Cloud AP with VLANs - WSM Firebox Policies
I have a Firebox that is managed with WatchGuard System Manager. I have an AP wired directly to the Firebox that is cloud managed. The AP is NATed, not bridged. I'd like to keep this configuration if at all possible. The AP has several SSIDs. I'd like to set up each SSID on a different VLAN and apply different policies to them on the Firebox. Is it possible to use the Gateway Wireless Controller on the Firebox to apply policies to the VLANs and keep the AP otherwise cloud managed? Thanks
Comments
No. An AP is either GWC managed or cloud managed, but not both.
What is your issue about setting up different firewall policies for the different VLANs on your cloud managed AP?
What do you mean by "The AP is NATed"?
I will have to look into cloud policies for the VLANs. The Wi-Fi Cloud is new to me.
The SSIDs on the AP are set to NAT as opposed to bridged or tunneled.
Thanks
If they're set to NAT, the AP is acting as a firewall for those networks. If you want the traffic to be passed to the firewall, you'll want them bridged.
You can set up tagged and untagged VLANs on the firewall. It's set up to be flexible, so you could name them what the networks are for, or something else.
Aside from the Gateway Wireless Controller part, this goes over an example network and how to set VLANs up:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/wireless/ap_deployment_examples_vlans.html
-James Carson
WatchGuard Customer Support
To use Fireware GWC to manage an AP, you would need to change the AP to Firebox managed (Basic Wi-Fi), and you cannot use the additional features of a Cloud managed AP.
We suggest staying with Cloud managed and using Bridge mode for the AP, as James suggests above.
If you have difficulties, you can open a support incident to get WG help in setting this up. To do so, click on the SUPPORT CENTER link above.
WG Support was excellent and we got the VLANs working.
We left the AP cloud managed and left the Gateway Wireless Controller disabled on the Firebox. We set up matching VLANs on the AP and Firebox and applied policies to the VLANs as needed. I found that in order to utilize a wired extension on one of the SSID VLANs I had to keep it as NAT and assign a VLAN ID. The other SSIDs are now bridged with assigned VLAN IDs.
It appears to me, and I may be wrong, that the Firebox can inspect SSIDs in NAT mode. This may be useful for single devices or when a wired extension is needed, for example. Of course the Firebox will report all traffic coming from a NAT SSID as coming from a single device.
Thanks again for your help.
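As an added illustration of the bridged-versus-NAT point made in the thread (example code written for this page, not from WatchGuard or any poster), the following builds 802.1Q-tagged frames as the Firebox would receive them from the AP, maps the VLAN ID to a per-VLAN policy, and counts how many distinct sources the firewall can attribute per VLAN. The VLAN IDs, policy names and MAC addresses are constructed placeholders; the only requirement the thread states is that the VLAN IDs match on the AP's SSIDs and on the Firebox.

```python
import struct

# Constructed VLAN-to-policy table (hypothetical IDs and names); the IDs must be
# identical on the AP's SSIDs and on the Firebox VLAN interfaces.
VLAN_POLICY = {10: "Staff-Allow-All", 20: "Guest-Internet-Only", 30: "IoT-Restricted"}
AP_MAC = "02:00:00:00:aa:01"  # constructed MAC the AP presents as source for NATed SSIDs

def tagged_frame(dst_mac, src_mac, vlan_id, payload=b""):
    """Build an 802.1Q-tagged Ethernet frame: TPID 0x8100, PCP 0, DEI 0, VID = vlan_id."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    hdr = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return hdr + struct.pack("!HH", 0x8100, vlan_id) + b"\x08\x00" + payload

def parse_vlan(frame):
    """Return (vlan_id or None, source MAC) for a frame; untagged frames yield None."""
    if len(frame) < 16:
        raise ValueError("frame too short to carry an 802.1Q header")
    src_mac = frame[6:12].hex(":")
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != 0x8100:
        return None, src_mac
    return tci & 0x0FFF, src_mac  # low 12 bits of the TCI are the VLAN ID

def select_policy(frame):
    """Pick the firewall policy a VLAN-aware Firebox would apply to this frame."""
    vid, _ = parse_vlan(frame)
    if vid is None:
        return "Untagged-Default"
    return VLAN_POLICY.get(vid, "Drop-Unknown-VLAN")

def sources_per_vlan(frames):
    """Count distinct source MACs seen per VLAN, i.e. what firewall logs can attribute."""
    seen = {}
    for f in frames:
        vid, src = parse_vlan(f)
        seen.setdefault(vid, set()).add(src)
    return {vid: len(macs) for vid, macs in seen.items()}

def demo():
    """Three clients on a bridged SSID (VLAN 20) versus three on a NAT SSID (VLAN 30)."""
    fw = "02:00:00:00:ff:01"  # constructed Firebox MAC
    clients = ["02:00:00:00:c0:01", "02:00:00:00:c0:02", "02:00:00:00:c0:03"]
    bridged = [tagged_frame(fw, c, 20) for c in clients]      # real client MACs reach the Firebox
    natted = [tagged_frame(fw, AP_MAC, 30) for _ in clients]  # NAT SSID: every frame from the AP
    return sources_per_vlan(bridged + natted)  # returns {20: 3, 30: 1}
```

The NAT SSID still gets its own VLAN policy, but the Firebox sees one source for it, so per-device logging and policy exceptions are only possible on the bridged SSIDs.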
Please explain the "wired extension" and thus the reason for the NAT.
Does this mean that you don't have a VLAN capable switch setup there?