How to configure the ZyWALL USG series hardware gateway to separate office wireless networks using VLANs?
This article describes the configuration of the hardware ZyWALL USG series gateway, designed to separate office wireless networks using VLANs.
One wireless network is intended for employees (a closed, encrypted network with access to local network resources and the Internet), and the other for guests (an open network with Internet access only).
Let's take an example. Suppose you have a ZyWALL USG hardware gateway that can work with VLANs (tagged traffic), and a professional NWA1121-NI wireless access point that can also work with VLANs.
Task: Configure two isolated wireless networks (with different SSIDs): one open (without encryption) with Internet access only, for office guests, and the other encrypted (closed) with access to local network resources (including the ability to manage all devices) and to the Internet.
Consider the following scheme:
Local resources (hosts) and the Wi-Fi access point (NWA1121-NI) are connected to different ports (interfaces) of the ZyWALL USG hardware gateway. The gateway interface to which the access point is connected must work with tagged traffic and receive two VLANs from the access point: one from the guest wireless network (guest SSID) and one from the main wireless network (employee SSID). The interface to which local resources and stationary employee hosts are connected belongs to the local zone and must work with untagged traffic.
Access restriction for guests will be implemented using the Firewall settings on the ZyWALL USG hardware gateway.
We will configure the hardware gateway through the device web configurator.
1. Configure VLANs on the ZyWALL USG to separate the two wireless networks (with different SSIDs).
1.1. To configure Ethernet interfaces, go to Configuration > Network > Interface, Ethernet tab.
The following interfaces will be used on the ZyWALL USG:
- wan1: the external (WAN) interface, which receives an IP address from the ISP via DHCP.
- dmz: the interface used to connect the Wi-Fi access point. The VLANs will be configured on it. This interface should not receive untagged traffic, so set 0.0.0.0 in its IP address settings.
- lan1: the interface for connecting the stationary hosts of the office LAN.
Additional information on configuring the ZyWALL USG series Security Gateway interfaces can be found in the article "Configuring the ZyWALL USG Series Security Gateway Interface".
1.2. To configure the VLANs, go to Configuration > Network > Interface, VLAN tab.
Both VLAN interfaces (vlan3 for employees, vlan4 for guests) are created on the dmz interface with different IP addresses, 192.168.3.1/24 and 192.168.4.1/24 respectively.
Configure vlan3 for the employee wireless network:
Configure vlan4 for the guest wireless network:
When configuring the VLAN interface, pay attention to the following fields:
- Zone: the zone to which this VLAN interface is assigned (the Firewall rules depend on this). vlan3 for employees is assigned to the same zone as the local office zone containing the stationary hosts and network resources (the LAN1 zone, which by default also includes the lan1 interface). Guest vlan4 is assigned to the DMZ zone, which the Firewall rules can then separate from the LAN1 zone.
- Base Port: make sure the correct port has been selected for the VLAN (in our case, the dmz interface).
- IP Address: make sure the correct subnet has been configured for this VLAN. IP addresses from this subnet will be issued to the Wi-Fi clients that connect to the corresponding wireless network (employees or guests).
- DHCP Setting: in this section, configure the issuing of IP addresses.
Pay attention to the DNS settings. By default these fields are empty, and with that setting wireless clients will not receive a DNS server address when they connect and therefore will not be able to reach web sites by domain name. To let clients use domain names, fill in the First DNS Server, Second DNS Server and Third DNS Server fields with the first, second and third DNS server addresses, respectively, to be sent to clients via DHCP. Each field can be set to Custom Defined (entered manually), where you type the DNS server IP address yourself; to From ISP, where you select the external (WAN) interface from which the DNS server address should be taken; or to ZyWALL, where the ZyWALL USG itself acts as the DNS server, caching names and forwarding queries to external DNS servers.
When configured as shown in our screenshot, the device issues IP addresses from the interface subnet, starting with the address following the interface's own IP address, and the ZyWALL itself acts as the DNS server.
2. Configure Firewall zones and rules.
2.1. To configure zones, go to Configuration > Network > Zone.
Zones are the source and destination groupings used when creating Firewall rules and Anti-X services, and they consist of device interfaces. The preset zones carry the same names as the interfaces, but VLAN interfaces created on top of dmz (as in our case) can be assigned to any zone regardless of where the parent interface belongs. This example uses the preset zones.
The LAN1 zone includes the lan1 interface (to which the stationary hosts and network resources are connected) and vlan3 (created for the employee wireless connection). Since employees should have access to all local network resources, traffic within the zone is not blocked (Block intra-zone is set to no).
The DMZ zone is used for guests and includes the vlan4 interface. The dmz interface is also part of this zone but is not used in this example (its IP address is statically set to 0.0.0.0). If needed, a network accessible to guests could be deployed on this interface; in that case set Block intra-zone to no, assign an IP address to the dmz interface, and connect the required hosts (resources) to it through an Ethernet switch.
2.2. To configure Firewall rules, go to Configuration > Firewall.
For our scheme the default Firewall rules are used essentially unchanged. The following rules matter for the task in this article:
- Rule #1: from (From) the LAN1 zone (which includes the lan1 and vlan3 interfaces) to (To) any other zone (any, excluding traffic to the device itself), allow traffic (Access: allow). This rule lets employees connected to lan1 or to the wireless network reach any device interface without restriction; it allows everything except traffic to the device itself.
- Rule #3: from the DMZ zone (which includes vlan4, the interface for the guest wireless connection) to the WAN zone (the zone containing all external interfaces), allow traffic. This rule lets guests send any traffic to the Internet. It can be changed depending on the access granted to guests, for example to allow only ports 80 and 443 or only certain external resources.
- Rule #7: from the LAN1 zone (which includes the lan1 and vlan3 interfaces) to the ZyWALL zone (the zone describing traffic to any of the device's own interfaces), allow traffic. This rule lets employees send any traffic to the device interfaces. In this example employees are assumed not to be a source of problems for the network or the device, so for simplicity all traffic is allowed. In practice it makes sense to allow only the services employees will actually use and that genuinely need to be addressed to the ZyWALL itself.
- Rule #9: from the DMZ zone (which includes vlan4, the interface for the guest wireless connection) to the ZyWALL zone (the zone describing traffic to any of the device's own interfaces), allow only the services described in the Default_Allow_DMZ_To_ZyWALL group object. This rule allows the set of services you want to provide to guests. For example, to use the Internet, guests need to resolve DNS queries on the ZyWALL USG (when the device acts as the DNS server). By default this system group object also includes NetBIOS (needed for the device to determine the NetBIOS name of a connected computer). Depending on the task, you can add services to or remove services from this group, thereby allowing or prohibiting them.
- Default: the default rule denies everything not allowed above.
Depending on the task, the Firewall rules can be flexibly adjusted to set the required access parameters for all interfaces and, if necessary, for specific IP addresses or authenticated users. Details on configuring zones and Firewall rules in the ZyWALL USG can be found in the article "Configuring the Firewall in the hardware gateways of the ZyWALL USG series".
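The rule set above, checked as a small policy model: this is an added example, not ZyXEL's code or ZyWALL configuration syntax. Interface and zone names, the rule order and the Default_Allow_DMZ_To_ZyWALL group follow the article; the service labels, the ANY/ZyWALL literals and the Block intra-zone value for the DMZ zone are assumptions.

```python
# Added example (not ZyXEL code): model of the zone-based Firewall policy from
# section 2, used to check what the guest VLAN (vlan4) can actually reach.
ZONE_OF = {                            # interface -> zone, as in section 2.1
    "wan1": "WAN",
    "lan1": "LAN1", "vlan3": "LAN1",   # office hosts and employee Wi-Fi
    "dmz": "DMZ", "vlan4": "DMZ",      # guest Wi-Fi (dmz port itself unused)
}
# Block intra-zone is "no" for LAN1 per the article; "yes" for DMZ is assumed
# (the article says it must be set to "no" before the dmz port is used).
BLOCK_INTRA_ZONE = {"WAN": True, "LAN1": False, "DMZ": True}
# Default_Allow_DMZ_To_ZyWALL group object (rule #9); the service names are
# labels chosen for this model, not ZyWALL service object names.
DEFAULT_ALLOW_DMZ_TO_ZYWALL = {"dns", "netbios"}
# Rules in evaluation order: (from_zone, to_zone, services or None, action).
# First match wins; a flow that matches nothing hits the default deny.
RULES = [
    ("LAN1", "ANY", None, "allow"),                           # rule #1
    ("DMZ", "WAN", None, "allow"),                            # rule #3
    ("LAN1", "ZyWALL", None, "allow"),                        # rule #7
    ("DMZ", "ZyWALL", DEFAULT_ALLOW_DMZ_TO_ZYWALL, "allow"),  # rule #9
]

def decide(src_if, dst, service):
    """'allow' or 'deny' for a flow from src_if to an interface name, or to
    the literal 'ZyWALL' (traffic addressed to the gateway itself)."""
    src_zone = ZONE_OF[src_if]
    dst_zone = "ZyWALL" if dst == "ZyWALL" else ZONE_OF[dst]
    if src_zone == dst_zone and BLOCK_INTRA_ZONE[src_zone]:
        return "deny"
    for frm, to, services, action in RULES:
        if frm != src_zone:
            continue
        if to == "ANY" and dst_zone == "ZyWALL":   # "any" excludes ZyWALL
            continue
        if to != "ANY" and to != dst_zone:
            continue
        if services is not None and service not in services:
            continue
        return action
    return "deny"  # default rule

def guest_isolation_ok():
    """Guests reach the Internet and gateway DNS, but not the LAN or the
    gateway's other services (for example its web configurator)."""
    return (decide("vlan4", "wan1", "http") == "allow"
            and decide("vlan4", "ZyWALL", "dns") == "allow"
            and decide("vlan4", "lan1", "smb") == "deny"
            and decide("vlan4", "ZyWALL", "https") == "deny")
```

Extending RULES or editing DEFAULT_ALLOW_DMZ_TO_ZYWALL and rerunning guest_isolation_ok() shows whether a change (such as exposing the web configurator to the DMZ zone) breaks the guest isolation the article sets out to achieve.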
Configuring the NWA1121-NI access point used in our scheme is described in article BZ-3204.
In the scheme described above, a Keenetic Internet Center (with NDMS v2.00 firmware) can be used instead of the ZyWALL USG hardware gateway; such a scheme also works. An example of setting up VLANs on the Keenetic Internet Center to separate access networks is given in article KB-3222.
Note, however, that compared to the ZyWALL USG hardware gateway, the Internet Center is less flexible in configuring interfaces and Firewall rules, and it cannot run Anti-X services for network security.