Sonicwall Wireless Primer

All new-generation Sonicwall firewalls support “centrally controlled access” wireless management, either via the built-in wireless in the TZ100W, TZ200W, TZ210W, NSA220W and NSA250MW and/or via one or more SonicPoints. Both the built-in wireless and the SonicPoints allow for provisioning multiple “virtual” access points, or VAPs. A VAP is a specific wireless profile whose settings can be totally different from those of the other VAPs applied to the same built-in wireless or SonicPoint. The end result can be a single physical access point (built-in wireless or SonicPoint) that, from the point of view of wireless clients, provides the services of multiple access points. In practice this means that a single Sonicwall wireless network can provide secured, locked-down “corporate” access and less secure, “open” guest access all at once using VAPs. What’s more, two or more SonicPoints can share all the same settings so that the controlled wireless network can be made seamless across a large physical location.

As an example, Company A will be installing an NSA240 along with a SonicPoint (more may be added down the road) to provide both secure corporate access to authenticated users and open, public access to guests in their office. The one SonicPoint will appear as multiple access points (more on this in a bit). If they add another SonicPoint to extend coverage, that SonicPoint will take on all the same characteristics as the first one, and the SonicPoints will perform seamless handoff of client connections from one to the other.

The trick to configuring VAPs is understanding how the networking behind the VAPs needs to be configured.

In all cases, separate networks must be set up in different network zones to provide the basic separation of secured versus unsecured traffic (corp vs. guest), because firewall rules can be enforced on traffic that has to cross network zones. The separation is achieved by creating VLANs on the Sonicwall’s pre-configured network port that supports the built-in wireless, or on the port that has been assigned to the WLAN zone (or a custom-created zone) to which the SonicPoint(s) will be connected. (Keep in mind that if you are VLANing for SonicPoints you will need to either run a single cable from the Sonicwall port to a single SonicPoint OR use a switch that can pass VLAN-tagged traffic.) VLANs are added to a Sonicwall port on the Network Interface page (Add Interface option). When a VLAN is created a DHCP scope is also created for the specified network, and the VLAN interface is given a static IP (it becomes the gateway for the VLANed network).

Once VLANs are added, the VAP profile(s) can be created. In essence, a VAP profile sets all of the parameters you want for a given type of access, just as you would configure settings on a physical access point. Things like the SSID and the encryption type are set within the VAP profile, along with the desired network (think VLAN) and the radio settings. One or more VAP profiles can then be added to a VAP Group. A VAP Group can be thought of as the “super profile” that is then applied to one or more SonicPoint radios. It is the VAP Group that provisions a SonicPoint with its multiple virtual access points.

The built-in wireless on “W” models can be provisioned with one VAP Group (there is one radio). The single-radio SonicPoints (SonicPoint Ni and Ne) can also be provisioned with one VAP Group. The dual-radio SonicPoint NDR can be provisioned with two VAP Groups, provided there is NO overlap between the VAP Groups (e.g. no VLAN appears in both).
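As an added example (not Sonicwall’s code or the author’s), the provisioning order above modelled in Python: VLAN sub-interfaces with their auto-derived gateway and DHCP scope, VAP profiles tied to a VLAN, the checks to run before assigning two VAP Groups to an NDR’s two radios (no shared VLANs, no overlapping subnets), and the zone-to-LAN rules that keep guest traffic off the LAN. Class and function names and the sample addresses are assumptions made for this example.

```python
# Added example, not SonicWall code; class/function names and sample values are assumptions.
from dataclasses import dataclass
from ipaddress import IPv4Network
@dataclass(frozen=True)
class Vlan:
    tag: int        # 802.1Q tag of the sub-interface on the WLAN-zone port
    zone: str       # WLAN or a custom zone such as GUEST
    network: str    # CIDR of the VLAN'd network
    def gateway(self) -> str:  # the sub-interface takes the first usable address
        return str(next(IPv4Network(self.network).hosts()))
    def dhcp_scope(self) -> tuple:  # auto-created scope: the remaining usable addresses
        net = IPv4Network(self.network)
        return str(net[2]), str(net[-2])

@dataclass(frozen=True)
class VapProfile:
    ssid: str
    security: str     # e.g. "WPA2-PSK" for CORP, "open" for GUEST
    band: str         # "2.4GHz" or "5GHz"
    vlan: Vlan        # the network (VLAN) this VAP's clients land on
    lan_access: bool  # may clients on this VAP reach the LAN zone?

def validate_ndr(group_24: list, group_5: list) -> list:
    """Problems that stop a dual-radio NDR from taking these two VAP groups."""
    errors = []
    shared = {p.vlan.tag for p in group_24} & {p.vlan.tag for p in group_5}
    errors += [f"VLAN {t} is in both VAP groups" for t in sorted(shared)]
    vlans = sorted({p.vlan for p in group_24 + group_5}, key=lambda v: v.tag)
    for i, a in enumerate(vlans):  # the firewall also refuses overlapping subnets
        for b in vlans[i + 1:]:
            if IPv4Network(a.network).overlaps(IPv4Network(b.network)):
                errors.append(f"VLAN {a.tag} and VLAN {b.tag} subnets overlap")
    return errors

def lan_access_rules(profiles: list) -> list:
    """One zone->LAN rule per source zone; denied unless every VAP in it is CORP."""
    allowed = {}
    for p in profiles:
        allowed[p.vlan.zone] = allowed.get(p.vlan.zone, True) and p.lan_access
    return [(z, "LAN", "allow" if ok else "deny") for z, ok in sorted(allowed.items())]

def example_groups() -> tuple:
    """Constructed sample: CORP and GUEST on each NDR radio, each pair on its own VLAN."""
    corp24, guest24 = Vlan(10, "WLAN", "10.10.10.0/24"), Vlan(20, "GUEST", "10.10.20.0/24")
    corp5, guest5 = Vlan(11, "WLAN", "10.10.11.0/24"), Vlan(21, "GUEST", "10.10.21.0/24")
    g24 = [VapProfile("CORP", "WPA2-PSK", "2.4GHz", corp24, True),
           VapProfile("GUEST", "open", "2.4GHz", guest24, False)]
    g5 = [VapProfile("CORP", "WPA2-PSK", "5GHz", corp5, True),
          VapProfile("GUEST", "open", "5GHz", guest5, False)]
    return g24, g5
```

The zone rule is deliberately fail-closed: one guest-style profile dropped into a zone that also carries CORP turns that whole zone’s LAN access to deny, which is the mistake the separate-zones advice is meant to prevent.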

Sonicwall also provides additional configuration for “guest” networks through an array of predefined “guest network” settings. When enabled, things like enforced logon to the guest wireless network can be controlled through a simple login web page: when a client connects to the wireless network it cannot actually use the network until it authenticates in some fashion to that login page. Sonicwall also provides a mechanism whereby access to the “corporate” wireless network can be more fully secured by requiring that the client machine connect over the wireless network using a Sonicwall VPN client.

When a SonicPoint is attached to a TZ or NSA unit, it downloads and boots the latest firmware from the host. Once the firmware is downloaded the unit reboots and then loads whatever profile has been assigned to it specifically, OR it downloads the default profile that has been created for its model type (NDR, N for the Ni or Ne, G for older SonicPoint Gs). If the downloaded profile has one or more VAPs configured, the SonicPoint will provide access over those VAPs. This ability to use VAPs and profiles gives a SonicPoint network a great deal of flexibility. NOTE: A SonicPoint cannot be used as a standalone access point in a network that does not have an appropriate TZ or NSA host unit; SonicPoints are totally “dumb” units that rely on a TZ or NSA host to provide their firmware, profile and settings.

The built-in wireless on the “W” models, as well as the wireless in the SonicPoint Ni and Ne, is 2.4GHz b/g/n compliant. The dual-radio SonicPoint NDR has one 2.4GHz b/g/n radio and one 5GHz a/n radio. The 5GHz radio will work with clients that have 5GHz radios but will not talk to 2.4GHz-only clients. The “W” models as well as the SonicPoint Ne and NDR have external antennas (three per radio), while the SonicPoint Ni has only a single concealed internal antenna. The external antennas tend to provide better coverage than the internal antenna on the Ni, while the 5GHz radio on the NDR provides the most powerful signal and the most bandwidth. All SonicPoints are PoE enabled; the Ni unit is PoE only, while the Ne and NDR can also be powered by an external power supply.

8 responses to “Sonicwall Wireless Primer”

  1. Hi, I wondered if you could help me understand the “NO overlap between the VAP groups (e.g. no overlap of VLAN’s).” requirement.

    So is this saying if I want both radios to have the same SSID/Security profile, I have to have those two radios connecting to different sub-interfaces. This just seems strange to me that if I want to basically configure one wireless network and clients can connect to their fastest option?

    Also, is it possible to have a VAP group basically bridging to the LAN interface?

    Thanks,
    Carl

    1. Hi, Carl:

      Sonicwall enforces separation of the WLAN from the LAN, as you have seen. This is so that you have complete control over what traffic can go where. To use the CORP vs GUEST analogy, you probably DON’T want guests being able to access the internal LAN as you have no control over their machines (from an A/V point of view) nor do you want them to be able to access corporate resources so that is why you would segregate them off (usually via a VLAN) yet you DO want corporate users to access the LAN. The WLAN zone implies that there can be “mixed” traffic coming in from a wireless access point because the AP can support a VAP. When a VAP is applied to a SonicPoint (any SonicPoint N device) then the VAP SSID and the VAP rules are enforced on that SonicPoint. Both radios in the SonicPoint Dual-N (I assume that is the SonicPoint you are referring to) will broadcast the SSID and both radios will support the VAP configuration. So, going back to CORP & GUEST, both radios will allow for connections to CORP & GUEST.

      What makes the VAP config really work is the ability to pass more than one subnet over the SonicPoint and this is done by adding VLAN’s to the Sonicwall port that acts as the gateway port to the SonicPoints. By setting up a separate subnet for each desired connection (again, think CORP, GUEST, other, whatever) you give yourself the ability to enforce firewall rules on the WLAN zone and between the WLAN zone and other zones so that you can fully control and segregate the traffic. Typically this would mean that you would set a firewall rule that would specifically block any access to the corporate LAN from the subnet that is applied to the GUEST connection. And that is why you don’t want overlap between the VAP subnets. In fact, the Sonicwall will pretty much NOT allow you to have overlap.

      As for having a VAP bridge directly to the LAN interface — in a word, “no”; everything is zoned off so you can’t do the direct bridge. You CAN have DHCP for a WLAN subnet managed by your Windows DHCP server rather than the Sonicwall but that is about as far as it goes. Again, all of this is by design so that you can, and should, enforce security rules. Frankly, this is one of the biggest differences between using Sonicwall and SonicPoints vs Linksys or DLink (as an example). You have to think in security terms rather than just simple connectivity terms.

      Hope this helps!

      Robert

  2. We have been using the internal radio of an NSA 220W with multiple VAPs for quite some time now. We wanted to extend the range of the wireless LAN with an additional Sonicpoint and bought one Sonicpoint Ni and are having difficulties configuring the Sonicpoint properly.
    It seems it is not possible to use both the internal radio and Sonicpoints together for the same wireless LANs (same SSIDs for roaming)?

    1. Hi! This is a problem I’ve hit as well and, as far as I can tell, there is no way to set the internal (on board) wireless as part of any VAP that is applied to a SonicPoint or group of SonicPoints. When you look at the internal wireless settings as compared to the SonicPoint settings you’ll find that there are a couple of settings that you cannot “touch” as there is a “preconfigured” VAP already in place for the internal wireless. As best I can tell, the internal radio is essentially a “one off” device that is not meant to participate with SonicPoints in any sort of meshed configuration. Why this is so is beyond me as you would think the wireless radios are all essentially the same, internal or SonicPoint.

      I think I’ll point the question at my Sonicwall rep and his SE as it is a good question. Stay tuned!

      Robert

  3. Hello Admin:
    I have created a VLAN tag V2000 which I would like to use as an SSID on a Sonicwall TZ205. I have already mounted the Sonicpoint Ni devices; I can see them and even ping the firewall but cannot get an IP. I have enabled a DNS server to assign IPs. What should I do to have the connections get an IP? Thank you.

    1. Hi! Not sure what you mean by “a vlan tag” to use on an SSID on the TZ205. Normally you would assign the Sonicpoints to the WIRELESS zone, assign a port on the TZ205 to the WIRELESS zone and give it a GATEWAY IP address, which would also auto-create a DHCP range for the network in question. If you are going to have multiple networks via a WAP then you would add a subnetwork to the wireless interface and assign a VLAN tag to it and, again, this would auto-create the needed DHCP scope. Then you would build up your WAP settings which would pull the SSIDs and the networks all together over the wireless? Keep in mind that this is all the built-in DHCP server on the TZ205. Did you do this? What are all the settings in your wireless config?

  4. We have two NDR’s.

    Should I be setting up each radio to its own VAP to enable dual radio support to clients with dual radios, or should they be on the same VAP? Both VAPs would have access to the corporate network, and only one would access Guest. I could see this as a way to prevent guest traffic on one frequency, but is this also how I get “dual band” connections – or should they be on the same VAP to enable that?

    1. The two radios require their own VAP config, one for 2.4GHz and one for 5GHz. Once those are set you can aggregate them into one group in the VAP settings then publish that group out to the NDR’s. The end result is the NDR’s will publish the SSID’s for the individual radios. Keep in mind that you can create multiple VAP’s to publish off each NDR. I would normally create 4 VAP profiles for an NDR — 2.4GHz CORP and GUEST (CORP has LAN access, GUEST does not) and 5GHz CORP and GUEST. This requires having multiple VLAN’s between the host Sonicwall and the NDR’s so you can segregate traffic then apply specific firewall rules. It also means you can create new ZONES and put specific VLAN’s in specific ZONES in order to “super-segregate” the traffic.

      I’ll ping you privately to follow up.

      Robert
