All current-generation Sonicwall firewalls support “centrally controlled access” wireless management, either through the built-in wireless radio in the TZ100W, TZ200W, TZ210W, NSA220W and NSA250MW, through one or more SonicPoints attached to the firewall, or both. Both the built-in wireless and the SonicPoints can be provisioned with multiple “virtual” access points, or VAPs. A VAP is a distinct wireless profile whose settings can be entirely different from those of the other VAPs applied to the same radio or SonicPoint. The result is a single physical access point (built-in wireless or SonicPoint) that, from the wireless clients' point of view, behaves like several access points. In practice this means that a single Sonicwall wireless deployment can offer a secured, locked-down “corporate” network and a less secure, “open” guest network at the same time, each as its own VAP. Furthermore, two or more SonicPoints can share the same settings, so the controlled wireless network can be made seamless across a large physical site.
As an example, Company A will be installing an NSA240 along with a single SonicPoint (more may be added down the road) to provide both secure corporate access for authenticated users and open, public access for guests in their office. The one SonicPoint will appear to clients as multiple access points (more on this in a bit). If they later add another SonicPoint to extend coverage, it will take on the same characteristics as the first one, and the two SonicPoints will hand client connections off to one another as users move between them.
The trick to configuring VAPs is understanding how the networking behind the VAPs needs to be set up.
In all cases, separate networks must be set up in separate network zones to provide the basic separation of secured versus unsecured traffic (corp vs. guest): firewall access rules are enforced on traffic that crosses from one zone to another, so if both classes of client landed on the same network the firewall would have nothing to filter between them. The separation is achieved by creating VLANs on the Sonicwall port that is pre-configured for the built-in wireless, or on the port that has been assigned to the WLAN zone (or a custom zone) to which the SonicPoint(s) will be connected. (Keep in mind that if you are using VLANs for SonicPoints you will need either a single cable from the Sonicwall port to a single SonicPoint OR a switch that carries the tagged VLAN traffic, i.e. 802.1Q trunk ports, between the firewall and the SonicPoints.) VLANs are added to a Sonicwall port on the Network Interfaces page (Add Interface option). When a VLAN is created, a DHCP scope is created for the specified network at the same time and the VLAN sub-interface is given a static IP address, which becomes the gateway for that VLAN.
Once the VLANs exist, the VAP profile(s) can be created. A VAP profile sets all of the parameters you want for a given type of access, just as you would configure them on a physical access point: the SSID, the authentication and encryption type, the network it belongs to (think VLAN) and the radio settings. One or more VAP profiles are then added to a VAP Group. A VAP Group can be thought of as the “super profile” that is applied to one or more SonicPoint radios; it is the VAP Group that provisions a SonicPoint with its multiple virtual access points.
The built-in wireless on the “W” models can be provisioned with one VAP Group (there is one radio). The single-radio SonicPoints (SonicPoint Ni and Ne) can likewise be provisioned with one VAP Group. The dual-radio SonicPoint NDR can be provisioned with two VAP Groups, one per radio, provided there is NO overlap between the two groups (for example, no VLAN may appear in both).
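The design rules in the three paragraphs above (corporate and guest traffic on separate VLANs in separate zones, one VAP Group per single-radio device, two non-overlapping VAP Groups on the dual-radio NDR) are easy to get wrong in the GUI, so here is an added example of a small planning check that encodes them. This is illustrative Python written for this article, not SonicOS code or a Sonicwall tool; the zone names, SSIDs, VLAN IDs and subnets are assumed values for a Company A style layout.

```python
"""Sanity checks for a planned Sonicwall VAP / VLAN layout.

Added example, not Sonicwall code. It encodes the rules from the text as
checks over a plan written as plain Python data so a mistake (a guest SSID
dropped onto the corporate VLAN, an open corporate SSID, two NDR VAP
Groups that share a VLAN) is caught before anything is clicked in the GUI.
All names, VLAN IDs and subnets below are assumptions, not from the page.
"""
from dataclasses import dataclass
from ipaddress import ip_network

CORP_ZONE = "WLAN"    # assumption: zone holding the corporate VLAN
GUEST_ZONE = "Guest"  # assumption: separate zone so access rules apply at the crossing
STRONG_AUTH = {"WPA2-PSK", "WPA2-EAP"}

# Radio count per model, as stated in the text
RADIOS = {"W-builtin": 1, "Ni": 1, "Ne": 1, "NDR": 2}


@dataclass(frozen=True)
class VAP:
    ssid: str
    vlan: int
    subnet: str   # network of the VLAN sub-interface, e.g. "192.168.10.0/24"
    zone: str
    auth: str     # "Open", "WPA2-PSK" or "WPA2-EAP"
    guest: bool   # True for a guest-services SSID


@dataclass(frozen=True)
class VAPGroup:
    name: str
    vaps: tuple   # tuple of VAP


def vap_errors(vaps):
    """Corp/guest separation: distinct zones and VLANs, strong auth on corp."""
    errs, by_vlan, nets = [], {}, {}
    for v in vaps:
        by_vlan.setdefault(v.vlan, []).append(v)
        nets.setdefault(v.vlan, ip_network(v.subnet))
        if v.guest and v.zone != GUEST_ZONE:
            errs.append(f"{v.ssid}: guest VAP must sit in zone {GUEST_ZONE}, not {v.zone}")
        if not v.guest and v.zone != CORP_ZONE:
            errs.append(f"{v.ssid}: corporate VAP must sit in zone {CORP_ZONE}, not {v.zone}")
        if not v.guest and v.auth not in STRONG_AUTH:
            errs.append(f"{v.ssid}: corporate VAP uses weak auth {v.auth}")
    for vlan, members in by_vlan.items():
        if len({m.guest for m in members}) > 1:
            errs.append(f"VLAN {vlan}: guest and corporate VAPs share a VLAN")
    # Two different VLANs must not be given overlapping address space
    pairs = list(nets.items())
    for i, (va, na) in enumerate(pairs):
        for vb, nb in pairs[i + 1:]:
            if na.overlaps(nb):
                errs.append(f"VLAN {va} and VLAN {vb}: subnets {na} and {nb} overlap")
    return errs


def assignment_errors(model, groups):
    """One VAP Group per radio; on the NDR the two groups may not share VLANs."""
    errs = []
    radios = RADIOS[model]
    if len(groups) > radios:
        errs.append(f"{model}: {len(groups)} VAP Groups assigned but only {radios} radio(s)")
    if len(groups) == 2:
        overlap = {v.vlan for v in groups[0].vaps} & {v.vlan for v in groups[1].vaps}
        if overlap:
            errs.append(f"{model}: VAP Groups {groups[0].name}/{groups[1].name} "
                        f"overlap on VLAN(s) {sorted(overlap)}")
    return errs


def validate(model, groups):
    """Return every rule violation for a plan; an empty list means it is clean."""
    vaps = [v for g in groups for v in g.vaps]
    return vap_errors(vaps) + assignment_errors(model, groups)


# Constructed sample plans (assumed values, not from the page)
CORP = VAP("CompanyA-Corp", 10, "192.168.10.0/24", CORP_ZONE, "WPA2-EAP", guest=False)
GUEST = VAP("CompanyA-Guest", 20, "192.168.20.0/24", GUEST_ZONE, "Open", guest=True)
GOOD_PLAN = (VAPGroup("office", (CORP, GUEST)),)

# Weak plan: guest SSID placed on the corporate VLAN and zone, corporate SSID left open
BAD_CORP = VAP("CompanyA-Corp", 10, "192.168.10.0/24", CORP_ZONE, "Open", guest=False)
BAD_GUEST = VAP("CompanyA-Guest", 10, "192.168.10.0/24", CORP_ZONE, "Open", guest=True)
BAD_PLAN = (VAPGroup("office", (BAD_CORP, BAD_GUEST)),)

# Guest VLAN carved out of the corporate VLAN's address range
CLASH_GUEST = VAP("CompanyA-Guest", 20, "192.168.10.128/25", GUEST_ZONE, "Open", guest=True)
CLASH_PLAN = (VAPGroup("office", (CORP, CLASH_GUEST)),)

# NDR with two VAP Groups that both carry VLAN 10
NDR_PLAN = (VAPGroup("radio-2g", (CORP, GUEST)), VAPGroup("radio-5g", (CORP,)))

if __name__ == "__main__":
    for label, model, plan in [("good/Ne", "Ne", GOOD_PLAN), ("bad/Ne", "Ne", BAD_PLAN),
                               ("clash/Ne", "Ne", CLASH_PLAN), ("ndr", "NDR", NDR_PLAN)]:
        print(label, validate(model, plan) or "OK")
```

Run it as a script and it prints the findings for each constructed plan; the good plan validates clean, the bad plan reports three problems (open corporate SSID, guest SSID in the corporate zone, both on one VLAN), and the NDR plan is rejected because VLAN 10 appears in both VAP Groups.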
Sonicwall also provides additional configuration for “guest” networks through an array of predefined “guest” settings. When these are enabled, things like a mandatory login to the guest wireless network can be controlled through a simple login web page: a client that associates with the guest SSID cannot actually use the network until it has authenticated in some fashion to that page. Keep in mind that the login page only gates access; on an open SSID the guest traffic itself is still unencrypted over the air. Sonicwall also provides a mechanism by which access to the “corporate” wireless network can be secured further by requiring that client machines connect over the wireless using a Sonicwall VPN client.
When a SonicPoint is attached to a TZ or NSA unit, it downloads the latest firmware from the host and boots it. Once the firmware is downloaded the unit reboots and then loads whichever profile has been assigned to it specifically, OR it downloads the default profile created for its model type (NDR, N for the Ni or Ne, G for the older SonicPoint G). If the downloaded profile has one or more VAPs configured, the SonicPoint will provide access over those VAPs. This ability to use VAPs and profiles gives a SonicPoint network a great deal of flexibility. NOTE: A SonicPoint cannot be used as a standalone access point in a network that does not have an appropriate TZ or NSA host unit; SonicPoints are entirely “dumb” units that rely on the TZ or NSA host to provide their firmware, profile and settings.
The built-in wireless on the “W” models, as well as the wireless in the SonicPoint Ni and Ne, is a 2.4 GHz 802.11b/g/n radio. The dual-radio SonicPoint NDR has one 2.4 GHz 802.11b/g/n radio and one 5 GHz 802.11a/n radio. The 5 GHz radio serves only clients that have a 5 GHz radio of their own; 2.4 GHz-only clients cannot see it. The “W” models and the SonicPoint Ne and NDR have external antennas (three per radio), while the SonicPoint Ni has only a single concealed internal antenna. The external antennas tend to give better coverage than the internal antenna on the Ni, and the 5 GHz radio on the NDR offers the most bandwidth and the least interference from neighbouring 2.4 GHz networks, though its range through walls is shorter than that of the 2.4 GHz radio. All SonicPoints are PoE enabled; the Ni is PoE only, while the Ne and NDR can also be powered by an external power supply.