Topic: Subnetting/Firewalling Inbound WiFi Traffic

MightyGorilla

Subnetting/Firewalling Inbound WiFi Traffic
« on: December 20, 2017, 01:54:05 PM »
I have what I would think is a very common scenario, but it seems confusing to set up, so I'm wondering if I'm waaay off.

This is just to add wireless to an existing wired network:
  • using the built-in DHCP server to provide a separate range of addresses from the wired network
  • use the built-in firewall on the "incoming" wireless traffic to filter it
  • use the built-in routing to forward/NAT the wireless traffic to the wired network


It looks like I have to direct the wireless traffic to a particular VLAN, but will the traffic then hit the firewall and be routed (meaning the VLAN is really only present inside the router itself) or does that happen before it's dropped into the VLAN (meaning a different router will have to forward the traffic where it needs to go)?

If this configuration is somehow stupid, or you have alternative suggestions - I'm all ears. :)

riddlebox

Re: Subnetting/Firewalling Inbound WiFi Traffic
« Reply #1 on: January 10, 2018, 07:33:45 AM »
I am trying to do this right now.

I have set up a network group with a VLAN, and enabled the DHCP server, and am broadcasting an SSID with my Grandstream AP. My devices cannot pull DHCP from the network.

If I set up a Unifi AP to broadcast an SSID pointed to that VLAN I get the proper DHCP but cannot access anything on my main network group. I have started to play with the firewall rules, but am puzzled why I get no DHCP from the Grandstream AP but I get it from the Unifi APs?

riddlebox

Re: Subnetting/Firewalling Inbound WiFi Traffic
« Reply #2 on: January 12, 2018, 03:07:08 PM »
There is an option in the Firewall section called "Inter-group Traffic Forwarding".

You can add the groups you want to have access to in each of your groups.

MightyGorilla

Re: Subnetting/Firewalling Inbound WiFi Traffic
« Reply #3 on: January 12, 2018, 06:24:13 PM »
I've worked through most of the problems that I've had with the GWN series hardware, but that sometimes means I avoided certain functionality and provided those services from other equipment. Still - I do like the hardware, even if the software could use a little work in places.

I think I understand now that the wireless traffic is put straight on the wire (into a certain VLAN if that's what you've chosen to do) and then, at that point, it's just packets on the wire and is then subject to whatever routing & firewalling you wish to do if the traffic wants to leave its network. That can be the firewall rules in the GWN7000 itself (if it's the router that is the gateway out), or some other router if not. In my case, I didn't care for the firewall configuration, so we're only using the 7000 as a controller device to provision about 30 APs.

I also had to avoid the internal DHCP server, and use DHCP relay to a dedicated DHCP box. The internal one will work fine, but I required a bunch of address reservations that the internal DHCP doesn't offer currently.