SonicWALL 3 Home Security System User Manual


 
SONICWALL SONICOS STANDARD 3.0 ADMINISTRATORS GUIDE
Chapter 30: Managing Wireless Guest Accounts
The example above describes a moderately complex network configuration where the TZ 50
Wireless/TZ 150 Wireless/TZ 170 Wireless offers both WiFiSec and WGS access via a default route
on LAN. As the blue (WiFiSec) and green (WGS) traffic lines indicate, the TZ 50 Wireless/TZ 150
Wireless/TZ 170 Wireless allows WGS access only to the Internet, while allowing WiFiSec access to
the Internet, the LAN, and to a remote network connected via a LAN router. The SonicWALL PRO
2040 in the above example requires static routes to the 10.1.1.x (adjacent) network via 192.168.168.252,
and to the 172.16.31.x (for WGS) network via 192.168.168.168.

Prior to SonicOS 1.5.0.0, Wireless Guest Services were only available in default route on WAN
configurations. This scheme provided an automatic differentiation of destinations for WGS traffic. In
other words, WGS traffic bound for the WAN was permitted, but WGS traffic attempting to reach the
LAN (local traffic), to cross the LAN (to reach an adjacent network connected via a router) or to cross
a VPN tunnel was dropped.

When the TZ 50 Wireless/TZ 150 Wireless/TZ 170 Wireless is configured to provide both Secure
Access Point and WGS services via a default route on LAN, all traffic exits the LAN interface,
eliminating any means of automatically classifying “WGS permissible” traffic. To address this
ambiguity, any traffic sourced from a WGS client attempting to reach the default gateway (in our
above example, 192.168.168.254) is allowed, but any traffic attempting to traverse a VPN, or reach a
LAN resource (for example, 192.168.168.100) is dropped. Finally, to safeguard adjacent networks
attached via a router, a WGS IP Address Deny List has been added to the WGS > Settings page.
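
The WGS forwarding decision described above, modelled as an added Python example (it is not SonicWALL code or configuration), with a check for adjacent networks that the deny list does not cover. The /24 masks, the 10.50.0.0/24 VPN network, the 10.2.2.0/24 second adjacent network and the function names are assumptions; the other addresses come from the manual's example.

```python
import ipaddress

# Addresses from the manual's example; the /24 masks are assumed from the "x" notation.
WGS_CLIENTS = ipaddress.ip_network("172.16.31.0/24")
LAN = ipaddress.ip_network("192.168.168.0/24")
DEFAULT_GATEWAY = ipaddress.ip_address("192.168.168.254")
# Assumed deny-list entry: the adjacent network behind the LAN router.
WGS_DENY_LIST = [ipaddress.ip_network("10.1.1.0/24")]
# Constructed placeholder for a network reached over a VPN tunnel.
VPN_DESTINATIONS = [ipaddress.ip_network("10.50.0.0/24")]


def classify_wgs_flow(src, dst):
    """Return (verdict, reason) for a flow under the described WGS policy."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    if src not in WGS_CLIENTS:
        return ("n/a", "source is not a WGS client")
    if dst == DEFAULT_GATEWAY:
        return ("allow", "default gateway")
    if dst in LAN:
        return ("drop", "LAN resource")
    if any(dst in net for net in VPN_DESTINATIONS):
        return ("drop", "VPN tunnel")
    if any(dst in net for net in WGS_DENY_LIST):
        return ("drop", "WGS IP Address Deny List")
    # Everything else leaves through the default gateway on the LAN.
    return ("allow", "forwarded via default gateway")


def audit_deny_list(adjacent_networks):
    """Return adjacent networks that no deny-list entry covers."""
    gaps = []
    for net in map(ipaddress.ip_network, adjacent_networks):
        if not any(net.subnet_of(denied) for denied in WGS_DENY_LIST):
            gaps.append(str(net))
    return gaps


if __name__ == "__main__":
    client = "172.16.31.15"  # constructed WGS client address
    for dst in ("192.168.168.254", "192.168.168.100", "10.1.1.20",
                "10.50.0.9", "203.0.113.10"):
        print(dst, classify_wgs_flow(client, dst))
    print("uncovered:", audit_deny_list(["10.1.1.0/24", "10.2.2.0/24"]))
```

Because routed adjacent networks are reached through the same LAN interface as Internet traffic, any such network missing from the deny list falls through to the final allow case.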