Extending T15W WiFi

I need some suggestions. I recently installed a T15W and setup a secure internal WiFi Bridged with Trusted Interface (limited via MAC address) with the addition of an untrusted Guest_Interface WiFi.

Unfortunately the T15W does not have the range I was hoping for in the office.. Purchased the Total Security Package as well and like the idea of extra monitoring and detection for WiFi as well sa the other features. So, now what to do. Option 1 was where I was headed which is to use the Optional Interface (as a Custom Untrusted) and setup a second Guest_Wifi2 via re-routed Network line at other end of the office with "some other WiFi Access Point". Since each interface (onboard Guest Wifi and other AP) has it's own DHCP, I think I would have to use different SSID. Unless I bridge them? By Bridging, would that allow the onboard WiFi to control security on that second device as well?

Should I just use a Range Extender to repeat the built in WiFi Guest network and call it a day?

The Ability to add High Gain External antennas seems like it would be ideal, but I am just dreaming out loud...

Comments

  • A guest WIFI should have a different SSID in any case.

    I have not come across any range extenders which can extend multiple SSIDs, so if your goal is to have both a trusted & guest SSID at some distance from your firewall, look to using an AP which supports VLANs.

    I recall that there was a post on the old (now gone) boards about adding a high gain antenna. Perhaps someone from WG will reply here - or you can open a support incident to find if this is possible and if so, what brand & characteristics etc.

    The only AP models that you can manage using Fireware (via Gateway Wireless Controller), are WG models.
    And current WG APs can be managed via the cloud. There are different SKUs for Fireware managed and for cloud managed.
    Fireware policies can control the traffic from any brand of APs.

  • I use a different brand of access points so that I can have a unified wireless management experience across all of my clients/family/friends, whether or not they have a WatchGuard firewall, at far less cost than WatchGuard APs. I am sure they have their place, but not for my clients or friends.

    I set them up with a LAN SSID and a guest SSID that has client isolation on it as well as being on its own VLAN. I then apply the wireless LAN and guest VLAN to my WatchGuard polices as desired. For the guest DNS, I use a filtering DNS such as CleanBrowsing.org server so no pervy stuff happens on my guest networks.

    Gregg Hill

  • Thanks for your response. Always great to hear how others are tackling these issues.

    I can't go back and justify to the client to spend the $$$ on another WG AP, so the solution to extend their guest_WiFi must be inexpensive. Luckily the Secure WiFi segment is not really in use (currently). Performance is not the greatest concern on Guest, which is why I was thinking of an extender in the middle of the office.

    It is a Dental Office with 9 rooms and staff, so in reality you are not talking about a lot of users at once. If they are OK, with a separate Guest SSID for the back rooms, then I may just add their cheap AP on that Custom Interface Port I configured on the T15 or figure out if I can bridge that Custom Interface with the Guest WiFi so they are on the same segment and same SSID.

  • You should be able to set up a bridge group including a firewall interface and a T15w radio.

  • Yes, that is an option and use the "Other WiFi Router they already had" in AP mode on that Optional Port that I reconfigured as a custom Interface.

    In fact, I already did a Bridge with the "Secure" WiFi Adapter (MAC Controlled) in the T15 with the Trusted Interface. So, I could do that again for the Guest and Keep the SSIDs the same for Guest. I have heard stories about sticky sessions to poor signal, so not sure if I should be concerned there.

    The T15W has 3 configurable WiFi Interfaces onboard, just for reference.

  • This thread speaks to my exact situation. Limited range on T15W. I want to add a mesh based Wireless network, but need to have a single integrated network (one range of IP addresses). Does anyone know if I can add a Ubiquiti WiFi network, plugged into one of the ports on the T15W and use the Network bridge feature in the Watchguard to create what is effectively a single network? Bruce Briggs suggests it is possible above but I just want to double check.

    Thanks in advance for any help of guidance.
    EnEm

  • @EnEm said:
    This thread speaks to my exact situation. Limited range on T15W. I want to add a mesh based Wireless network, but need to have a single integrated network (one range of IP addresses). Does anyone know if I can add a Ubiquiti WiFi network, plugged into one of the ports on the T15W and use the Network bridge feature in the Watchguard to create what is effectively a single network? Bruce Briggs suggests it is possible above but I just want to double check.

    Thanks in advance for any help of guidance.
    EnEm

    See my post from May 7th. I use that brand for all of my wireless networks, although I use VLANs instead of bridging my interfaces. I can have a LAN-connected AP that has an SSID on the LAN, plus VLANs for guest SSID and a restricted-employee SSID (I use this VLAN for employee laptop or phone/tablet that needs to print to LAN printer while it keeps them off of the LAN.) Guests get Internet-only access, filtered as I desire.

