How to configure WG M370 to allow guest internet from another wifi device?
I have a TP-Link wireless router that I would like to use as a wireless AP. I am planning on plugging the router into the WG. Are there any how-to docs on how this setup would be accomplished?
Best Answers
I apologize for not understanding what a packet filter was. I added one for TCP and the internet is now accessible via guest wireless. Thank you so much for your help on this.
Answers
For a guest WiFi, set the interface type to Custom.
Then add any desired policies.
If you want to allow everything, add an Any policy From: the interface name or the wifi subnet To: Any-external
To allow most things, add a TCP-UDP packet filter and a Ping packet filter To:/From: the same.
Thanks for the reply. The settings were already set up exactly as you stated. The policy is set to Any-External. When I connect to the AP, it says no Internet Access.
Did you set up DHCP on the Custom firewall interface, and specify a public DNS server IP addr, such as one from your ISP or from Google?
Also, are you seeing any denies in Traffic Monitor from your Custom interface?
I went to Network-->Interfaces, selected Guest_Wireless, and clicked on edit. DHCP Server was selected. I clicked on DNS and it was empty. I added the 8.8.8.8 and 8.8.4.4 DNS servers and clicked save. I tried the guest wireless AP, but still can't get to the Internet.
Turn on Logging on your outgoing policy From: Custom, and look at Traffic Monitor to see packets allowed by that policy.
Make sure that the private subnet set for the Custom interface is not used anywhere else in your config.
Also verify that you have not changed/deleted the default Dynamic NAT entries, which should include 3 entries - 1 for each of the private subnet ranges.
The default Dynamic NAT entries cause outgoing packets from private subnets to get converted to the public IP addr of your firewall for Internet access to work from those private subnets.
In Traffic Monitor I see the IP assigned to the client. The outgoing Policy is set up as a DNS-Proxy. Is there something that I should check in that policy type?
Use a DNS packet filter here
No other policy for Guests
Review this:
Packet Filter and Proxy Policies
Your Firebox uses two categories of policies to filter network traffic: packet filters and proxies. A packet filter examines each packet’s IP and TCP/UDP header. If the packet header information is legitimate, then the Firebox allows the packet. Otherwise, the Firebox drops the packet.
A proxy examines both the header information and the content of each packet to make sure that connections are secure. This is also called content inspection. If the packet header information is legitimate and the content of the packet is not considered a threat, then the Firebox allows the packet. Otherwise, the Firebox drops the packet.
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/policies/policies_about_c.html
Thanks for the very detailed information!
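The checks walked through in the answers above (subnet overlap, Dynamic NAT coverage, and which guest flows a policy set lets out), as an added offline example that is not part of the original thread and not WatchGuard code. The policy model, interface names and subnets are constructed, and the three Dynamic NAT sources are assumed to be the RFC 1918 ranges.

```python
import ipaddress

# RFC 1918 private ranges; the thread's three default Dynamic NAT entries
# are assumed here to use these as their sources.
DEFAULT_DNAT = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Simplified policy model (constructed): name -> [(protocol, low, high)].
# ICMP has no ports, so it is modelled as port 0.
POLICIES = {
    "DNS": [("udp", 53, 53), ("tcp", 53, 53)],
    "TCP-UDP": [("tcp", 0, 65535), ("udp", 0, 65535)],
    "Ping": [("icmp", 0, 0)],
}
# Sample flows a guest client typically generates (constructed).
FLOWS = {"dns": ("udp", 53), "https": ("tcp", 443), "ping": ("icmp", 0)}

def subnet_conflicts(guest, others):
    """Names of other interfaces whose subnet overlaps the guest subnet."""
    g = ipaddress.ip_network(guest)
    return sorted(name for name, net in others.items()
                  if g.overlaps(ipaddress.ip_network(net)))

def covered_by_dnat(guest, dnat=DEFAULT_DNAT):
    """True if one Dynamic NAT source range contains the whole guest subnet."""
    g = ipaddress.ip_network(guest)
    return any(g.subnet_of(n) for n in dnat)

def blocked_flows(policy_names):
    """Flows that no listed policy allows (unmatched traffic is denied)."""
    rules = [r for name in policy_names for r in POLICIES[name]]
    return sorted(flow for flow, (proto, port) in FLOWS.items()
                  if not any(p == proto and lo <= port <= hi
                             for p, lo, hi in rules))

if __name__ == "__main__":
    others = {"Trusted": "10.0.1.0/24", "Optional": "10.0.50.0/25"}  # constructed
    print("overlaps:", subnet_conflicts("10.0.50.0/24", others))
    print("NAT covers guest:", covered_by_dnat("10.0.50.0/24"))
    print("DNS only blocks:", blocked_flows(["DNS"]))
    print("DNS+TCP-UDP+Ping blocks:", blocked_flows(["DNS", "TCP-UDP", "Ping"]))
```

With only a DNS policy, name resolution passes while web and ping traffic are dropped, which matches a client that gets an address but reports no Internet access.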