ScreenOS: Configure Guest External WAP Segment

Product: ScreenOS
Version: Tested Version 6 and up

Network Topology:

The WAP connects to SSG port ethernet0/6.
ethernet0/6 is removed from the default trust bgroup0 to isolate the guest segment.

Description:

Provide a guest wireless access point (WAP) on an SSG firewall that is not wireless-enabled. The WAP is placed in a security zone, guestwifi, that has internet access only and no allowed connections to other segments.

Configuration:

The attachment is a PDF file with web UI screenshots: Web UI Instructions

CLI Instructions

1. Create the guestwifi security zone
set zone name guestwifi

2. Remove ethernet0/6 from bgroup0
unset interface bgroup0 port ethernet0/6

3. Assign ethernet0/6 to the guestwifi zone and give it IP address 172.16.1.1/24
set interface ethernet0/6 zone guestwifi
set interface ethernet0/6 ip 172.16.1.1/24

4. Create a policy from guestwifi to untrust with NAT for internet access
set policy name GuestWifi from guestwifi to untrust any any any nat src permit

5. Create a DHCP server on the guestwifi zone (only if DHCP is not provided by the external WAP)
set interface ethernet0/6 dhcp server service
set interface ethernet0/6 dhcp server auto
set interface ethernet0/6 dhcp server option gateway 172.16.1.1
set interface ethernet0/6 dhcp server option netmask 255.255.255.0
set interface ethernet0/6 dhcp server option dns1 a.b.c.d
set interface ethernet0/6 dhcp server ip 172.16.1.10 to 172.16.1.99

6. WAP configuration:
* Configure the external WAP with address 172.16.1.2/24 and a default gateway of 172.16.1.1,
or set the device to DHCP if supported
* Configure the desired wireless security settings on the WAP

Verification:

Connect on the new wireless segment and confirm internet access.
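
The step above confirms internet access. The isolation half of the design (ethernet0/6 out of bgroup0, bound to guestwifi, and no permit policy between guestwifi and any zone other than untrust) can be checked against a saved configuration. The script below is an added example, not part of the original article. Its function names and sample configuration are constructed, and the double-quoted names in saved configurations are an assumption.

```python
import shlex

# Constructed sample in the style of saved ScreenOS "set" lines (not from a real device).
# Assumption: saved configurations may double-quote names; shlex strips those quotes.
SAMPLE_CONFIG = """\
set zone name guestwifi
set interface bgroup0 port ethernet0/2
set interface "ethernet0/6" zone "guestwifi"
set interface ethernet0/6 ip 172.16.1.1/24
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" nat src permit
set policy id 2 name "GuestWifi" from "guestwifi" to "Untrust"  "Any" "Any" "ANY" nat src permit
"""


def parse_policy(low):
    """Return (src_zone, dst_zone, permits) for a full 'set policy' line, else None."""
    i = 2
    while i + 1 < len(low) and low[i] in ("id", "name"):
        i += 2  # skip the optional 'id N' and 'name X' pairs
    if len(low) < i + 5 or low[i] != "from" or low[i + 2] != "to":
        return None
    return low[i + 1], low[i + 3], "permit" in low[i + 4:]


def audit_guest_segment(config, port="ethernet0/6", zone="guestwifi", egress="untrust"):
    """Return a list of findings; an empty list means every check passed."""
    findings, bound = [], False
    for line in config.splitlines():
        low = [t.lower() for t in shlex.split(line)]
        if low[:2] == ["set", "interface"] and len(low) >= 5:
            if low[2].startswith("bgroup") and low[3:5] == ["port", port]:
                findings.append(f"{port} is still a member of {low[2]}")
            if low[2] == port and low[3] == "zone":
                bound = low[4] == zone
        elif low[:2] == ["set", "policy"]:
            src, dst, permits = parse_policy(low) or (None, None, False)
            if not permits:
                continue
            if src == zone and dst not in (zone, egress):
                findings.append(f"policy permits {zone} -> {dst}")
            elif dst == zone and src != zone:
                findings.append(f"policy permits {src} -> {zone}")
    if not bound:
        findings.append(f"{port} is not bound to zone {zone}")
    return findings


if __name__ == "__main__":
    print(audit_guest_segment(SAMPLE_CONFIG) or "guest segment checks passed")
```

Re-run the check after any later policy change, since the guest segment stays isolated only while no other policy references guestwifi.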

Originally Posted November 27, 2010
Last Revised on November 27, 2010