How to configure WG M370 to allow guest internet from another wifi device?

I have a TP-Link wireless router that I would like to use as a wireless AP. I am planning on plugging the router into the WG. Are there any how-to docs on how this setup would be accomplished?

Best Answers

  • I apologize for not understanding what a packet filter was. I added one for TCP and the internet is now accessible via guest wireless. Thank you so much for your help on this.

Answers

  • For a guest WiFi, set the interface type to Custom.
    Then add any desired policies.
    If you want to allow everything, add an Any policy From: the interface name or the wifi subnet To: Any-external
    To allow most things, add a TCP-UDP packet filter and a Ping packet filter To:/From: the same.

  • Thanks for the reply. The settings were already set up exactly as you stated. The policy is set to Any-External. When I connect to the AP, it says no Internet Access.

  • edited February 2020

    Did you set up DHCP on the Custom firewall interface, and specify a public DNS server IP addr, such as one from your ISP or from Google?

    Also, are you seeing any denies in Traffic Monitor from your Custom interface?

  • I went to Network-->Interfaces, selected Guest_Wireless, and clicked on edit. DHCP Server was selected. I clicked on DNS and it was empty. I added 8.8.8.8 and 8.8.4.4 DNS servers and clicked save. I tried the guest wireless AP, but still can't get to the Internet.

  • edited February 2020

    Turn on Logging on your outgoing policy From: Custom, and look at Traffic Monitor to see packets allowed by that policy.
    Make sure that the private subnet set for the Custom interface is not used anywhere else in your config.
    Also verify that you have not changed/deleted the default Dynamic NAT entries, which should include 3 entries - 1 for each of the private subnet ranges.
    The default Dynamic NAT entries cause outgoing packets from private subnets to get converted to the public IP addr of your firewall for Internet access to work from those private subnets.

  • In traffic monitor I see the IP assigned to the client. The outgoing Policy is set up as a DNS-Proxy. Is there something that I should check in that policy type?

  • What other policies do you have for the guest clients?
    Use a DNS packet filter here.

  • No other policy for Guests

  • Review this:

    Packet Filter and Proxy Policies

    Your Firebox uses two categories of policies to filter network traffic: packet filters and proxies. A packet filter examines each packet’s IP and TCP/UDP header. If the packet header information is legitimate, then the Firebox allows the packet. Otherwise, the Firebox drops the packet.

    A proxy examines both the header information and the content of each packet to make sure that connections are secure. This is also called content inspection. If the packet header information is legitimate and the content of the packet is not considered a threat, then the Firebox allows the packet. Otherwise, the Firebox drops the packet.

    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/policies/policies_about_c.html
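
A simplified model of the behaviour discussed in this thread, as an added example that is not from any poster or from WatchGuard: a packet filter matches on header fields only, a proxy also inspects content, and traffic that no policy handles is denied. The list-order matching, the `dns_query_ok` content check and all sample packets are assumptions made for illustration, not Fireware's actual logic.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Packet:
    src_if: str           # interface the packet arrived on
    proto: str            # "tcp", "udp" or "icmp"
    dport: int            # destination port (0 for ICMP)
    payload: bytes = b""

@dataclass(frozen=True)
class Policy:
    name: str
    src_if: str
    protos: frozenset
    ports: Optional[frozenset] = None                    # None = any port
    inspect: Optional[Callable[[bytes], bool]] = None    # set only on proxies

def dns_query_ok(payload: bytes) -> bool:
    """Toy content check: 12-byte DNS header, QR bit clear, QDCOUNT >= 1."""
    return (len(payload) >= 12 and (payload[2] & 0x80) == 0
            and int.from_bytes(payload[4:6], "big") >= 1)

def evaluate(policies, pkt):
    """Return (action, policy name); a packet no policy handles is denied."""
    for p in policies:
        header_match = (pkt.src_if == p.src_if and pkt.proto in p.protos
                        and (p.ports is None or pkt.dport in p.ports))
        if not header_match:
            continue
        if p.inspect is not None and not p.inspect(pkt.payload):
            return ("deny", p.name)          # proxy rejected the content
        return ("allow", p.name)
    return ("deny", None)                    # implicit deny: nothing matched

# Constructed sample data: only the interface name comes from the thread.
DNS_PROXY = Policy("DNS-proxy", "Guest_Wireless", frozenset({"tcp", "udp"}),
                   frozenset({53}), dns_query_ok)
TCP_UDP = Policy("TCP-UDP", "Guest_Wireless", frozenset({"tcp", "udp"}))
PING = Policy("Ping", "Guest_Wireless", frozenset({"icmp"}))

QUERY = bytes.fromhex("1a2b01000001000000000000") + b"\x07example\x03com\x00\x00\x01\x00\x01"
DNS_PKT = Packet("Guest_Wireless", "udp", 53, QUERY)
HTTPS_PKT = Packet("Guest_Wireless", "tcp", 443)

if __name__ == "__main__":
    for label, rules in (("DNS proxy only", [DNS_PROXY]),
                         ("plus packet filters", [DNS_PROXY, TCP_UDP, PING])):
        print(label, evaluate(rules, DNS_PKT), evaluate(rules, HTTPS_PKT))
```

With only the DNS proxy in place, name lookups are allowed but the HTTPS packet matches no policy, which is the "no Internet Access" symptom described above.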

  • Thanks for the very detailed information!
