configure t20 with access point with 2 x SSID, one for guest

I have a T20 and I have a tp-link EAP620 access point. The EAP620 access point is currently used with employees on the business network. We currently do not use VLAN. I would like to setup a guest wireless SSID on the access point that has throttled internet access only. The EAP620 supports adding a second SSID with throttles and guest controls and VLAN.

How would I configure the T20 so that devices that connect to the business SSID can access everything and devices that connect to the guest SSID can only access internet.

Access point is connected to switch, switch is connected to trusted interface on T20.

I have no prior experience using VLAN, but understand the concept.


  • Options
    edited March 7

    You do need to set up VLANs for this to work.
    Does your switch support VLANs?
    If not, then you can't do this.
    If it does, then you need to set up VLANs on it and on the AP.

    You can set up the firewall in 1 of 2 ways:
    1) you set up a VLAN interface on the firewall and have both VLANs from the switch connect to this firewall interface. You need to define both VLAN types to the firewall.
    This needs to be a tagged/trunk VLAN setting on the switch and tagged on the firewall.
    2) you have 2 switch to firewall connections, the existing one, and a new one for the guest connection. Both of the switch connection are not tagged.
    No VLAN settings on the firewall.

    Tagged means that it has VLAN info in the packet.

  • Options

    Normally I'd recommend defining the VLANs on the firewall anyway, and you'd need to do this in order to achieve the stated goal.

    That said, without a managed VLAN capable switch, if the setup is a single access point and it has a PoE injector (since the T20 doesn't have a PoE port), something like configuring a port to be on both VLANs on the firewall (you'd have to redo the "internal" interface to be a VLAN, and make the port to the switch an untagged VLAN port at the very least) may help.
    (Essentially making the ports on the firewall a VLAN capable switch of sorts).

    You then setup the port with the AP to have two VLANs - untagged for the existing business/corporate network, and tagged for the guest network.
    Any guest network specific controls get their own set of policies on the firewall (eg. I have one that applies a different WebBlocker policy and throttles the speed for Internet bound traffic from the guest network).

Sign In to comment.