Cloud AP with VLANs - WSM Firebox Polies

I have a firebox that is managed with watchguard system manager. I have an AP wired directly to the firebox that is cloud managed. The AP is NATed not bridged. I’d like to keep this configuration if at all possible. The AP has several ssids. I’d like to setup each ssid on a different vlan and apply different policies to them on the firebox. Is it possible to use the gateway wireless controller on the firebox to apply policies to the vlans and keep the AP otherwise cloud managed? thanks


  • Options
    edited March 2021

    No. An AP is either GWC managed or cloud managed, but not both.

    What is your issue about setting up different firewall policies for the different VLANs on your cloud managed AP?

    What do you mean by "The AP is NATed" ?

  • Options
    I was hoping the firebox could differentiate the vlan tags and apply an alias to them or something like that while keeping the ssids and wips, etc in the cloud.

    I will have to look into cloud policies for the vlans. The wifi cloud is new to me.

    The ssids on the ap are set to NAT as opposed to bridged or tunneled.

  • Options
    james.carsonjames.carson Moderator, WatchGuard Representative

    If they're set to NAT, the AP is acting as a firewall for those networks. If you want the traffic to be passed to the firewall, you'll want them bridged.

    You can set up tagged and untagged VLANs on the firewall. It's set up to be flexible, so you could name them what the networks are for, or something else.

    Aside from the Gateway Wireless Controller part, this goes over an example network and how to set VLANs up:


    -James Carson
    WatchGuard Customer Support

  • Options
    Thank you for your help. Could you please confirm that if I setup bridged ssids and vlan tagging using the gateway wireless controller on the firebox then I would have to change the AP to firebox managed from wifi cloud managed? I would lose several important security features I have with The Total WiFi package I purchased?
  • Options

    To use Fireware GWC to manage an AP, you would need to change the AP to Firebox managed (Basic Wi-Fi) and you can not use the additional features from a Cloud managed AP.

    We suggest to stay with Cloud managed, and use Bridge mode for the AP, as James suggests above.
    If you have difficulties, you can open a support incident to get WG help is setting this up. To do so, click on the SUPPORT CENTER link above.

  • Options
    Thanks guys,
    WG Support was excellent and we got the vlans working.

    We left the AP cloud managed and left the wireless gateway controller disabled on the firebox. We set up matching vlans on the ap and firebox and applied policies to the vlans as needed. I found that in order to utilize a wired extension on one of the ssid vlans I had to keep it as NAT and assign a vlan id. The other ssids are now bridged with assigned vlan ids.

    It appears to me, and I may be wrong, that the firebox can inspect ssid’s in NAT mode. This may be useful for single devices or when a wired extension is needed for example. Of course the firebox will report all traffic coming from a nat ssid as coming from a single device.

    Thanks again for your help.
  • Options

    Please explain the "wired extension" and thus the reason for the NAT.

  • Options

    Does this mean that you don't have a VLAN capable switch setup there?

  • Options
    I have a firebox in one building and an ap327x directly connected to it in another building. There is no switch at the building with the ap and it may be moved to a pole at some point. On the ap, bridge mode for ssids don’t have an option to utilize the second ethernet port my ap has. I have not explored all the pros and cons of using the wired extension.
Sign In to comment.