What do you normally use the ADSL for?

    Yes you could do it how you've specified with 3 network interfaces.

  12. #11

    Right, I've got things pretty much working... in this test setup, but I want to restrict access to the network with some ACLs

    At the mo, I have got setup on my Ruckus Guest Network, the option - Full (Wireless clients will be unable to communicate with each other or access any of the restricted subnets.)
    I understand that I need to configure the ACLs under the Restricted Subnet Access in the Guest Access Menu - currently I have nothing set in here other than the default DENY rule for the controller on the 172 Address (Deny 172.16.244.40/22)

    My VLAN for the Guest network is on the 192.168.1.0 Network - with no settings in place, I am able to get a DHCP address/DNS and access to the Internet, I am also able to PING all the machines connected to the 192 network which I don't want to be able to!!

    I've tried putting a deny rule on 192.168.1.0/24 and this then stops me being able to authenticate with the Smoothwall server - But it still allows me to get an IP Address from the DHCP server (and that's without putting in a rule to allow DHCP)

    The smoothwall is on 192.168.1.90, the DHCP server is 192.168.1.90

    I've checked the Ruckus guide for the information on the ACLs on Guest Access and it's rather basic!

    Thanks

    Matt

  13. #12
    IrritableTech's Avatar
    Mine are basically set at...

    DNS      Allow  10.15.110.1/32    DNS    Any      53
    DHCP     Allow  10.15.110.1/32    DHCP   Any      67
    Gateway  Allow  10.15.105.254/32  HTTP   TCP (6)  80
    Gateway  Allow  10.15.105.254/32  HTTPS  TCP (6)  443
    Moodle   Allow  10.15.110.7/32    HTTP   TCP (6)  80
    Moodle   Allow  10.15.110.7/32    HTTPS  TCP (6)  443
    Proxy    Allow  A.B.C.D/24        HTTP   TCP      80
    Proxy    Allow  A.B.C.D/24        HTTP   TCP      443

    Default rule is set at deny.

    So my clients can get DNS and DHCP from my server in another VLAN. They can use the VLANs gateway for internet traffic (80&443). They can access our internal moodle server (80&443) and access the pool of proxies provided by our LEA.

    Hope that helps

  14. #13

    It kind of helps, but I still can't seem to get my ACL's working correctly!!

    How come, (For testing) when I put a Deny rule in and place it at the very top of the list "1 - Deny 192.168.1.0/24 Any Any Any" with no other rules, or allow rules or anything, I am still able to connect to the Wireless Network and get an IP Address from the DHCP server? - I thought that putting in the 192.168.1.0/24 would block out everything on that network range? Then I would need to put allow rules in for my DNS/DHCP/ and Smoothwall server to get access??

    Cheers

    Matt

  15. #14
    IrritableTech's Avatar
    I think you're confusing your layer 2 and layer 3. A DHCP request must be completed by layer 2 because the client doesn't yet have an IP. Therefore your layer 3 access list does not take effect.

    You probably need to look at your layer 2 ACL.

    Dynamic Host Configuration Protocol - Wikipedia, the free encyclopedia
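
An added illustration, not part of any post in the thread: a simplified first-match model of a destination-based access list, showing that the single `Deny 192.168.1.0/24` rule from post #13 never matches a DHCPDISCOVER (addressed to 255.255.255.255) while it does block the Smoothwall login, and how specific allows placed above the subnet deny change the outcome. It assumes destination-only matching, a default of allow for unmatched traffic, DNS on 192.168.1.90 and tcp/443 for the login page; it is not Ruckus's implementation.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    dest: str                   # destination network in CIDR form
    proto: str = "any"          # "tcp", "udp", "icmp" or "any"
    port: Optional[int] = None  # destination port; None matches any

def evaluate(rules, default, dst_ip, proto, dst_port=None):
    """First-match evaluation: (action, 1-based rule number or None)."""
    addr = ipaddress.ip_address(dst_ip)
    for number, rule in enumerate(rules, start=1):
        if (addr in ipaddress.ip_network(rule.dest)
                and rule.proto in ("any", proto)
                and rule.port in (None, dst_port)):
            return rule.action, number
    return default, None        # nothing matched: assumed default applies

# The single-rule test described in post #13.
SINGLE_DENY = [Rule("deny", "192.168.1.0/24")]

# Specific allows for the one host guests need, then the subnet deny.
# 192.168.1.90 is the Smoothwall/DHCP address from post #11 (ports assumed).
ORDERED = [
    Rule("allow", "192.168.1.90/32", "udp", 53),
    Rule("allow", "192.168.1.90/32", "udp", 67),
    Rule("allow", "192.168.1.90/32", "tcp", 443),
    Rule("deny", "192.168.1.0/24"),
]

# Constructed flows: (label, destination IP, protocol, destination port)
FLOWS = [
    ("DHCPDISCOVER broadcast", "255.255.255.255", "udp", 67),
    ("Smoothwall login", "192.168.1.90", "tcp", 443),
    ("ping another guest", "192.168.1.57", "icmp", None),
    ("SSH to Smoothwall", "192.168.1.90", "tcp", 22),
    ("internet site", "203.0.113.10", "tcp", 443),
]

def report(rules, default="allow"):
    return {label: evaluate(rules, default, ip, proto, port)
            for label, ip, proto, port in FLOWS}

if __name__ == "__main__":
    for name, rules in (("single deny", SINGLE_DENY), ("ordered", ORDERED)):
        for label, result in report(rules).items():
            print(f"{name:12} {label:24} {result}")
```

A result of `None` for the rule number means no configured rule matched that destination, which is the case for the broadcast DISCOVER under both rule sets.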
