Hello all,
We have a large network with many different buildings throughout the city and we would like to separate our GUEST WIFI from the STAFF WIFI, both going out different ISPs. The MX firewalls we have would only be used for the GUEST WIFI. I'll call them ISP #1 (STAFF WIFI) and ISP #2 (GUEST WIFI). We would like the GUEST WIFI clients to use the option on the SSID to tunnel traffic to the MX concentrator, while STAFF WIFI just connects to the local LAN.
Since the MX firewalls will only be at certain locations, how would we tunnel the GUEST WIFI traffic through our internal network to the MX? I created L3 VLANs on the MX, but I have questions on how to create the connection from the MX to the internal network.
Currently the APs themselves are connected to a switchport that only allows one VLAN, and that is for STAFF WIFI; those APs have a public IP of ISP #1. The GUEST WIFI SSID users are now able to go out of ISP #2, but they get there by going out ISP #1 and back in through ISP #2 to the MX, then out ISP #2 again. So it forms a tunnel from the AP to the MX through the internet. I don't want it to do that; I want the AP to be able to tunnel (route) those GUEST WIFI clients to the MX internally, and the MX would route them out ISP #2.
Any suggestions on how to have GUEST WIFI traffic go internally to the MX using the option on that SSID to "Layer 3 roaming with a concentrator"?
Thank you!
Hi Nolan,
We don't have an MX at each location where there will be GUEST WIFI available. The GUEST ISP circuits are at a few different locations, and I'm trying to figure out how to get the GUEST WIFI clients in the locations where there is no ISP to go through the LAN (route). I don't want to extend L2 VLANs all across the network.
Thanks for responding.
I'll tag @PhilipDAth also since he was originally on that other thread and might be able to provide some more insight as he was mentioning some sort of new feature with recent firmware versions (back then) that I'm not familiar with.
Thank you, I'll take a look at those links.
You will want to use one-armed mode for the VPN concentrator.
Alternatively, give the APs static IP addresses. Use the SSID NAT mode to NAT the guest traffic to the AP LAN IP. Create a group on your firewall of all APs, and a rule allowing them direct Internet access out. Use the option on the firewalls to block access to the local LAN.
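The Meraki-side half of the approach above, as an added example that is not PhilipDAth's code or Meraki's own: a small Python script that uses the Dashboard API to put the guest SSID in NAT mode and deny LAN access from that SSID. The endpoint paths, JSON field names and the "NAT mode" value are assumed from the v1 API; the API key, network ID and SSID number are placeholders read from the environment, and the upstream firewall group and rule for the APs are outside Meraki and not shown.

```python
import json
import os
import urllib.request

# Meraki Dashboard API v1 base URL and auth header (assumed; confirm against current docs).
BASE_URL = "https://api.meraki.com/api/v1"
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def nat_mode_payload() -> dict:
    """Body for PUT /networks/{networkId}/wireless/ssids/{number}.
    'NAT mode' makes the AP NAT guest clients behind its own (static) LAN IP,
    so guest traffic leaves via the AP's default gateway, not a tunnel."""
    return {"ipAssignmentMode": "NAT mode"}


def guest_l3_rules_payload() -> dict:
    """Body for PUT /networks/{networkId}/wireless/ssids/{number}/firewall/l3FirewallRules.
    allowLanAccess=False is the per-SSID 'block access to the local LAN' option.
    Explicit RFC 1918 denies are added as belt-and-braces in case that option's
    scope is narrower than all private space (field names assumed); Meraki
    appends its own default 'allow any' rule after these."""
    rules = [
        {"comment": f"Guest clients must not reach {cidr}", "policy": "deny",
         "protocol": "any", "destPort": "Any", "destCidr": cidr}
        for cidr in RFC1918
    ]
    return {"rules": rules, "allowLanAccess": False}


def isolate_guest_ssid(api_key: str, network_id: str, ssid_number: int) -> None:
    """Push both settings to the guest SSID (network_id/ssid_number are placeholders)."""
    headers = {"X-Cisco-Meraki-API-Key": api_key, "Content-Type": "application/json"}
    ssid_url = f"{BASE_URL}/networks/{network_id}/wireless/ssids/{ssid_number}"
    for url, body in ((ssid_url, nat_mode_payload()),
                      (f"{ssid_url}/firewall/l3FirewallRules", guest_l3_rules_payload())):
        req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                     headers=headers, method="PUT")
        # urlopen raises HTTPError on 4xx/5xx, so a rejected rule set never fails silently.
        with urllib.request.urlopen(req, timeout=30) as resp:
            resp.read()


if __name__ == "__main__":
    # Secrets and IDs come from the environment; none of these are real values.
    isolate_guest_ssid(os.environ["MERAKI_API_KEY"], os.environ["NETWORK_ID"],
                       int(os.environ.get("GUEST_SSID_NUMBER", "1")))
```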
Hi PhilipDAth,
Thanks for your reply.
Too bad there is no way to direct the guest clients internally to the internal interface of the MX. The APs' IPs are static; if I choose the NAT option on the SSID and on the firewall to block access to the local LAN, how would the AP send staff guest traffic out the other ISP?
The default gateway of the AP is on the staff network, which will route staff users to the staff ISP. Since the MX does have LAN interfaces and I can create L3 IPs on it, I'm assuming there must be a way for the AP to send the guest traffic to the MX internally, and the MX would then send it directly out the guest ISP, right?