    Gregg Hill

  • In the past, I have created a bridge group to include the internal wireless (XTM 25 w) and a firewall interface to be part of the same subnet.
    More recently, I have used VLANs, and the appropriate polices to allow trusted subnets to access each other.

    The VLANs allows me to separate trusted, guest and equipment (TVs, etc.) traffic from one another.
    My access point does support VLANs.
    I expect that your proposed APs would also allow this as they are the same brand that Gregg uses.

  • Thank you both very much. I need to investigate and understand VLANS :)

  • I thought I would add the specific reason for this requirement in case anyone has additional advice. There is a Sonos network with a Sonos device in each room that obtains its IP no from the firewall DHCP server.

    The specific reason for wanting all devices in one IP subnet (or the ability to choose which subnet a device is on) is that the the Sonos controller software needs to be in the same IP subnet to access and control the Sonos music. This works fine devices in the same wireless network, but unless the networks are bridged, desktop computers and other wired devices (plugged in laptops) can't see or play music.

    Not used AirPrint or similar yet, but I am anticipating the same problem with a wired AirPrint enabled printer if iPhone and iPad users want to print.

  • I ended up taking the simple route and added an inexpensive Netgear N300 Model EX2700 WiFi Extender for the Guest WiFi Interface. It was $29.99 so no love lost if it dies in 6mo ... So, far I am impressed and have not gotten any complaints. I placed it in an elect outlet about 1/3 of the way toward the back of the office from where the T15W is. Coverage is awesome. I specifically chose this one as I did not need/want 5g because of so many walls etc. Also, I had the option of using the same SSID, but chose to call it Guest_Back. Still on the same Guest IP network, but I did not want any problems with Sticky WiFi and user complaints. Throughput is not an issue as this is a small Dental Office.

    The Same or similar method could have been done for the Secured Office WiFi interface that I DO have Bridged to the main Office IP, so same Subnet as Trusted Interface. This WiFi is secured via MAC address Lists which is recommended. I don't want any willy nilly access to the Office Network WiFi. i don't need to extend this one currently.

    You could use a mesh in place of the Extender I used.

    This all said, I did also configure the Opt Interface port to a spare RJ45 in the back of the office, which I could have bridged to one of the other interfaces, but again, my need is a bit different that yours and the WiFi Interfaces that I needed to extend is the Guest which I do NOT want on the Trusted interface and have also blocked. Also, I really wanted to leverage the T15W WiFi interface(s) because the Total Security Package was purchased and it seemed Frivolous to negate the WiFi and related security Software invested in the T15W.

    In regards to what Bruce mentioned, I do use vLANs at work and ironically and ready to revamp my home wired and WiFi network and plan on using said brand devices for WiFi.

  • "This WiFi is secured via MAC address Lists which is recommended."

    I have not seen that recommended in the last decade due to the ease of MAC address spoofing.

    Make sure none of your APs have WPS capability. From what I have read, it can be hacked even if it is off.

    Use a WPA2-PSK passphrase at least 25 characters long.

    Gregg Hill

  • Yes, I should have clarified that MAC is a last line of defense and should not be primary security by any means. WPA2-PSK, AES and proper passphrase are primary lines of defense. MAC is secondary and recommended in Watchguard documentation when allowing any WiFi access on your trusted interface. For instance I don't want the Doctors or staff doing anything on the trusted interface with their phones etc. Force them to use the Guest Wifi. For certain devices, XRay scanner that need WiFi to connect to their server (move from room to room) I use MAC in addition to proper WiFi security.

  • Thanks again for your input.

    ShawnD... Do you know if the Netgear N300 Model EX2700 WiFi Extender will allow identical name for the SSID or does it add _Ext?

    That leads to an (off-topic?) question: how do wireless clients switch? And is there a risk of swithching back and forth between the main network and the extended network in some areas where both have reasonable coverage. Or do users have to manually choose their network - which could mean constantly swithing by hand as they change locations.

  • Yes, it can, but recommends not. As most APs, you can configure them as you wish with the same SSID (as long as they are on different channels and same IP net), but I chose not to. That is what I was referring to when i mentioned "stickyness" where clients can hang onto a weaker AP signal near the boundaries Vs switching. Supposedly, most client devices these days are a lot better and there are ways to minimize by lowering the signal power of the APs, etc. Ideally the same SSID is more seamless, but I didn't want to deal with even the potential since this was just Guest WiFi. I am not the foremost expert on this, but have read a lot of stories and I typically use separate SSID. Users can subscribe to both. If your environment is more complex and will have multiple APs, then perhaps a Mesh is the way to go or at least the same SSIDs with regular APs and Extenders. You may just have to do some testing and tuning.

  • This is all very helpful, thanks. I have purchased a low cost Wi-Fi range extender as suggested by ShawnD (I got a tp-link TL-WA850RE) and it seems to work well after a couple of days testing. Set it to the same SSID as the firewall wireless.

Sign In to comment.